On June 6, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (collectively, the agencies) issued guidance to banking organizations on managing the risks associated with third party relationships. This final guidance reflects the 82 comment letters the agencies received from banking organizations, financial technology (fintech) companies and other third party providers on the proposed guidance released in July 2021 and replaces each agency’s existing guidance to ensure consistency in supervisory enforcement. While the agencies acknowledge that “[t]he use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets,” they caution that the use of third parties “does not remove the need for sound risk management.” The agencies emphasize, however, that supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.

According to the agencies, fintech partnerships and other third party relationships include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures, and the joint guidance applies to all these types. However, the agencies acknowledge that some relationships require a higher level of oversight or risk management and recommend that banks tailor their risk management approach to any such relationship in light of the potential for heightened risks it poses. The guidance adheres to prior iterations of third party risk management guidance from the agencies in advising that sound third party risk management must take into account the level of risk, complexity and size of the financial institution as well as the nature of the third party relationship.

Highlights from the guidance include:

  • Emphasizing the importance of identifying and managing risks associated with third party relationships.
  • Maintaining an inventory of all third party relationships and periodically conducting risk assessments for each relationship.
  • Engaging in more rigorous oversight of third party relationships that support “critical activities” such as those that:
    • Cause a banking organization significant risk;
    • Have significant customer impact; or
    • Have a significant impact on the banking organization’s finances or operations.
  • Conducting periodic independent reviews to assess the adequacy of third party risk management processes.
  • Documenting and reporting third party risk management processes and specific third party relationships.

The guidance provides suggestions for banking organizations to consider through each stage of their third party relationship “life cycle”: planning, due diligence and third party selection, contract negotiation, ongoing monitoring, and termination. It also provides a list of items examiners will consider in the scope of their supervisory reviews. The agencies indicated they intend to develop additional resources to help community banks manage risks from third party relationships.