As previously reported on in WBA’s Wisconsin Banker Daily, FRB, FDIC, and OCC have collectively proposed to update interagency guidance on managing risks associated with third-party relationships. The proposal is significant as final guidance will replace each agency’s existing guidance: FRB’s 2013 guidance, SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk’” (December 5, 2013, updated February 26, 2021); FDIC's 2008 guidance, FIL–44–2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); and OCC's 2013 guidance and its 2020 FAQs, Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance” and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.”
Third-party vendor management is a significant part of most banks’ risk management efforts so as to protect against harm caused to bank customers or the bank itself as result of actions taken, or failed to be taken, by third-party vendors. Third-party vendor management is also a significant area of review by examiners. Depending upon how the agencies finalize the guidance, banks may need to update their third-party vendor management policies and procedures in the near future. Banks should be aware of what the agencies have proposed and should consider sharing comments with the agencies of where the guidance need be improved upon, further clarified, or narrowed in scope or coverage.
The agencies intend the proposed guidance to provide a framework based on sound risk management principles that banks may use to address the risks associated with third-party relationships. The proposed guidance describes third-party relationships as business arrangements between a bank and another entity, by contract or otherwise. As is currently agency expectation, the proposed guidance stresses the importance of banks appropriately managing and evaluating the risks associated with each third-party relationship. The proposed guidance also continues existing agency expectations that banks’ use of third parties does not diminish their responsibilities to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations. Banks are to adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each bank.
The proposed guidance is intended for all third-party relationships and is especially important for relationships that a bank relies on to a significant extent, relationships that entail greater risk and complexity, and relationships that involve critical activities. The proposed guidance defines “critical activities” as significant bank functions or other activities that: (a) could cause a bank to face significant risk if the third party fails to meet expectations; (b) could have significant customer impacts; (c) require significant investment in resources to implement the third-party relationship and manage the risk; or (d) could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
The proposed guidance provides examples of third-party relationships, including the use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a bank has an ongoing relationship or may have responsibilities for the associated records.
The agencies seek comment on all aspects of the proposed guidance, including responses to the several specific questions throughout the proposed guidance. Comments are due Sept 17. The proposed guidance may be viewed here.
WBA will be commenting on the proposed guidance. Please share your suggestions, concerns, or other general thoughts regarding the proposal with WBA Legal at 608-441-1200 or at firstname.lastname@example.org.
By, Cassie Krause