Banking Regulators Issue Final Joint Guidance on Third-Party Relationships
June 7, 2023

Key insights from the Interagency Guidance to help banks better manage risks associated with third parties, including BaaS and FinTech relationships

On June 6, 2023, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Comptroller of the Currency (OCC) collectively issued final joint guidance on third-party relationships, which includes Banking as a Service (BaaS) banks and FinTech partnerships. The much anticipated 68-page, 15,000+ word document, titled the Interagency Guidance on Third-Party Relationships: Risk Management, offers the agencies’ consolidated views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

In short, regulators have indicated that banks should treat third-party platform partners (including Banking as a Service (BaaS) banks and FinTech partners) as digital branches, and that banks will be responsible for ensuring proper risk management oversight. The report provides insights and recommendations to help banking executives better navigate and mitigate risks associated with their third-party vendors. These new guidelines also offer direction to third parties, like BaaS banks and FinTechs, that work with financial institutions. Read on for what is new in the final guidance and some practical strategies outlined in the report.

What is New in the Joint Guidance?

  • Replaces Existing Guidance: The final guidance rescinds and replaces each agency's existing guidance on third-party risk management.
  • Consistency in Supervisory Approach: The new interagency guidance aims to promote consistency in the agencies' supervisory approaches to third-party risk management. This ensures that banking organizations are subject to consistent standards and expectations across regulatory bodies.
  • Streamlined Framework: The new report reflects streamlined language and improved clarity compared to the previous guidance. This makes it easier for banking organizations to understand and implement effective risk management practices for their third-party relationships.
  • Third-Party Risk Management Life Cycle: The new guidance outlines the third-party risk management life cycle, providing a structured framework for managing third-party relationships. This life cycle approach helps organizations effectively identify, assess, monitor, and mitigate risks throughout the duration of relationships.
  • Varying Levels of Risk and Criticality: The new guidance clarifies that not all third-party relationships present the same level of risk or criticality to a bank's operations. This recognition allows organizations to tailor their risk management practices based on the specific characteristics and importance of each relationship, commensurate with each banking organization’s size, complexity, and risk profile.
  • Integration with Other Risk Management Rules: The guidance clarifies that banking organizations should evaluate third-party relationships related to lending, payment, or deposit activities using both the third-party risk management guidance and the applicable risk management processes, rules, and regulations that apply to traditional lending and deposit relationships. This integration ensures comprehensive risk assessment and management.
  • Sound Risk Management Principles: Both the previous agency guidance and the new joint guidance emphasize the importance of sound risk management principles. However, the new guidance provides more specific principles to consider when developing and implementing third-party risk management practices. These principles are aligned with the bank's size, risk profile, complexity, and the criticality of the activities supported by third parties.

Guidance For BaaS Banks and FinTechs

Banks that distribute products and services through third-party FinTech partners fall squarely into the scope of this guidance, reinforcing the need for robust FinTech risk management practices to strengthen operations, safeguard customer interests, and enhance reputations. The guidance emphasizes the need for these entities to prioritize thorough due diligence, regulatory compliance, and strong governance structures. By implementing diligent partner evaluation processes, ensuring adherence to regulatory requirements, and establishing effective governance frameworks, these organizations can effectively mitigate risks, demonstrate regulatory compliance, and cultivate trust with customers, partners, and regulatory authorities.

Initiating and Monitoring Third-Party Relationships

To establish a strong foundation for third-party risk management, the guidance emphasizes the need for financial institutions to undertake thorough due diligence when selecting their partners. This goes beyond simply reviewing financial statements and conducting background checks. It involves a comprehensive assessment of the overall effectiveness of the relationship, ensuring alignment with strategic goals, and considering risk appetite and compliance with laws and regulations. For example, organizations may evaluate the third party's track record in managing similar engagements, their reputation in the industry, and their commitment to cybersecurity and data privacy.

