On June 6, 2023, the Federal Deposit Insurance Corporation (FDIC), Federal Reserve (FRB), and Office of the Comptroller of the Currency (OCC) published new Interagency Guidance on Third-Party Relationships: Risk Management. Here are eight things community banks need to know about it. 

1. It has been in the works for a long time.

A proposed version of the guidance was originally published in the Federal Register on July 19, 2021. The agencies received 82 comments from banks, third-party service providers, and other stakeholders (e.g., trade associations, nonprofits, individuals, etc.). The first 28 pages of the guidance document are dedicated to addressing these comments and discussing how the final guidance was revised to integrate feedback provided by the industry. The final version of the guidance looks quite different from the original proposed version, which shows the agencies put a lot of time and effort into this process. 

2. It replaces the existing guidance from these three agencies.

The new guidance replaces each agency's existing third-party risk management guidance, including: 

  • FDIC FIL-44-2008: Guidance on Managing Third Party Risk 
  • FRB SR 13-19 Guidance on Managing Outsourcing Risk 
  • OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance
  • OCC Bulletin 2020-10: Third-Party Relationships: Frequently Asked Questions 

The primary reason for the replacement is to promote consistency. Instead of each agency offering a slightly different variation on how to manage third-party relationships, this final interagency version offers standardization and enhances consistency across the industry. 

3. It recommends a five-stage lifecycle.

The guidance recommends following a five-stage lifecycle approach to third-party risk management: 

  1. Planning
  2. Due diligence and third-party selection
  3. Contract negotiation
  4. Ongoing monitoring
  5. Termination 

If you're looking at this list and thinking, "Hm… Didn't it used to be six stages?", you'd be correct! In the proposed version, there was an "Oversight and Accountability" stage, which was removed and given its own section in the final version of the document. The agencies' reasoning was that appropriate governance should be included throughout the relationship, not just as one particular stage. 

4. It offers a "principles-based approach."

Third-party risk management is a moving target. Because of this, the agencies made it their goal to "clearly articulate risk-based principles for third-party risk management." 

What this means is that the agencies say things like: 

  • "Not all relationships require the same level or type of oversight or risk management." 
  • Lots of things depend on "the degree of risk and complexity of the third-party relationship."
  • "An activity that is critical for one banking organization may not be critical for another."
  • And "the guidance is relevant to managing all third-party relationships." 

In short, this guidance has been painted with a broad brush. While some may find freedom in that fact, others may find the flexibility a bit daunting. We'll keep exploring this idea so you can see what I mean. 

5. It applies to all third-party relationships.

You will not find any reference to terms like "cloud," "fintech," "core," or any other category of third party in the guidance. This guidance was written in such a way that you could look at it and use the principles included to help you evaluate any third-party relationship. 

If you are looking for guidance on how to evaluate risks related to specific types of third-party relationships, it would be best to look toward other existing guidance that was not replaced by this one (e.g., FFIEC Joint Statement on Security in a Cloud Computing Environment, Interagency Guide on Conducting Due Diligence on Financial Technology Companies, etc.). 

6. It uses the word "periodic" … A lot.

If it wasn't clear before that third-party risk management is supposed to be an ongoing process, it is now. The agencies have replaced all timeframe suggestions with the word "periodic." For example: 

  • "Periodically [conduct] risk assessments for each third-party relationship." 
  • "Periodically conduct background checks."
  • "Periodic reviews of executed contracts" are a good idea.
  • Report "periodically to the board (or designated committee), as appropriate, on third-party risk management activities."

You get the idea. The word "periodic" (and its variations) is used twelve times in this document.

So, what does "periodic" mean? Literally speaking, the guidance doesn't say. Using historical context, the term "periodic" could be interpreted to mean "at least annually." At the end of the day, it is going to be up to you to justify what "periodic" means in your business context. 

7. It answers some frequently asked questions.

There was some clarity given on a few frequently debated due diligence topics. For example: 

  • What should I do if a vendor won't give me the due diligence I've requested? (Page 37) 
    It happens. But it's still your responsibility. In a case like this, you need to "document any limitations," "understand the risks from such limitations," and "consider alternatives as to how to mitigate the risks." 
     
  • Can I work with others to do collaborative due diligence? (Pages 37 – 38) 
    Yes. Kind of. If you work with an outside source on your third-party risk management, that's allowed. But it's still your responsibility. The guidance refers to this kind of outsourcing as "supplemental efforts." It says, "use of such external parties to conduct supplemental due diligence does not abrogate the responsibility of the banking organization to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations." 
     
  • How should I manage subcontractors? (Pages 23 & 45) 
    Your third parties should be managing their own vendors. But it's still your responsibility to evaluate your "third party's own processes for overseeing subcontractors and managing risks." For more information on this topic, check out our blog: The Vendor Manager's Guide to Subcontractor Due Diligence.

8. It says more guidance is coming.

According to the guidance, "the agencies plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks." 

Here's what this tells me:

  • In theory, adopting a full-on principles-based approach is a good idea.
  • In practice, it may present some challenges for the practitioners.

This idea was supported by Federal Reserve Board Governor Michelle Bowman, who published a press release explaining some of her concerns.

That said, I would not underestimate the community banking industry's resilience to changing requirements, especially when the regulatory burden has been arguably lessened. Much of the guidance is already aligned with existing norms, the new concepts provide clarity on murky topics, and the principles-based approach offers flexibility.

Companies that provide third-party risk management products and services will adapt to the new recommendations and come alongside their community bank partners to improve the process of third-party risk management across the board.

I look forward to any future guidance that may be released on this topic, and I think there's room for some, but this new guidance is a good place to start.

Conclusion 

My takeaway from this guidance: When it comes to third-party risk management, the sky's the limit, if you can justify how you got there. 

As much as guidance can feel like a regulatory burden, it can also provide support. It can be a foundation from which to build a strong program. From my perspective, this guidance is no different. The federal banking agencies have handed over a set of tools, ideas, and recommendations for overseeing third-party relationships, without being overly prescriptive. It's up to us now to determine how to best use them. 

What do you think? Connect with me on LinkedIn and share your thoughts: https://www.linkedin.com/in/alyssapugh/

If you use Tandem Vendor Management, keep an eye on our Software Updates to see changes we recommend based on this guidance. If you'd like to supplement your own third-party risk management efforts, check out our list of Tandem Partners who provide vendor management services. 

Join us on August 10, 2023, at 2:00 PM (CT) for a deep dive into the topics covered by this guidance. We will discuss the five stages of third-party risk management, provide tips and tricks for improving your processes, and answer your questions. Register now: https://tandem.app/2023-risk-guide

Find out how Tandem can help you at Tandem.App/Vendor-Management-Software
