Federal Banking Regulators Release Final Guidance on Third-Party Risk Management

, , ,
  • The FDIC, Federal Reserve, and OCC release guidance on third-party risk management amidst increased scrutiny of bank-fintech relationships.
  • Regulators state guidance does not have the force and effect of law and does not impose any new requirements on banking organizations, but new guidance appears more prescriptive than the guidance it replaces.
  • Final guidance shifts tone relative to proposal in several key areas, including operational resilience and due diligence.

On June 6, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (Federal Reserve), and the Office of the Comptroller of the Currency (OCC) released long-anticipated interagency guidance on risk management of third-party relationships for supervised banking organizations. The guidance revises the July 2021 proposed interagency guidance, which received 82 comment letters.

The joint guidance provides the view of the banking regulators on what constitutes “sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.” The agencies further intend for the guidance to promote consistency in the regulatory approach to third-party risk management. Prior to this joint guidance, regulators had more diverse approaches to examining third-party risk of banking organizations. Greater harmonization among the regulators creates a more level playing field between state banks regulated by the FDIC and Federal Reserve and national banks regulated by the OCC.

The release of the guidance comes amid increased scrutiny from banking regulators regarding third-party risk management as displayed in recent enforcement actions and speeches. In August of 2022, the OCC issued an enforcement action against Blue Ridge Bank alleging unsafe and unsound practices relating to third-party risk management, particularly with regard to the bank’s fintech relationships. Acting Comptroller of the Currency Michael Hsu delivered remarks in September of 2022 in which he addressed the growing trend of bank-fintech relationships and his view that this “de-integration” of banking services “if left to its own devices is likely to accelerate and expand until there is a severe problem or even a crisis.”

In March of this year, the FDIC took enforcement action against Cross River Bank alleging unsafe and unsound practices related to compliance with fair lending laws that largely implicated the bank’s fintech relationships through which it offered “banking-as-a-service” products. The requirements stipulated in that order indicate the regulator’s broader views on how banks should be managing risks associated with fintech partnerships generally, particularly within the context of fair lending compliance.

Highlights from Interagency Guidance

The guidance focuses on two primary areas: the life cycle of third-party relationships and the governance of such relationships. The life cycle section outlines factors banking organizations should consider throughout each stage of a third-party relationship, from planning through termination. The guidelines contain granular language, offering specific examples of what banking regulators view as important considerations in particular phases such as due diligence and contract negotiation, although the agencies note that the examples provided are “not intended to be interpreted as exhaustive or to be used as a checklist.”

The governance section discusses the need for oversight and accountability of third-party relationships and describes the obligations of the board of directors and bank management. The guidance makes clear that the board of directors “has ultimate responsibility for providing oversight for third-party risk management” while the bank’s management is responsible for developing and implementing the requisite policies, procedures, and practices.

The guidance concludes with a discussion of the supervisory review process for third-party risk management. Activities typically conducted by examiners during such a review are detailed including assessing the impact of third-party relationships on the bank’s risk profile and financial and operational performance as well as compliance with applicable laws and regulations and performing transaction testing to evaluate activities performed by the third-party.

Notable Changes from Proposed Guidance

Banking regulators incorporated feedback from commenters on the 2021 draft proposal into the final guidance. For example, the final guidance highlights steps to limit the burden of due diligence, most notably encouragement to collaborate with other banking organizations and engage with third parties that specialize in conducting due diligence. Some notable revisions were made to the guidance on conducting due diligence and third-party selection. The draft proposal included direction to “consider any conformity assessment or certification by independent third parties related to relevant domestic or international standards” which was dropped in the final guidance. This change is intended to emphasize the importance of banking organizations conducting their own due diligence and to avoid relying exclusively on the diligence of third parties. The final guidance incorporated a consideration of the third-party’s training and redundancy planning for key personnel that was not included in the draft proposal.

Also within the due diligence and third-party selection phase of the life cycle, the operational resilience subsection was enhanced in the final guidance. Consideration of dependency on a single provider for multiple activities was added to emphasize the importance of avoiding servicer concentrations. The importance of assessing a third-party’s operational resilience to operate through and recover from disruption is emphasized as particularly important when the impact of such a disruption could affect the customers of a bank, including when the third-party interacts with customers directly.

The decision not to specifically exclude customer relationships from the definition of “business arrangement” in the final guidance, contrary to what had been proposed in the draft guidance, is one point of contention among regulators. FDIC Director Jonathan McKernan notes in his statement on the final guidance that the change “creates ambiguity” and the guidance is “now unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services.” McKernan goes on to state that he would “support developing a separate resource guide for community banks as soon as practicable,” a sentiment echoed by Federal Reserve Governor Michelle Bowman in her remarks. Bowman did not support the guidance primarily based on her view that it does not sufficiently “mitigate regulatory burden on smaller institutions.” She noted that while the guidance acknowledges fundamental differences between banks, it “applies the same expectations to all banks, regardless of their size and complexity.”

Considerations for Banks and Fintech Providers

Given the regulators’ heightened focus on third-party risk management, particularly regarding fintech partnerships, bank management should consider reevaluating compliance and reviewing their third-party risk management frameworks to ensure conformity with the new guidance. This is especially the case for state-chartered banks, since the new guidance aligns most closely with the OCC’s previous guidance, certain aspects of the final guidance may be new or different to these organizations. Banking organizations would be well served to ensure their third-party risk management approach (and especially documentation of their activities) is consistent with regulatory expectations in advance of scheduled examinations.

Fintechs seeking to maintain or expand bank partnerships should be aware of the risk management framework memorialized by the new guidance and should consider what governance, operational, and compliance enhancements may be necessary to best meet the diligence, contracting, and monitoring needs of bank partners.

While the guidance does not have the force of law and regulation, it reminds third parties that the agencies have legal authority to directly examine functions or operations that a third-party performs on a banking organization’s behalf and if warranted take corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the banking organization or its third party.

While reminders of such authority are not uncommon in supervisory guidance, the timing may foreshadow additional scrutiny of third-party service providers under the Bank Service Company Act.

Put Patomak’s Banking Expertise to Work 

Patomak has deep experience in helping banks and other financial institutions identify and manage risks and respond to developments in banking regulation and supervision. Patomak can work with boards and management to assess their governance and internal risk and control functions proactively to ensure they exceed supervisory expectations and support their business objectives. Contact us to learn how Patomak can help you navigate these challenges and help you meet your business goals.