Federal Banking Regulators Publish Final Guidance on Risk Management of Third-Party Relationships
On June 6, the Board of Governors of the Federal Reserve System (the Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) adopted final Interagency Guidance on Third-Party Relationships: Risk Management (the final guidance) for all banking organizations supervised by the Agencies on managing risks associated with third-party relationships. Banking organizations are expected to incorporate the principles identified in the final guidance when developing and implementing risk management practices governing their third-party relationships.
The concepts discussed in the final guidance are relevant for all third-party relationships, including affiliate and subsidiary relationships, and are provided to banking organizations to assist in the tailoring and implementation of risk management policies, programs, and practices. The final guidance replaces each agency's existing third-party risk management guidance, which had been issued piecemeal over the course of several years and promotes consistency in the Agencies' supervisory approaches toward third-party risk management.
This Advisory identifies the scope and key terms relevant to the final guidance, provides a summary of the final guidance itself, highlights key changes made since the publication of the proposed guidance in July 2021, and provides several key takeaways for banking organizations subject to the final guidance. Changes from the proposed guidance include those related to differences in regulatory expectations based on the size and complexity of banking organizations or the type of third-party relationships, as well as the Agencies highlighting the importance of banking organizations managing risks related to bank-fintech partnerships, including those that involve novel or complex structures, where the fintech may interact directly with and serve as the intermediary providing the banking service to the end customer.
While the guidance itself is not binding, it provides a potential roadmap for supervisory activity in the area of risk management of third-party relationships, a subject of increasing concern for supervisors. As such, banking organizations should to review their policies and procedures regarding third-party relationships in light of the new, uniform guidance so as to avoid regulatory or supervisory pitfalls related to third-party risk management.
Scope and Key Terms of the Final Guidance
The final guidance is broad, addressing a wide range of business relationships that banking organizations may have with third parties. The final guidance states that the terms “third-party relationship” and “business relationship,” as used in the final guidance, are meant to be interpreted broadly and capture any business arrangement between a banking organization and another entity, by contract or otherwise. Notably, the Agencies rejected the suggestions of commenters to establish a materiality standard for determining which types of relationships constitute “business relationships” for purposes of the final guidance.
The final guidance notes that a third-party relationship may exist despite a lack of a contract or payment and can include, but is not limited to, outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.
The final guidance takes a principles-based approach rather than a prescriptive approach in the interest of allowing banking organizations to appropriately tailor the concepts in the final guidance to their own needs based on the specific risk profile of each third-party relationship. For example, in applying the concepts in the final guidance to third-party relationships that may pose relatively less risk, such as affiliate and subsidiary relationships, banking organizations are explicitly encouraged to tailor the general framework provided by the final guidance and apply it in a manner that fits the risks applicable to the unique circumstances of each third-party relationship.
We note that the final guidance is a non-binding supervisory guidance document. While the final guidance provides key insights into the supervisory expectations and priorities of the Agencies, to which banking organizations will be expected to conform, it does not create any new regulation or otherwise impose any new legal requirements on banking organizations.1
Summary of the Final Guidance
The final guidance provides broad principles that help banking organizations understand and address the risks presented through all stages of a relationship with third party. The final guidance is broken down into four primary sections: (1) general principles of third-party risk management, (2) the third-party relationship life cycle, (3) governance issues related to third-party risk, and (4) guidelines used by the Agencies for independent reviews.
General Principles of Third-Party Risk Management
The final guidance instructs banking organizations to analyze the risks associated with each third-party relationship and address those risks accordingly. Banking organizations are instructed to tailor risk management practices in a manner that is commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship itself.
As noted, the final guidance acknowledges and explicitly embraces that different banking organizations (and different third-party relationships) will have different risk management needs that correspond to each unique situation. The final guidance instructs banking organizations to provide greater oversight and management over third-party relationships that support critical activities, which include those that (1) cause a banking organization to face significant risk if the third party fails to meet expectations, (2) have significant customer impacts, or (3) have a significant impact on a banking organization’s financial condition or operations.
Risk Management Throughout the Third-Party Relationship Life Cycle
The final guidance identifies that the risks presented by third-party relationships generally follow a continuous life cycle, with each stage in the lifecycle requiring particular steps to manage risk. The final guidance identifies and describes the following specific stages:
The final guidance notes that effective planning enables a banking organization to evaluate and manage risks even before entering into the third-party relationship itself. The final guidance identifies planning related to costs, potential effects on information and physical security, employee wellbeing, and oversight and management as some of the key elements that banking organizations should consider before a third-party relationship is commenced.
2. Due Diligence and Third Party Selection
The final guidance also identifies due diligence as an important part of sound risk management, as it provides organizational leaders with the information about third parties that is needed to determine if a relationship would help achieve a banking organization's strategic and financial objectives. The final guidance also notes that the scope and degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship, with more comprehensive due diligence being particularly important when a third party supports higher-risk activities.
3. Contract Negotiation
The final guidance identifies preparing, reviewing, and negotiating contracts as a critical stage of the third-party relationship lifecycle. The final guidance provides a host of factors that a banking organization should address while preparing and reviewing contractual terms with a third party, including the nature and scope of the arrangement, costs and compensation, performance measures or benchmarks, requirements related to information storage, audit and remediation rights, confidentiality, subcontracting, and termination. The final guidance states that, while third parties initially may offer a standard contract, a banking organization may seek to request modifications, additional contract provisions, or addendums to satisfy its needs and manage the risks posed by the relationship. The final guidance also notes that banks may experience difficult contract negotiations, such as when a smaller banking organization has limited negotiating power relative to the third party, and in those circumstances in particular, it is important for the banking organization to understand any resulting limitations and potential risks that would accompany a particular contract.
