On June 6, 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Department of the Treasury’s Office of the Comptroller of the Currency (OCC) issued final joint guidance for banking organizations on managing risks associated with third-party relationships. Previously, the Board (2013), FDIC (2008) and OCC (2013 and 2020) had each issued separate guidance for their respective supervised banking organizations. After the agencies extensively reviewed and analyzed comments provided from July-October 2021 on the proposed interagency guidance, the prior issuances by the separate regulators were rescinded and replaced by the final joint interagency guidance[1]. The guidance was over ten years in the making, and corresponds with an observed increase in the number and types of third-party relationships used by banks. The use by banks of fintech companies is a prime example; there has been an explosion in the variety of services offered to banks by such companies. The guidance is intended to promote a consistent message on risk management from the agencies, and to more clearly articulate risk-based principles for third-party risk management.
An overarching theme of the new guidance is that no “one size fits all” model exists for banks to follow, and that no set of minimum standards has been established for banks of any size. Instead, each bank must analyze the facts and circumstances unique to its business, use its own best judgment to ensure safe and sound banking practices, and make sure that it is not exposed to unacceptable risk from a third-party provider. Activity that might not pose undue risk for one institution may pose undue risk for another. The guidance is comprehensive, in that it covers all aspects of the risk management life cycle – Planning, Due Diligence and Third-Party Selection, Contract Negotiation, Ongoing Monitoring, and Termination. It anticipates that each bank’s management team (and in some cases, especially for higher-risk activities, its directors) will conduct an internal review to understand and address any identified risks associated with the onboarding and ongoing management of a proposed third-party relationship.
One potential consequence of the new guidance is that third-party providers, especially providers that service multiple banks, may see increasing divergence in the requirements their bank customers seek to impose – even customers that are similarly situated. Third-party providers will need to be increasingly nimble and react accordingly. A third-party’s business model that may have worked adequately in the past may now be subject to increased scrutiny, and may need to be tweaked, or overhauled, to accommodate the new guidelines and the risk profiles of different banks. This may result in new burdens for these third-party providers, but also perhaps new business opportunities to service these new demands. Importantly, although this new guidance is primarily focused on the responsibility of banks for creating and maintaining safe and sound risk management policies and procedures, Section C.3.q of the guidance is clear: third-party providers must be aware of their roles and potential liability in their relationships with supervised banks, and it may be important for contracts to stipulate that the performance of activities is subject to regulatory examination and oversight.
One clear takeaway is that appropriate due diligence by a supervised bank as it enters into third-party relationships is crucial, and it is not adequate for any bank to rely on prior experience with or knowledge of a third-party provider. Due diligence must be tailored to the specific activity to be performed, and if the diligence uncovers any causes for concern, then additional diligence may be warranted. The level of diligence sufficient for one bank may be completely insufficient for another. The guidance recognizes that the diligence process may not be easy – e.g., a provider may not have a long operational history, or may not allow site visits – but this does not absolve a bank from its diligence obligation. Supplemental methods, including industry utilities or consortiums, or consulting with other organizations (subject to antitrust limitations), may be acceptable. Ultimately, the guidance indicates that a bank (even a small community bank) may need to walk away from a relationship if it cannot become comfortable with it.
Furthermore, banks will need to devote more resources, including the staffing of compliance, risk and technology professionals, to manage the procurement of services. A standard form contract that may have worked previously for multiple counterparties may need to be vetted by specialized legal counsel prior to each signing. In some cases, banks may have limited negotiating power, especially with third-party providers in concentrated industries (e.g., check processors or cloud computing services), and the guidance acknowledges that residual risks may exist. As a potential solution, banks may negotiate as a group in order to achieve better contract terms (again, subject to antitrust limitations). But if a bank cannot become comfortable with such risk, it may need to use a different third-party provider, or perform the task in house. The same concerns about third-party risks are even more pronounced for the subcontractors a third-party may employ. As a result, to minimize regulatory scrutiny a bank may want to be notified of, or have the right to consent to, a third-party’s use of a subcontractor, or stipulate in a contract that a third-party will be liable for the actions and activities of its subcontractors.
With heightened attention to third-party (and subcontractor) risks, ongoing monitoring will be increasingly necessary for banks. When contracts are drafted, banks should consider a built-in monitoring framework – such that, if there are repeated violations or red flags, the bank will have as much recourse as possible – including the ability to terminate without penalty. An effective monitoring procedure will allow for operational and security risks to be identified and addressed at an early stage, to prevent them from spiraling out of control and creating a risk of regulatory enforcement. Furthermore, there may be changes to the third-party itself – e.g., a merger with a foreign corporation, a dip in its financial condition, or a loss of key employees – that could make a bank sufficiently uncomfortable with the relationship, such that it may seek an early exit, without penalty, from the contract.
Ideally, this joint guidance will be a useful roadmap for each supervised banking organization to help it effectively manage the risk associated with its third-party relationships. It remains to be seen exactly how these regulatory agencies will choose to review and scrutinize the banks, and their third-party providers (and their subcontractors), under the new guidance. While it may be short on specifics, the spirit and strength of the new interagency framework, and the ultimate responsibility of banks to understand and manage risks associated with third-party relationships, will hopefully enable banks to navigate both current and future third-party relationship risk in a safe and sound manner.
For further information, please contact:
Scott A. Lessne, Crowell & Moring
slessne@crowell.com
[1] “Interagency Guidance on Third-Party Relationships: Risk Management,” 88 FR 37920 (June 9, 2023); Board of Governors of the Federal Reserve System – https://www.federalreserve.gov/supervisionreg/srletters/SR2304a1.pdf; Federal Deposit Insurance Corporation – https://www.fdic.gov/news/financial-institution-letters/2023/fil23029.html; Office of the Comptroller of the Currency – https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html.