The Federal Reserve, FDIC, and OCC released on July 13, 2021 proposed guidance for banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The proposal is the first time that the three agencies have proposed third-party risk management guidance on an interagency basis. Comments on the proposal will be due no later than 60 days after the date it is published in the Federal Register. The proposed guidance covers all types of third-party relationships, including those involving regulatory compliance under the Bank Secrecy Act.
The proposed guidance is based on the OCC’s existing 2013 third-party risk management guidance and includes changes to reflect that the guidance’s applicability would be extended to banking organizations supervised by all three federal banking agencies. In March 2020, the OCC issued a revised set of FAQs to supplement its 2013 guidance that was intended to clarify the existing guidance and reflect evolving industry trends. The proposed guidance includes the revised FAQs as an exhibit and the agencies seek comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include.
The proposed guidance states:
A third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise. A third-party relationship may exist despite a lack of contract or remuneration. Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization’s holding company. While a determination of whether a banking organization’s relationship constitutes a business arrangement may vary depending on the facts and circumstances, third-party business arrangements generally exclude a bank’s customer relationships.
The proposed guidance sets forth principles for managing risk in each stage of a third-party relationship life cycle consisting of:
- Planning for a relationship
- Due diligence and third-party selection
- Contract negotiation
- Oversight and accountability
- Ongoing monitoring
The proposed guidance also discusses the process that examiners will typically follow when reviewing a banking organization’s third-party risk management.
The principles provided by the proposed guidance are generalized in nature and there is no discussion in the guidance of how such principles should be applied to specific types of third-party relationships. The OCC’s 2020 revised FAQs did address specific types of third-party relationships, such as relationships with data aggregators that collect customer-permissioned data from banks (including where aggregators engage in screen scraping activities), cloud computing providers, and relationships involving the use of alternative data. As noted above, the agencies ask for comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include. In addition, the series of questions on which the agencies request comment include:
- Whether there is a need for greater detail in any areas
- How the proposed description of third-party relationships could be clearer
- The extent to which the discussion of “business arrangement” in the proposed guidance provides sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate
- What additional information the guidance could provide on managing the risks associated with third-party platforms that directly engage with end customers
- How the guidance could further assist banking organizations in appropriately managing the compliance risks of business arrangements in which a third party engages in activities for which there are regulatory compliance requirements
- What additional information the proposed guidance could provide for banking organizations to consider when managing risks related to different types of relationships with third parties (e.g. partnerships, joint ventures), including technology companies
- What revisions would better assist banking organizations in assessing’s third-party risk as technologies evolve
CFPB-supervised banks and CFPB supervised non-banks to which the banking agencies’ guidance would not apply should take note that in 2016, the CFPB began to examine service providers to institutions it supervises on a regular, systematic basis, particularly those supporting the mortgage industry. In 2016, the CFPB issued a revised bulletin titled “Compliance Bulletin and Policy Guidance 2016-02, Service Providers” setting forth its expectations for managing the risks of service provider relationships.