FDIC Announces New Guidance on Third-Party Risk Management
In June 2023, the FDIC and the Office of the Comptroller of the Currency announced a final Interagency Guidance on Third-Party Relationships: Risk Management. This serves as an update to related 2021 guidance.
The updated guidance offers banks a framework for sound risk management practices in all stages of the third-party relationship lifecycle and outlines several types of third-party relationships, including outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. It also stipulates that other and novel forms of third-party relationships can exist and that the guidance applies to them as well.
The guidance outlines a five-stage life cycle for third-party risk management. The steps to the lifecycle are as follows:
- Planning: Banks should research and recognize potential risks before agreeing to a third-party relationship. The FDIC guidance lists activities banks should undertake during the planning phase; they can be found here.
- Due Diligence and Third-Party Selection: Banks should perform due diligence on any entity they are considering entering into a third-party agreement with. How rigorous this due diligence is should be based on the complexity and amount of potential risk present. A wide range of due diligence activities recommended by the FDIC can be found here.
- Contract Negotiation: When a bank decides to enter a third-party relationship with a service provider, a written contract is drafted. This contract must be negotiated to ensure that the bank’s business and risk management needs are being met. There are many aspects that need to be considered during these negotiations; the FDIC provides details on them here.
- Ongoing Monitoring: It is important to keep track of how existing third-party relationships are going, both to ensure that work is being done effectively and in accordance with agreements, and to be able to respond to issues that might arise. The FDIC details suggested ongoing monitoring activities here.
- Termination: If it is decided to end a third-party relationship, this must be done in a strategic and efficient manner. Special care should be taken with data controls and system access. Other considerations during the termination stage can be found here.
The FDIC recognizes that there are many ways an organization can structure its third-party risk management process. Whatever approach a bank takes, risk governance should always contain the following three elements:
- Oversight and Accountability: The bank’s board of directors must provide oversight of any third parties employed, giving details of the oversight to management, who develop and implement the oversight plan. Keeping third parties accountable can help minimize risk to the banking organization.
- Independent Reviews: Banks should periodically have an independent review done of their third-party risk management practices. This allows the bank to check that its processes are adequate, that no conflicts of interest are present, and that its goals are truly in alignment with the third party’s.
- Documentation and Reporting: It is crucial that the banking organization document and report on its third-party risk management processes to individuals who conduct control activities, both internal and external. Management should be made aware of any such reports.
Supervisory agencies will review the third-party risk management processes of the banks they oversee as part of their standard supervisory process. This can include assessing the bank’s ability to manage third-party relationships, performing transaction tests to evaluate the activities performed by the third party, and assessing whether all aspects of the third-party relationship comply with applicable laws and regulations.
For more information on the Interagency Guidance on Third-Party Relationships: Risk Management, see the FDIC website.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.