Bank Regulators Issue Request for Comment on Proposed Guidance for Third-Party Risk Management
Earlier this month, three federal bank agencies – the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (each an “Agency” and, collectively, the “Agencies”) – issued a request for public comment related to joint guidance proposed by the Agencies to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology-focused entities (the “Proposed Guidance”).
Each of the three Agencies has previously issued its own respective guidance addressing third-party relationships and setting forth the appropriate risk management practices the Agencies’ supervised banking organizations were expected to implement. While each Agency’s guidance addressed similar issues and points of concern, they generally came at different times and, therefore, the existing guidance is not consistent between the various Agencies.
For this reason, the Agencies are issuing the Proposed Guidance in an effort to both modernize and promote consistency in third-party risk management guidance.
Many of the provisions in the Proposed Guidance will be familiar to banking organizations and existing service providers as they mirror elements already required in the existing guidelines or that have been communicated to banking organizations by their respective regulatory Agency. Among these provisions is an expectation that banking organizations each adopt third-party risk management processes commensurate with the (i) identified level of risk, (ii) complexity of the third-party relationship, and (ii) organizational structure of the banking organization.
Further, similar to other current third-party oversight guidance – such as the Office of the Comptroller of the Currency’s 2013-29 bulletin – the Proposed Guidance includes a description of the third-party risk management life cycle and identifies principles applicable to each stage of the life cycle, including:
- developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party;
- performing proper due diligence in selecting a third party;
- negotiating written contracts that articulate the rights and responsibilities of all parties;
- having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews;
- conducting ongoing monitoring of the third party’s activities and performance; and
- developing contingency plans for terminating the relationship in an effective manner.
As of the date of this article, the Proposed Guidance has not been published on the Federal Register. Once the Proposed Guidance has been published, interested parties will have 60 days to file comments with the Agencies.
A copy of the Proposed Guidance is available here – https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20210713a1.pdf.