On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.

The Guide serves as a companion to the Interagency Guidance on Third-Party Relationships: Risk Management issued in June 2023 (on which we blogged, here).  It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.

The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance of such partnerships in improving competitiveness and adaptability.  These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.

However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks.  Banks are still accountable for executing all activities in compliance with applicable laws and regulations.  “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).”  Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.”  The Guide sets forth this concept in bold, on the first page. 

The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers.  Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions with regard to effective third-party risk management.

Risk Management

The Guide stresses the need for comprehensive initial risk assessments tailored to third-party activities, particularly those involving sensitive customer data or transaction processing.  The Guide also emphasizes governance practices, such as oversight mechanisms and documentation protocols.

Recognizing the diverse nature of third-party relationships and the differences in risks for community banks, the Guide advocates for more rigorous risk management measures for third parties involved in higher-risk activities.  Banks should tailor their risk management practices according to their size, complexity and risk profile, and periodic assessments should gauge the risks of each partnership.  As an initial step, banks should identify the partnerships involving higher-risk activities.  The creation of specific risk profiles can turn on factors such as a partner’s access to sensitive data, transaction processing, and provision of essential technology and business services.  Finally, successful risk management requires the active involvement of bank personnel with the requisite expertise at each phase of risk management.

Five-Stage Life Cycle

The Guide lays out a five-stage life cycle for managing the risks of third-party relationships: planning; due diligence and third-party selection; contract negotiation; ongoing monitoring; and termination.

Planning.  According to the Guide, planning is paramount because it enables a bank to proactively identify and mitigate potential risks associated with the proposed third-party relationship.  Key considerations include assessing legal and compliance requirements applicable to the prospective activities, evaluating whether the anticipated benefits outweigh the potential costs and risks, and determining the extent of interaction the third party will have with customers (and the corresponding complaint handling procedures).  When planning, banks can consider budgetary analyses, input from human resources personnel, and internal policies, processes, and controls.

Due Diligence and Third-Party Selection.  Effective due diligence requires evaluating a third party’s capability to perform activities as expected, adhere to the bank’s policies and legal requirements, and operate safely.  The Guide recommends a thorough examination of factors such as the third party’s available resources and expertise, past performance during economic or financial stress periods, and utilization of technologies that may introduce additional risk.

To assess a third party’s suitability, the Guide advises banks to examine various sources of information, such as its audited financial statements, licenses, relevant policies and procedures such as anti-money laundering/combatting the financing of terrorism (“AML/CFT”) measures, and independent reviews – including reviews of the AML/CFT program.  Additionally, banks should consider examining consumer complaints, strategic plans, staffing levels, training programs, sanctions list compliance, audit reports, client feedback, and insurance coverage to ensure a comprehensive risk assessment and mitigation strategy.

Contract Negotiation.  Prior to contracting with a third party, banks should align contract terms with their strategic objectives, regulatory requirements, and risk management policies.  Contracts should clearly set forth responsibilities.  They also should include governance and escalation protocols, address data access rights, and assess potential scenarios for breach of contract, particularly for higher-risk activities.  Contract negotiations can be informed by risk assessment findings, proposed service level agreements, input from business units, contract clauses granting access to audit reports, and legal and compliance perspectives to safeguard the bank’s interests.

Ongoing Monitoring.  Continuous monitoring of third-party activities is necessary for ensuring compliance with contract requirements and facilitating timely adjustments to risk management practices.  Banks can assess third-party performance against service level agreements, confirm financial stability through audited reports, attempt to ensure compliance with laws and regulations, review changes in risk assessments, and evaluate contingency testing results.  Banks also can review information security, customer complaints, staffing and succession plans, training materials, and public feedback and media reports regarding the third party.

Termination.  Although termination of a third-party relationship may become necessary, the Guide encourages banks to carefully consider during the planning phase the potential impact of termination to minimize costs and disruptions, especially for higher-risk activities.  Considerations include assessing the impact of termination on bank operations and compliance with applicable laws and regulations, determining what access to bank systems or information has been granted to the third party, and ensuring access to data for compliance with AML/CFT requirements and other recordkeeping obligations.  The Guide suggests leveraging resources such as third-party contract terms, budgeting for termination costs, transition plans, evaluations of alternative third-party options, and strategies to minimize disruption to customer accounts and operations.  Additionally, the bank should maintain an inventory of its customers’ data held by third parties to support risk management regarding data retention, access, and destruction.

The Guide notes that governance plays a pivotal role throughout the third-party relationship life cycle.  Good governance can include evaluating the effectiveness of bank policies and procedures for third-party risk management, assessing the alignment of governance structure and the internal control environment with bank policies, conducting periodic independent reviews, and documenting actions taken to address issues.  Additional steps can include aligning third-party risk management with strategic goals, establishing policies and procedures for risk assessment, contingency testing, audit reports, and periodic management reporting.