Comments due Sept. 17 on joint guidance for third-party risk management

Comments are due Sept. 17 about proposed guidance on third-party risk management at banks – including that related to deals with financial technology (fintech) firms – issued by the federal banking agencies, according to the notice published Monday in the Federal Register.

The Office of the Comptroller of the Currency (OCC) published a bulletin (2021-31) Monday about the comment due date.

Under the proposal, announced last week (July 13) and based on 2013 guidance issued by the OCC, financial institutions are offered a framework for what the agencyies say is “based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”

The guidance also underscores that banks that outsource services or operational functions remain responsible for ensuring those activities are conducted “in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.”

The agencies said the proposed guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.

According to the OCC bulletin, the comment request seeks feedback on the “utility, relevance, comprehensiveness, and clarity” of the proposed guidance and responses to specific questions listed in the notice.

The comments request also includes, the OCC said, the agency’s 2020 frequently asked questions (FAQs) about the issue as an appendix. The agencies are considering incorporating concepts discussed in those FAQs into the final guidance, the OCC stated.

OCC Bulletin 2021-31: Third-Party Relationships: Notice and Request for Comment on Proposed Interagency Guidance