US banking regulators issue final guidance on third-party risk management

US bank regulators finalized risk management guidance for banks to consider when developing relationships with fintechs and other third parties.

The US Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) have published final guidance on managing risks associated with third-party relationships.

The guidance is relevant to all banking organizations, and it offers the agencies’ views on sound risk management principles for banks as they develop and implement risk management practices for all stages in the life cycle of their third-party relationships.

The agencies note that they are issuing the guidance to promote consistency in supervisory approaches; it replaces each agency’s existing general guidance on this topic and is directed to all banking organizations supervised by the agencies.

They also say they have observed an increase in the number and type of banking organizations’ third-party relationships.

The agencies published a proposed version of the guidance on July 19, 2021; the 60-day comment period ended on September 17, 2021, but commenters requested more time, so the agencies extended the comment window until October 18, 2021.

Critical activities

Not all third-party relationships present the same level or type of risk, and therefore not all relationships require the same extent of oversight or risk management, the agencies say in the guidance.

Sound third-party risk management takes account of the level of risk, complexity, and size of the banking organization, and the nature of the third-party relationship.

The agencies note that a key element of effective risk management is applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight.

The guidance describes critical activities as those that could cause a banking organization to face significant risk if the third party fails to meet expectations, that have significant customer impacts, or that have a significant impact on a banking organization’s financial condition or operations.

The agencies say it is important to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle.

“A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff,” the guidance states.

Due diligence

The agencies say that the due diligence they expect in the evaluation of third-party risk includes assessing the third party’s ability to perform the activity as expected; adhere to a banking organization’s policies related to the activity; comply with all applicable laws and regulations; and conduct the activity in a safe manner.

“Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific activity to be performed by the third party,” the guidance says.

Technology and fintech partners

The use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets, the agencies said.

But banking organizations’ use of third parties does not remove the need for sound risk management.

“On the contrary, the use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks.”

The agencies say that longstanding principles of third-party risk management set forth in this guidance are applicable to all third-party relationships, including those with fintech companies.

“It is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly,” the agencies said.

Information security

Due diligence in the information security area involves assessing the third party’s information security program, including its consistency with the banking organization’s information security program, such as its approach to protecting the confidentiality, integrity, and availability of the banking organization’s data.

The guidance notes that it might also involve determining whether there are any gaps that present risk to the banking organization or its customers and considering the extent to which the third party applies controls to limit access to the banking organization’s data and transactions. Those controls include multifactor authentication, end-to-end encryption, and secure source code management.