As originally proposed in July 2021, the third–party risk management guidance generally excluded a bank’s customer relationships from its scope.[1] This exclusion of customer relationships was consistent with existing guidance at the time.[2]
Today’s final joint guidance has removed the proposal’s exclusion of customer relationships. According to the agencies, this change “is intended to reduce ambiguity.”[3] In my view, the exclusion’s removal itself creates ambiguity. The final guidance is now unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services.
The FDIC has endeavored to provide some clarity on this important scope question in its accompanying Financial Institutions Letter.[4] I am pleased the FDIC has taken this step, and would look forward to hearing views as to whether this clarification adequately addresses the issue.
On a related note, I understand that this third–party risk management guidance, while detailed, nonetheless remains principles–based and risk–based. The granular discussion of potential risk management steps is intended to provide illustrative examples of risk management considerations, not prescriptive requirements. That said, given the importance of the issue and the length of the guidance, I would support developing a separate resource guide for community banks as soon as practicable.
[1] Proposed Interagency Guidance on Third–Party Relationships: Risk Management, 86 Fed. Reg. 38,182, 38,186–7 (Jul. 19, 2021) (“While a determination of whether a banking organization’s relationship constitutes a business arrangement may vary depending on the facts and circumstances, third–party business arrangements generally exclude a bank’s customer relationships.”)
[2] See OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (Mar. 5, 2020) FAQ 2 (“Business arrangements generally exclude bank customers.”); SR Letter 13–19 / CA Letter 13–21, “Guidance on Managing Outsourcing Risk” 1 (Dec. 5, 2013, updated Feb. 26, 2021) (“This guidance supplements existing guidance on technology service provider (TSP) risk, and applies to service provider relationships where business functions or activities are outsourced. For purposes of this guidance, “service providers” is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”) (emphasis added, footnotes omitted).
[3] Interagency Guidance on Third–Party Relationships: Risk Management (June 6, 2023) at 8.
[4] FIL-29-2023, “Interagency Guidance on Third–Party Relationships: Risk Management” (June 6, 2023) (“Relationships that are only between banks and their direct customers of traditional bank products and services (such as deposit accounts or retail or commercial loans) would not be addressed in a third–party risk management framework and are covered by the various risk management processes and rules that apply to traditional lending and deposit relationships.”); id. (“Business relationships with third parties engaged in lending, payment, or deposit activities for the benefit of the bank or through the bank should be evaluated by banks using both the third party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships.”) (footnote omitted).