Proposed Interagency Guidance on Third-Party Risk Management
The federal banking agencies—the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (Federal Reserve)—published proposed interagency guidance about third-party risk management in the Federal Register on July 19, 2021. The proposed guidance is meant to harmonize the banking agencies’ expectations about how banks manage third-party relationships. The preamble to the proposed guidance suggests that “[t]he agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management.”
Each of the agencies has issued guidance in the past. The OCC issued Bulletin 2013-29, which explains the OCC’s expectations about how banks under its jurisdiction should manage risks that arise from third-party relationships. The OCC also issued a series of frequently asked questions (FAQs) in 2017 to supplement Bulletin 2013-29. The OCC replaced those FAQs with Bulletin 2020-10, which expanded upon the 2017 FAQs. Both the 2020 FAQs and the rescinded 2017 FAQs, which have been incorporated within the 2020 set, address several issues related to financial technology companies that may help banks provide services to their customers (e.g., cloud service providers, data aggregators, etc.). The FDIC issued its own guidance in 2008 about how to manage third-party risk, while the Federal Reserve issued guidance in 2013 about how to manage outsourcing risk.
One only needs to look at the scope of the earlier guidance to see why harmonization is a good idea. For example, OCC Bulletin 2013-29 explained that a third-party relationship, which is the subject of the bulletin, “is any business arrangement between a bank and another entity, by contract or otherwise.” The FDIC noted that its “guidance provides a general framework that boards of directors and senior management may use to provide appropriate oversight and risk management of significant third-party relationships.” It defined significant third-party relationship:
“A third-party relationship should be considered significant if the institution's relationship with the third party is a new relationship or involves implementing new bank activities; the relationship has a material effect on the institution's revenues or expenses; the third party performs critical functions; the third party stores, accesses, transmits, or performs transactions on sensitive customer information; the third party markets bank products or services; the third party provides a product or performs a service involving subprime lending or card payment transactions; or the third party poses risks that could significantly affect earnings or capital.”
And the Federal Reserve examined the issue through the lens of service providers—“all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”
The preamble to the proposed interagency guidance explained that it “is based on the OCC's existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies.” Comments on the proposed guidance are due September 17, 2021, and the agencies have requested comments on the following topics, including but not limited to:
- The sufficiency of the proposed guidance (e.g., the right level of detail, enough guidance to allow banks to scale their third-party risk management processes to fit their complexity, risk, and size, distinguishing between different types of third-party relationships, etc.);
- The scope of the guidance;
- Collaborating with others to perform due diligence on third parties;
- Fourth party risk and the use of subcontractors by a third party;
- Information security; and
- The need to incorporate topics covered in the OCC’s 2020 FAQs into the interagency guidance.
While credit unions would not be subject to the interagency guidance, credit unions may still find it helpful to review. NCUA issued guidance about evaluating third-party relationships back in 2007 and followed that up the next year with a questionnaire that explained how examiners will evaluate credit unions’ management of third-party relationships. NCUA’s guidance does not expressly address certain issues with third parties who provide technological services like the proposed guidance and the OCC’s 2020 FAQs. Because of the shift towards more digital products and channels as a result of the pandemic, credit unions who have partnered with more third parties to provide products and services to their members may wish to see how their management of third-party risk might align with the expectations of the federal banking agencies in the absence of more detailed guidance from NCUA.