On June 6, 2023, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (FRB) issued long-awaited Interagency Guidance on Third-Party Relationships Risk Management (Guidance). Prior to this issuance, each regulatory agency maintained its own Guidance. The new Guidance promotes consistency in supervisory approaches and supersedes all previous Guidance by these regulators.
The following summarizes the key takeaways from the new Guidance. The full text can be found here.
- The Guidance outlines principles that should be considered when developing and executing a risk management program for all stages in the life cycle of third-party relationships.
- The Guidance addresses, defines and applies to all business arrangements between any banking organization (i.e., banks, savings associations, holding companies and certain U.S. facilities of foreign banks) and another entity, by contract or otherwise.
- One size does not fit all. The agencies are clear that the Guidance applies to “all” third-party relationships but recognizes your program should be adapted to the types and level of risks, the size and complexity of your bank, the nature of your third-party relationships, and the activities they perform. For example, when third-party relationships support higher-risk activities, including those deemed “critical”, more comprehensive, and rigorous oversight and management of the relationship is warranted. Critical activities include but are not limited to those that:
- Cause a bank to face significant risk if the third party fails to meet expectations.
- Are customer-facing and/or could have significant customer impact or harm.
- Have a significant impact on the bank’s financial condition or operations.
- The risk profile of your banking organization, including activities performed by third parties, should be continuously monitored to ensure your program remains commensurate with material changes.
- The Guidance defines and describes risk-based principles and typical factors and activities to perform for managing third-party relationship risks associated with each stage of a continuous life cycle comprised of the following stages.
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination
- The agencies actively monitor trends and developments in the financial services industry and will consider issuing additional guidance or educational resources (e.g., FAQs) as necessary. The agencies also plan to develop additional resources to assist smaller, non-complex community banking organizations in managing third-party risk.
- The Guidance emphasizes that the use of third parties does not diminish or remove a bank’s responsibilities to ensure the activities are performed in a safe and sound manner and in compliance with laws and regulations.
Third-party risk has been, is and will be, a significant risk to the banking industry. Understanding and effectively managing this risk will be critical to banks’ future success. HORNE has the resources and expertise to help you as you work through this evolving risk.
