Written by: Andrew Jordan
Breaking Down the ‘Interagency Guidance on Third-Party Relationships: Risk Management’
The Board of Governors of the Federal Reserve System (the Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have released long-awaited, comprehensive new interagency guidance on third-party risk management. The guidance unifies the requirements of the three supervisory agencies, which previously had some disparities, while updating and clarifying some areas in response to evolving trends. Every institution should review its third-party management program in light of the new guidance, which could inform its strategy going forward.
Background
Each year, regulatory agencies publish updates to guidance regarding new areas of focus. One recently highlighted area of focus was third-party relationships. This is unsurprising, as it has been an area of increasing importance, risk, regulatory scrutiny, and overall challenge for years. In particular, the changing fintech environment and new service models do not fit well into traditional vendor management programs.
This new guidance, Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the regulatory agencies, emphasizes the importance of managing risks associated with third-party relationships. The agencies state that a sound risk management program should consider the level of risk, complexity, and size of the organization, as well as the nature of the third-party relationship.
After a comment period intended to ensure alignment with the industry’s challenges, the final guidance took effect on June 6, 2023. It was jointly issued by the Fed, FDIC, and OCC so that expectations are consistent across organizations.
The Guidance
Although the guidance makes few changes to specific control requirements in your third-party management process, there are important nuances and interpretations that you should understand:
- This interagency guidance will replace all earlier independent guidance by the Fed, FDIC, and OCC.
- The guidance stresses that the use of a third party does not reduce or remove an organization’s responsibilities. An organization still must ensure the outsourced activities are performed safely and soundly as well as in compliance with applicable laws and regulations.
- Financial technology (fintech) organizations are now directly subject to the requirements.
- Organizations must consider non-traditional methods of performing due diligence if standard reports or policies are not available from the third party. This is especially relevant to startup technology providers.
- If an entity is used to collect due diligence for the organization, due diligence must then be performed for that entity.
- All bullet points listed under due diligence, contract negotiation, and monitoring are illustrative and not prescriptive requirements. Organizations must then take into consideration the risk and complexity of the third-party relationship to determine which specific review points are appropriate to include.
- Requirements within the guidance should not be treated as a “checklist,” as the bulleted items are only meant to be examples of a strong risk management program.
- The agencies recognize that smaller organizations (those with less than $100 billion in assets) may have limited resources for proper due diligence and contract structuring. The guidance notes that if the organization properly addresses or accepts the risk of these limitations, this will be acceptable.
- Requirements surrounding foreign-based third parties now apply to all organizations regardless of their regulator. This requirement was previously enforced only by the OCC.
- Subcontractors and the role of the organization are now clarified. If a subcontractor of the third party presents added risks to the organization, the organization is responsible for understanding how the third party oversees the subcontractor.
- Since it is the responsibility of the organization to identify and evaluate risks arising from its third-party relationships and risk management programs, the agencies have not excluded any third-party relationships from the scope of this guidance.
The overall point the agencies emphasize is that the guidance is principles-based. The considerations for enhancing an organization’s risk management program are meant to be a detailed guide, not a checklist of requirements. Each organization should tailor its risk management program to fit its size, complexity, and risk profile. As a result of this generalized approach, the agencies have not revised the guidance to address specific topics or types of relationships.
Conclusion
This new approach to the guidance stresses the importance of sound documentation and reporting processes. Since each organization is different, having proper third-party relationship documentation and reporting is extremely important. A strong risk management process should consider the following:
- A current inventory of all third-party relationships
- All risk assessments related to the use of those third parties
- Due diligence and oversight results and recommendations
- Executed contracts of all third-party relationships
- Remediation plans and availability reports from the third party
- Service disruption reports from the third party
- Results of independent reviews
- The third party’s periodic reporting to the board
The agencies recognize that all organizations are unique in size, complexity, and level of risk. As such, the guidance should be used to enhance and strengthen an existing risk management program. The agencies will continue to evaluate their supervised organizations, but will now use the guidance to better understand each organization’s environment when assessing its third-party relationships.