Interagency Guidance on Risks Associated with a Third-Party Relationship
On June 6, 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, Agencies) issued final joint guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies or “FinTechs” (Interagency Guidance). The Interagency Guidance replaces prior guidance issued by each Agency individually in order to promote consistency in the Agencies’ third-party risk management guidance and to clearly articulate risk-based principles for third-party management.
The Interagency Guidance acknowledges that the Agencies have observed an increased number and type of third-party relationships and the benefits that third-party relationships can provide for banking organizations and consumers. To support the increase in such relationships, the Interagency Guidance describes principles and considerations for banking organizations’ sound risk management of third-party relationships, and covers risk management practices for the stages in the life cycle of third-party relationships, including: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The Interagency Guidance provides that banking organizations are tasked with identifying their critical activities and the third-party relationships that support these critical activities. Critical activities include those that cause a banking organization to face significant risk if the third party fails to meet expectations, have significant customer impacts, or have a significant impact on a banking organization’s financial condition or operations.
While acknowledging that not all relationships present the same level of risk and require the same level of oversight, the Interagency Guidance emphasizes that banks need to ensure their risk management programs provide strategies for managing third-party relationships, including bank partnerships with FinTechs, and such programs must be rightsized to the complexity, nature, and size of the institution. To do so, banks may prescribe certain requirements on the FinTech or other third party by contract in order to mitigate the bank’s risk of noncompliance with applicable law. These can include, but are not limited to: independent reviews of the third party’s business and operations, testing and auditing of the third party, requiring notification of significant strategic operational changes, specifying reports to be received by the third party, and escalation of issues and remediation of such issues.
We note that the Interagency Guidance did not directly address true lender issues or bank partnership programs, continuing a pattern of not taking an explicit position on state true lender arguments. Nevertheless, the Interagency Guidance suggests that the Agencies are not opposed to bank partner programs in principle. Therefore, FinTechs and other businesses engaged in third-party relationships with financial institutions should be aware of the Agencies’ emphasis on risk management programs, the role that third parties play, and the compliance obligations banks have as they pursue bank partnership programs. The Interagency Guidance reaffirms that the use of third-party relationships does not absolve a banking organization of its obligation to operate in a safe and sound manner and comply with all applicable laws and regulations.
Reprinted with permission from the American Bar Association’s Business Law Today June Month-In-Brief: Business Regulation & Regulated Industries.