Pub. 13 2023-2024 Issue 4

One Rule for All: Interagency Guidance for the Risk Management of Third-Party Relationships

The day-to-day functions of a financial institution would be impossible without the ability to outsource.

Recently, the separate guidance that each regulatory agency had issued on this topic (the Board of Governors of the Federal Reserve System, the FDIC (Federal Deposit Insurance Corporation) and the OCC (Office of the Comptroller of the Currency)) was replaced with a single document, the Interagency Guidance on Third-Party Relationships: Risk Management (Interagency Guidance). The Interagency Guidance aligns the regulatory expectations and risk management principles for third-party relationships across the three "agencies."

Financial institutions routinely rely on third-party relationships for their day-to-day functions. Given the pace of technological change, it would be nearly impossible to remain successful and competitive without outsourcing to third-party vendors. Financial institutions may outsource a range of products, services and other activities. Outsourcing offers significant benefits, including faster and more efficient access to technologies, human capital, delivery channels, products and services, and markets. It can also make the institution's operations more cost-effective overall.

Even when a function or activity is outsourced, financial institutions must still meet risk management and compliance expectations. The use of third-party relationships does not eliminate the need for sound risk management within an organization. In fact, it is quite the opposite: third-party relationships, especially those involving new technologies, can present elevated risk for financial institutions. A phrase we commonly use in the compliance industry is, "You can contract away the function, but you can't contract away the compliance responsibility." Financial institutions must understand their responsibility to ensure safe and sound third-party relationships and practices, and to comply with all applicable laws and regulations, including those intended to protect consumers.

The New Interagency Guidance

On June 6, 2023, the federal banking agencies issued the Interagency Guidance. Much of what it outlines will already be familiar to institutions supervised by the agencies, because the core concepts remain consistent with the individual agency guidance that existed before. What the new Interagency Guidance adds is consistency and a common interagency approach to managing third-party risk. This is especially important for relationships involving critical third parties and for relationships that are customer-facing or may otherwise affect consumers.

The new Interagency Guidance was developed to align with the expectations and best practices in other areas of risk management. It describes a third-party relationship lifecycle with five stages:

  1. Planning for a relationship
  2. Due diligence and third-party selection
  3. Contract negotiation
  4. Ongoing monitoring
  5. Termination

Across all of these stages, the guidance also sets expectations for governance: oversight and accountability, independent reviews, and documentation and reporting.

It's worth noting that the guidance is broadly applicable and covers all business arrangements. It does not single out particular categories or types of third parties, such as artificial intelligence providers or fintech firms, but its principles apply to all third parties and third-party relationships. That said, while financial institutions must manage every third-party relationship, they need not manage each one to the same extent: the principles in the guidance can be tailored to the level of risk, complexity and criticality of the relationship. The Interagency Guidance provides a number of examples, which should not be interpreted as exhaustive, that financial institutions may consider for their due diligence processes. The agencies also note that the guidance does not impose any new regulatory requirements.

While the new Interagency Guidance may not create new regulatory requirements for financial institutions, it is focused on managing the various risks associated with outsourcing certain products, services and activities, especially those affecting consumers. The guidance is a reminder that consumer protection and compliance remain priorities for the regulatory agencies; those terms, and similar ones, appear numerous times throughout the document. Financial institutions must be particularly diligent in ensuring that they, and their third-party service providers, comply with all applicable laws and regulations. This includes ensuring that neither the institution nor any of its third-party service providers engages in unfair or deceptive acts or practices.

The new Interagency Guidance clarifies the oversight of a third party's subcontractors: financial institutions should focus on how their third party selects and oversees its subcontractors, rather than overseeing the subcontractors directly. The guidance also distinguishes the roles of the board of directors and senior management in third-party oversight. It lists factors a board of directors may consider in carrying out its responsibilities, and it identifies activities and responsibilities that management may perform.

Many see this new Interagency Guidance as a signal to financial institutions that enhanced risk management practices are an area of focus for regulators and are critical to the safety and soundness of an institution. This guidance, along with other recent consent orders, may be foreshadowing the supervisory focus on vendor management relationships and the bank’s risk management practices for maintaining such relationships.

However your institution interprets the new guidance, it is essential to review its current policies, procedures and risk management practices to ensure they align with the new Interagency Guidance. Since much of the guidance highlights due diligence, contracts and the management of third-party risk and relationships, banks should consider integrating their third-party relationship risk management program with, or at least addressing it within, their overall enterprise risk management (ERM) program.

Julia A. Gutierrez serves as Director of Education for Compliance Alliance, developing curriculum and presentations as well as presenting at various schools and seminars, both live and in a livestream/hybrid format. Julia has over 20 years of financial industry experience with the Compliance Alliance team.