Additionally, due diligence should not be a one-time exercise but an ongoing process. Changes in the third party's business strategy, products and services, financial condition, insurance coverage, and compliance with contractual obligations should be continuously monitored. This can be achieved through regular reviews, site visits, and audits to ensure that the third party maintains the necessary controls and meets the agreed-upon standards. SRA Watchtower | FinTech Risk Management and Monitoring can solve for this.

Termination Procedures

Banks may need to terminate third-party relationships for various reasons, such as contractual breaches, performance issues, or strategic decisions to bring activities in-house. The joint guidance notes that proper termination procedures ensure an efficient transition of services and minimize potential disruptions to the organization and its customers.

When developing termination procedures, the guidance calls on organizations to consider effective transition options. This could involve identifying alternative third-party providers or establishing in-house capabilities to replace the outsourced functions. Managing costs and fees is another critical aspect, as termination may incur penalties or require renegotiation of contracts. The guidance points out that organizations should carefully assess the financial impact of termination and plan accordingly.

The agencies also note that handling data retention and destruction is crucial during the termination process. Banks should ensure that sensitive customer information and proprietary data are properly transferred, securely stored, or destroyed in compliance with applicable laws and regulations. Additionally, organizations should address risks associated with intellectual property and customer impact, such as protecting trade secrets or ensuring a seamless transition for customers, according to the new joint guidance.

Governance

In the report, the agencies emphasize that an effective governance structure is crucial for robust third-party risk management. The Board of Directors plays a vital role in providing oversight, setting risk appetite, and approving policies related to third-party relationships. Boards should actively engage in understanding the risks associated with these relationships and ensure that appropriate controls and processes are in place.

The guidance also stresses that management is responsible for implementing risk management processes aligned with the organization's risk profile. This includes establishing clear roles and responsibilities, conducting regular risk assessments, and monitoring the performance of third parties. Management should also prioritize ongoing training and awareness programs to ensure that employees understand their responsibilities in managing third-party risks.

Independent reviews play a critical role in assessing the adequacy of the organization's third-party risk management processes, according to the guidance. These reviews can be conducted by internal audit teams or external consultants and help identify gaps, evaluate controls, and recommend adjustments. Documentation and reporting are essential components of effective governance. They demonstrate compliance, support control activities, and facilitate effective internal communication.

Supervisory Reviews

The guidance points out that regulatory agencies will evaluate the effectiveness of a banking organization's third-party risk management practices when conducting supervisory reviews. During these reviews, examiners assess various factors, including the ability of management to oversee relationships, the impact of third-party engagements on the organization's risk profile, compliance with laws and regulations, and the remediation of any identified deficiencies.

Supervisory reviews play a crucial role in assigning ratings to banks and highlighting risks to the organization and its stakeholders. It is essential for banking executives to proactively address any identified deficiencies and take corrective actions to strengthen their third-party risk management framework. By demonstrating a proactive approach to managing third-party risks and actively monitoring their FinTech partners, organizations can enhance their reputation, maintain regulatory compliance, and mitigate potential financial and operational risks.

Navigating the Complexities of Third-Party Relationships

By adhering to the best practices outlined in the Interagency Guidance on Third-Party Relationships: Risk Management, banking executives can ensure their organizations are well-equipped to navigate the complexities of third-party relationships. In return, third-party partners like BaaS banks or FinTechs can leverage this guidance to ensure they, too, are operating within the revised guidance and adhering to regulatory requirements, making them trusted partners in securing the safety and soundness of the banking community. Incorporating robust due diligence processes, implementing comprehensive ongoing monitoring, establishing efficient termination procedures, and fostering strong governance structures will enable banks to mitigate potential risks and safeguard their future success.

If you are looking for support around third-party risk or FinTech Risk Management, please contact SRA today. To access the full Final Guidance report, please refer to the official resources provided by the regulatory agencies below:

OCC Bulletin 2023-17 | June 6, 2023

PDF: Final Guidance on Third-Party Risk Management

FDIC: FIL-29-2023 | June 6, 2023

As a reference here are links to the 2021 guidelines issued by the OCC:

OCC Bulletin 2021-40 | August 27, 2021 - Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks

PDF: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks
