On June 6, 2023, final interagency guidance was issued on managing risks associated with third-party relationships. The guidance provides sound principles that supports a risk-based approach to third-party risk management. It is important that financial institutions include these practices when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.
- Promotes consistency in the agencies’ supervisory approach to third-party risk management. The guidance replaces the Agencies’ existing, separate third-party risk management guidance.
- Outlines the third-party risk management life cycle and identifies risk management principles applicable to each stage of the life cycle. Specifically, it responds to the continued and growing prevalence of relationships between financial institutions and third parties, including both traditional service providers and fintechs.
- Clarifies that not all third-party relationships present the same level of risk or criticality to a financial institution’s operations.
- Describes sound risk management principles to consider when developing and implementing third-party risk management practices, commensurate with the financial institution’s risk profile and complexity as well as the criticality of the activity supported by the third party.
- Largely consistent with the proposal released on July 13, 2021 (the Proposed Guidance). Like the Proposed Guidance, it is based on the OCC’s existing guidance and broadly consistent with each of the Agencies’ existing guidance it replaces.
- Emphasizes that a financial institution is ultimately responsible for conducting its activities—including activities conducted through a third party—in a safe and sound manner.
- A financial institution should adopt risk management practices that are commensurate with the risk posed by its third-party relationships.
Key changes from the Proposed Guidance:
- Explicitly references in scope partnerships with new or novel structures and features, which would include those in which fintechs interact directly with customers.
- The Interagency Guidance referenced maintaining a complete inventory of all third-party relationships, noting that the inventory and periodic risk assessments for each third-party relationship are supportive of an institution’s sound risk management over time.
- Agencies will tailor the scope of their supervisory review of a financial institution to the degree of risk and the complexity associated with the organization’s activities and third-party relationships.
- The Interagency Guidance stated that examiners would consider that “not all third-party risk relationships present the same risks, and that financial institutions tailor their practices to the risks presented.” Unlike the Proposed Guidance, the final Interagency Guidance does not specifically exclude customer relationships from the definition of “business arrangement.”
- Revised the definition of “critical activities,” including the elimination from the definition the proposed concepts of “significant financial institution functions” and activities “requiring significant investment in resources to implement the third-party relationship and manage the risk.”
- Placed greater emphasis on the nature of the considerations listed in the Interagency Guidance as merely illustrative examples, not requirements, and noting that they may not apply to every organization or to each third-party relationship.
- Acknowledges that a financial institution may have limited negotiating power in contract negotiation.
- Emphasized the importance of a financial institution having a “sound methodology to designate which activities and third-party relationships receive more comprehensive oversight.
- Clarified the responsibilities of a board of directors of a financial institution, including providing oversight for third-party risk management and holding management accountable, providing clear guidance regarding acceptable risk appetite, approving appropriate policies and ensuring that appropriate procedures and practices have been established.
Managing your vendor relationships is an important component of your financial institution’s risk management practices. It is going to be very important that you understand the updated requirements and make sure your third-party management programs are evolved to comply with the robust rules.