Agencies Issue Proposed Risk Management Guidance for Third-Party Relationships
The Federal Reserve, FDIC, and OCC have released new proposed interagency guidance on managing risks with third-party relationships. The intent of the Proposed Guidance is to promote consistent third-party risk management guidance; better address the use of, and services provided by, third parties; and more clearly articulate risk-based principles on third-party relationship risk management.
In general, the Proposed Guidance offers a framework based on sound risk management principles that banking organizations supervised by the Agencies may use when assessing and managing risks associated with third-party relationships. The Proposed Guidance describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise, including relationships with vendors, fintech companies, affiliates, and the banking organization’s holding company.
Further, the Proposed Guidance stresses the importance of a banking organization appropriately managing and evaluating the risks associated with third-party relationships, and emphasizes that a banking organization’s use of third parties does not diminish its responsibility to perform an activity in a safe and sound manner and comply with applicable laws and regulations. The Proposed Guidance also states that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships.
Additionally, the Proposed Guidance outlines all points in the life cycle of a relationship between a banking institution and a third party, which include: (1) developing a plan to identify risks of the activity with a third party, as well as how to assess, select, and oversee it; (2) performing proper due diligence; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having bank management oversee its risk management process and engage in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship.
Comments on the Proposed Guidance must be received no later than September 17, 2021.