Banking agencies propose joint adoption of OCC-based guidance on third-party risk management

Joint agency guidance for banking institutions on third-party risk management – including that related to arrangements with fintech (financial technology) firms – was issued Tuesday for a 60-day public comment period by the Federal Reserve, Federal Deposit Insurance Corp. (FDIC), and Office of the Comptroller of the Currency (OCC).

The proposed guidance is based on the OCC’s 2013 guidance, revised to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies. The guidance, the agencies said, offers a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.

The guidance also underscores that banks that outsource services or operational functions remain responsible for ensuring those activities are conducted “in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.”

The agencies said the proposed guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.

Included as an exhibit separate from the proposal are the OCC’s March 2020 frequently asked questions (FAQs), which were intended to clarify the OCC’s 2013 third-party risk management guidance and discuss evolving industry topics.

“The agencies seek public comment on the extent to which the concepts discussed in the OCC’s 2020 FAQs should be incorporated into the final version of the guidance,” they said. “More specifically, the agencies seek public comment on whether: (1) any of those concepts should be incorporated into the final guidance; and (2) there are additional concepts that would be helpful to include.”

The proposed guidance, according to the notice:

  • describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise;
  • describes the third-party risk management life cycle and identifies principles applicable to each stage (also defined in the proposal) of the life cycle;
  • stresses the importance of a banking organization appropriately managing and evaluating the risks associated with each third-party relationship;
  • states that a banking organization’s use of third parties does not diminish its responsibility to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations;
  • indicates that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.

“The proposed guidance is intended for all third-party relationships and is especially important for relationships that a banking organization relies on to a significant extent, relationships that entail greater risk and complexity, and relationships that involve critical activities as described in the proposed guidance,” the agencies said.

The guidance describes “critical activities” as significant bank functions or other activities that: could cause a banking organization to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.

Comments are due 60 days after the proposed guidance if published in the Federal Register.

Agencies request comment on proposed risk management guidance for third-party relationships

Proposed guidance