Interagency Guidance on Third-Party Relationships: Risk Management

On June 6, 2023, the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (the “agencies”) issued Interagency Guidance on Third-Party Relationships: Risk Management (“Interagency Guidance”). The Interagency Guidance addresses all business arrangements between any banking organization (generally, banks, savings associations, holding companies and certain U.S. facilities of foreign banks) and another entity, by contract or otherwise. The Interagency Guidance became effective June 6, 2023 and replaces all prior guidance put forth by the agencies on the topic. According to the agencies, the Interagency Guidance does not impose any new requirements on banking organizations; rather, it articulates sound principles that support a risk-based approach to third-party risk management that banking organizations may consider when developing and implementing risk management practices for all stages in the “life cycle” of third-party relationships. Each agency will review its supervised banking organizations’ risk management of third-party relationships as part of its standard supervisory process.

Whether activities are performed internally or via a third party, banking organizations are required to operate in a “safe and sound” manner and in compliance with applicable laws and regulations. The Interagency Guidance should serve as a useful resource to assist banking organizations in implementing third-party risk management practices by providing examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of the third-party relationship life cycle.

The agencies are clear in the Interagency Guidance that it applies to all third-party relationships, regardless of the importance or size of the relationship. However, the Interagency Guidance recognizes that not all third-party relationships present the same level of risk, and thus expects banking organizations to tailor the level of oversight and risk management accordingly. Per the agencies, sound third-party risk management will take into account the level of risk, complexity, and size of the banking organization, as well as the nature of the specific third-party relationship. When the third party is involved in high-risk or critical activities, the banking organization should be more comprehensive and more rigorous in its oversight and management. According to the Interagency Guidance, an activity may be critical if it could cause a banking organization to face significant risk should the third party fail to meet expectations, if it could have significant customer impacts, or if it could have a significant impact on a banking organization’s financial condition or operations. The Interagency Guidance recommends that each banking organization keep a complete inventory of its third-party relationships and periodically update its risk management practices for each relationship as necessary. While the Interagency Guidance makes no recommendations as to how a business organization’s risk management process should be structured, it suggests that the banking organization have systems in place to ensure proper oversight, accountability, and reporting.

The agencies emphasize in the Interagency Guidance that effective risk management should follow each stage of the third-party relationship life cycle, namely: planning, due diligence, contract negotiation, ongoing monitoring, and termination. For example, among other considerations, the Interagency Guidance recommends that the planning stage of risk management include evaluations of how the third-party relationship could affect physical and cyber security, business expenses, employees, and customers.

The Interagency Guidance notes that conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. Thorough due diligence will allow the banking organization to assess the third party’s ability to perform the activity in line with the banking organization’s expectations and policies.

The Interagency Guidance suggests that risk management is also vital during the contract negotiation stage if a banking organization determines a written contract is needed to document its relationship with a third party. A banking organization will typically negotiate contract provisions that facilitate effective risk management and oversight and that specify the expectations and obligations of both parties. The level of detail and comprehensiveness of such contract provisions will likely depend on the risk and complexity of the proposed third-party relationship.

The Interagency Guidance notes that effective third-party risk management should be ongoing throughout the duration of the third-party relationship, and should include: (1) reviewing reports regarding the third party’s performance and the effectiveness of its controls; (2) periodically visiting and meeting with third-party representatives to discuss performance and operational issues; and (3) regularly testing the banking organization’s controls that manage risks from its third-party relationships, particularly when those relationships support higher-risk activities.

Lastly, the Interagency Guidance recommends that banking organizations terminate third-party relationships in an efficient manner. When deciding on options for effectively transitioning the services it is terminating, the banking organization should be sure to consider its intellectual property and customers.

A copy of the Interagency Guidance is available here. The attorneys in Lewis Rice’s Banking Practice Group are always ready to serve our clients in addressing regulatory issues and assisting in their third-party relationships. Please do not hesitate to contact your Lewis Rice attorney or the author of this alert.

Special thanks to Ellie Richmond for her contributions to this article.