On July 19, 2021, the Federal Deposit Insurance Corporation (FDIC), Federal Reserve (FRB), and Office of the Comptroller of the Currency (OCC) published in the Federal Register a Proposed Interagency Guidance on Third-Party Relationships: Risk Management.
In this article, we will discuss:
- What makes this guidance unique?
- What's new in the proposed guidance?
- Why are the agencies requesting comment?
- What is the OCC's 2020 FAQ and why was it appended?
- How can you prepare?
What makes this guidance unique?
Excluding the FFIEC IT Examination Handbook, this guidance is the first concerted effort the financial industry has seen toward developing unified vendor management guidance. Since 2001, each agency has published its own guidance, including the key players: FDIC FIL-44-2008, FRB SR 13-19, and OCC Bulletin 2013-29.
What's new in the proposed guidance?
The proposed guidance is based on OCC Bulletin 2013-29. If you are regulated by the OCC, the proposed guidance is likely to be familiar.
Whether you are familiar with the OCC guidance or not, the core concepts of the proposed guidance remain consistent with other vendor management expectations. The guidance focuses on these six pillars of vendor management:
- Planning
- Due Diligence and Third-Party Selection
- Contract Negotiation
- Oversight and Accountability
- Ongoing Monitoring
- Termination
For additional information and examples of these concepts, see our blog: What is Vendor Management?
Why are the agencies requesting comment?
The federal banking agencies have not historically published proposed guidance with an open comment period. This is an excellent opportunity for community banks to share their thoughts and feedback on the guidance before it is made official.
Specifically, the regulators are seeking answers to 18 questions, most of which center on the use, relevance, and clarity of the guidance. The agencies also include questions on emerging topics, such as "collaborative arrangements" and "subcontractors." Finally, the regulators are asking for comment on the OCC's 2020 FAQ.
What is the OCC's 2020 FAQ and why was it appended?
OCC Bulletin 2020-10 is a Frequently Asked Questions (FAQ) document which supplements the OCC's original guidance. The agencies have asked commenters to share feedback on the extent to which this FAQ should be incorporated into the guidance, and how it should be included.
The FAQ was originally published in 2017 (see OCC Bulletin 2017-21). The 2020 version of the FAQ includes 27 questions and answers. The questions span a variety of topics, including cloud computing, fintech companies, and collaborative arrangements. The value seems to lie in the FAQ's ability to put existing guidance into specific contexts. While this can be helpful, it can also become outdated more quickly. For the agencies and commenters alike, this is a significant factor to consider when discussing modifications to guidance that should be designed to stand the test of time.
How can you prepare?
If you are looking for next steps, here are three things you can do to prepare.
- Read the proposed guidance. You can see the guidance on the Federal Register or at any of the following links: FDIC FIL-50-2021, FRB Press Release, and OCC News Release 2021-74.
- Make a comment. Comments can be submitted on the FDIC Website and the FRB Website. Other methods for comment (e.g., mail, email, hand delivery) are listed in the proposed guidance itself. Please note that while the guidance states comments can be submitted via the Federal eRulemaking Portal, it does not appear this is possible.
- Check out Tandem Vendor Management. Tandem is designed to help banks manage the risk of their third-party relationships. Built on the core concepts identified in the proposed guidance, Tandem can help ensure your program is manageable, thorough, and effective. In addition, the Tandem team is quick to integrate changes to help its users comply with final rules and regulations. Learn more at Tandem.App/Vendor-Management-Software.