Three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency – collectively Agencies) issued proposed risk management guidance on July 13 regarding third-party relationships. The Agencies have each previously released individual guidance on this topic, but the proposed guidance seeks to provide a consistent and clearly articulated framework based on sound risk management principles for all banking organizations under the Agencies’ remit. In their press release, the Agencies noted that the proposed guidance covers fintech entities as well.
The proposed guidance is based on the OCC’s existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability of the proposed guidance. The Agencies are also seeking public comment on the extent to which the concepts discussed in the OCC’s 2020 FAQs regarding third-party relationships should be incorporated into the final version of the guidance.
The proposed guidance includes basic principles such as:
- A banking organization’s use of third parties does not diminish its responsibility to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations.
- Banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.
- Proper management of third-party service relationships is especially important for relationships that a banking organization relies on to a significant extent, relationships that entail greater risk and complexity, including those with new or innovative technologies, and relationships that involve mission-critical activities.
The proposed guidance also identifies principles that are applicable to each stage of the third-party risk management life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner. The proposed guidance provides extensive details on all the above identified principles.
The proposed guidance also includes details about how examiners typically assess a banking organization’s third-party risk management.
The Agencies have solicited comments on all aspects of the proposal (comments must be received within 60 days of the proposed guidance’s publication in the Federal Register).
The interagency initiative to harmonize federal regulatory and supervisory standards for third-party relationships is a welcome one, in that, while each federal agency has adopted its own risk management-based principles for such relationships, the requirements and level of detail associated with each agency’s guidance are not fully consistent. It also is noteworthy that the Agencies apparently decided to issue the proposed guidance without the participation of the Consumer Financial Protection Bureau, which has its own, much less detailed, third-party oversight guidance. At the same time, the “default” that the Agencies apparently are proposing is the incorporation of OCC third-party service provider guidance, which has, by a considerable margin, been the most detailed and action-specific guidance of the federal banking agencies, and in our experience has been viewed by some industry participants as more burdensome in nature.
While the proposed guidance does not directly address the specific roles of fintech service providers in bank service relationships, the guidance plainly has the fintech industry squarely “in its sights.” Therefore, in light of this consideration and the general “OCC default” orientation of the proposed guidance, banking organizations and their vendors alike should carefully review the proposed guidance and identify any potential issues that this initiative may raise, and bring those issues to the attention of the Agencies during the comment process.