4. Ongoing Monitoring
The final guidance notes that after the third-party relationship begins, effective third-party risk management requires ongoing monitoring throughout the duration of the relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party. The final guidance states further that ongoing monitoring enables a banking organization to confirm the quality and sustainability of a third party's controls and ability to meet contractual obligations; escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and respond to such significant issues or concerns when identified.
The final guidance identifies termination as the last stage of the third-party relationship lifecycle and recommends that banking organizations take into account options for effective transition of services, costs and fees associated with termination, handling of joint intellectual property, and managing risks that arise from the termination, both to the banking organization and its customers.
Governance and Risk Management
The final guidance also identifies governance as a key area that banking organizations must address to manage risks posed by third parties. The final guidance provides principles applicable to oversight and accountability of third parties by the board of directors, direction on how organizations should conduct independent reviews, and factors to consider when engaging in documentation and reporting of third-party relationships.
The final guidance states that boards of directors ultimately bear responsibility for providing oversight for third-party risk management and should hold senior management accountable to engage safely in third-party relationships. The final guidance also specifies that boards of directors should clearly communicate the risk appetite of the organization to management and continue to oversee management’s engagement with third-party organizations to guarantee that the risks posed by these relationships are commensurate with the risk appetite of the organization overall. Further, the final guidance stresses the importance of conducting periodic independent reviews to assess the adequacy of third-party risk management processes and developing documentation and reporting standards and controls in respect of such processes.
Supervisory Reviews of Third-Party Relationships
The final guidance also provides a general framework for how the Agencies will conduct supervisory reviews of third-party risk management. The final guidance explicitly notes that examiners will not be applying a one-size-fits-all approach to their examinations of third-party risk. Rather, in their evaluations of a banking organization’s third-party risk management, examiners will take into account that banking organizations engage in a diverse set of third-party relationships, that not all third-party relationships present the same risks, and that banking organizations accordingly tailor their practices to the risks presented. The final guidance goes on to note that the scope of the supervisory review will depend on the degree of risk and the complexity associated with the banking organization’s activities and third-party relationships.
The final guidance states that, when circumstances warrant, examiners may use their legal authority to examine functions or operations that a third party performs on a banking organization’s behalf. The Agencies may in turn pursue corrective measures, including enforcement actions when necessary to address violations of law and regulations or unsafe or unsound banking practices by the banking organization or the associated third party.
Key Changes from the Proposed Guidance
The final guidance differs in several respects from the proposed guidance originally published in July 2021. Many of these changes were suggested by public comment, such as (1) noting that a sound third-party risk management framework for a banking organization should consider the level of risk, complexity, and size of the banking organization; (2) stating that banking organizations should tailor their practices to the risks presented; and (3) explicitly taking into consideration bank-fintech partnerships, including those that involve novel or complex structures, where the fintech may interact directly with and serve as the intermediary providing the banking service to the end customer. In general, the final guidance eliminates some of the arguably prescriptive elements of the proposed guidance, as the Agencies were seeking to provide a principles-based risk-management framework.
The final guidance also addresses certain concerns raised by smaller banking institutions during the comment period, including a lack of recognition of the limited bargaining power of small institutions with regard to certain third parties, as well as the general view that the proposed guidance would be excessively burdensome on smaller institutions. The final guidance now specifically acknowledges that some banking organizations may be limited in their risk management efforts by insufficient bargaining power, and the final guidance reiterates throughout that all banking organizations, including small banking institutions, can implement the final guidance in such a way as to suit their particular needs and risk profile.
The final guidance also differs from the proposed guidance in the way it deals with subcontractors utilized by third parties. The final guidance incorporates revisions to its discussion of subcontractors to clarify that these relationships should be evaluated based on the risk posed by the third party’s relationship to the banking organization, which may include assessing whether a third party’s use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate. Further, the final guidance removed references to the term “critical subcontractor” with the intent to improve clarity and promote flexibility.
Takeaways for Banking Organizations
The Agencies had each previously issued third-party risk management guidance for their respective supervised banking organizations. The following guidance documents has been rescinded and replaced by this final guidance: the Federal Reserve’s 2013 guidance,2 the FDIC’s 2008 guidance,3 and the OCC’s 2013 guidance and its 2020 frequently asked questions (FAQs).4 Banking organizations should review the final guidance closely and consider whether existing third-party agreements, including agreements with affiliates and subsidiaries, may require modification, and whether it would be appropriate to enhance or restructure processes and controls governing various aspects of the risk management life cycle.
Moreover, small and medium-sized banking institutions should continue to look out for additional guidance from the Agencies, as the Agencies have noted that they plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks.
Financial institutions interested in how the recent activity of the Agencies may impact their businesses may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about third-party risk management or banking supervision more broadly.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
For further information about non-binding supervisory guidance, please see the Interagency Statement Clarifying the Role of Supervisory Guidance that was jointly published by the Federal Reserve, the FDIC, the OCC, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. Interagency Statement Clarifying the Role of Supervisory Guidance (Sep. 11, 2018), https://www.fdic.gov/news/press-releases/2018/pr18059a.pdf.