The Federal Reserve, FDIC, and OCC have released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance is intended to provide principles for effective third-party risk management for all types of third-party relationships, regardless of how they may be structured. At the same time, the agencies state that banking organizations have flexibility in their approach to assessing the risks posed by each third-party relationship and deciding the relevance of the considerations discussed in the final guidance.
The final guidance rescinds and replaces each agency’s previously-issued guidance on risk management practices for third-party relationships. In their July 2021 proposal, the agencies had included as an appendix FAQs issued by the OCC to supplement the OCC’s existing 2013 third-party risk management guidance. The proposed guidance included the revised FAQs as an exhibit and the agencies sought comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance. In their discussion of the final guidance, the agencies identify which concepts from the FAQs have been incorporated into the final guidance.
The final guidance states:
This guidance addresses any business arrangement between a banking organization and another entity, by contract or otherwise. A third-party relationship may exist despite a lack of contract or remuneration. Third-party relationships can include, but are not limited to, outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. Some banking organizations may form third-party relationships with new or novel structures and features—such as those observed in relationships with some financial technology (fintech) companies. The respective roles and responsibilities of a banking organization and a third party may differ, based on the specific circumstances of the relationship. Where the third-party relationship involves the provision of products or services to, or other interaction with, customers, the banking organization and the third party may have varying degrees of interaction with those customers.
In a footnote, the agencies indicate that the term “business arrangement” is meant to be interpreted broadly and is synonymous with the term “third-party relationship.” The proposal had stated that the term “business relationship” generally excluded a customer relationship. In their discussion of the final guidance, the agencies indicate that this text was removed from the final guidance because some business relationships may incorporate elements or features of a customer relationship.
The final guidance begins with an overview of risk management in which the agencies acknowledge that not all third-party relationships present the same level of risk and therefore do not all require the same level or type of oversight or risk management. It provides that as part of sound risk management, each banking organization has the responsibility to analyze the risks associated with each third-party relationship and tailor its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. In addition, as part of sound risk management, banking organizations are expected to engage in more comprehensive and rigorous oversight of third-party relationships that support higher-risk activities, including critical activities. Critical activities may include activities that could (1) cause a banking organization to face significant risk if the third party fails to meet expectations, (2) have significant customer impacts, or (3) have a significant impact on a banking organization’s financial condition or operations.
The agencies acknowledge that while each banking organization is responsible for having a sound methodology for identifying its critical activities and third-party relationships that support those activities, an activity that is critical for one banking organization may not be critical for another.
As discussed below, the other sections of the guidance address the third-party relationship life cycle, governance, and supervisory reviews of third-party relationships.
Third-party relationship life cycle. The agencies state that the degree to which the examples of considerations discussed in the guidance are relevant to each banking organization is based on specific facts and circumstances, and the examples given may not apply to all of a banking organization’s third-party relationships. The guidance notes the importance of involving staff with the requisite knowledge and skills in each stage of the risk management life cycle, as well as experts across disciplines (such as compliance, risk, or technology), legal counsel, and external support. The guidance discusses the following life cycle stages:
- Planning for a relationship by evaluating and considering how to manage risks before entering into a third-party relationship
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
For each life cycle stage, the guidance discusses a series of factors that a banking organization typically considers depending on the third-party relationship’s degree of risk and complexity.
Governance. The proposed guidance had included oversight and accountability as a separate life cycle stage. In their discussion of the final guidance, the agencies state that they reorganized the guidance to make clear that oversight and accountability happen throughout the risk management life cycle and are not a specific stage. The final guidance includes oversight and accountability as part of governance. It distinguishes the board’s responsibilities from those of management and lists various factors that a board of directors (or a designated board committee) typically considers throughout the third-party risk management life cycle in carrying out its responsibility for providing oversight of third-party risk management and holding management accountable. Other practices the agencies identify as typically considered by banking organizations throughout the risk management life cycle are independent reviews and documentation and reporting. The guidance lists various factors typically considered in periodic independent reviews and provides examples of processes that support effective documentation and internal reporting that the agencies have observed.
Supervisory reviews of third-party relationships. The guidance states that each agency will review its supervised banking organizations’ risk management of third-party relationships as part of its standard supervisory processes. Supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. The guidance indicates that the scope of a supervisory review will depend on the degree of risk and the complexity associated with the banking organization’s activities and third-party management processes. It lists various activities typically conducted by examiners when reviewing third-party risk management processes. The agencies note that when circumstances warrant, they may use their legal authority to examine functions or operations that a third party performs on a banking organization’s behalf and such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect consumers and to provide fair access to credit.
The final guidance demonstrates the increased attention the regulators intend to pay to third-party relationships and, in particular, bank partner programs. Because the guidance does not set forth concrete expectations applicable to all such arrangements, we anticipate, unfortunately, that the final guidance will be cited to support examination criticisms inconsistently from institution to institution. Further, we agree with Fed Governor Michelle Bowman, who stated that she believed that community banks would find the final guidance challenging to implement and criticized the agencies for failing to provide resources with the issuance of the final guidance to reduce confusion and regulatory burden on those institutions. Regardless of the type of institution, the final guidance will require institutions to reconsider processes with respect to their bank partners through the entirety of the third-party relationship life cycle and document their processes or face significant criticism. Attorneys in Ballard Spahr’s Consumer Financial Services Group have extensive experience in helping clients make sure that their third-party relationships are fully compliant with regulators’ expectations.