The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) are issuing final guidance on managing risks associated with third-party relationships. The guidance provides sound principles that support a risk-based approach to third-party risk management that banking organizations may consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.
- On July 19, 2021, the agencies published in the Federal Register Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The proposed guidance offered a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.
- After careful consideration of comments received, the agencies are issuing final guidance that will replace each agency’s existing guidance on this topic, providing a consistent approach to managing risks associated with all third-party relationships.
- A banking organization’s use of third parties can increase its risk, but the use of third parties does not diminish or remove a banking organization’s responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information.
- The guidance serves as a useful resource to assist banking organizations implementing third-party risk management practices by providing examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships.
- The guidance notes that sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization, as well as the nature of the specific third-party relationship.
- Business relationships with third parties engaged in lending, payment, or deposit activities for the benefit of the bank or through the bank should be evaluated by banks using both the third-party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships. [1]
- Relationships that are only between banks and their direct customers of traditional bank products and services (such as deposit accounts or retail or commercial loans) would not be addressed in a third-party risk management framework and are covered by the various risk management processes and rules that apply to traditional lending and deposit relationships.
- The guidance rescinds and replaces the FDIC’s Guidance for Managing Third-Party Risk issued in FIL-44-2008.
- Because the final guidance addresses all types of third-party relationships including lending arrangements, the FDIC is withdrawing the 2016 proposed Guidance on Third Party Lending (FIL-50-2016), issued for comment July 29, 2016.
[1] See, for example: Part 364 safety and soundness standards for risk assessment, audit, internal control, underwriting (including ability to repay), loan documentation and growth; Part 328 rules for proper advertising of deposit insurance; Section 326.8 implementing the Bank Secrecy Act; Office of Foreign Asset Control requirements; Parts 323 and 365 for real-estate related lending activities; the Truth in Lending Act and Regulation Z; the Truth in Savings Act and Regulation DD; the Electronic Fund Transfers Act and Regulation E; prohibitions against unfair, deceptive, and abusive acts and practices; and fair lending laws.