Regulators issue guidance to community banks on third-party risks

Michael Barr
Michael Barr, vice chair for supervision at the Federal Reserve, said in January that banks' reliance on third-party providers for services creates "the potential for greater cyber risk." The Fed, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. issued a joint guidance Friday on third-party risk for community banks.
Bloomberg News

Federal regulators have issued fresh guidelines for how community banks should manage risks related to third-parties.

The Federal Reserve, Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued a 30-page guidebook on Friday explaining how small banks should approach all phases of their external partnerships, from planning to due diligence, contract negotiation to ongoing oversight and, ultimately, termination. 

"Third-party relationships present varied risks that community banks are expected to appropriately identify, assess, monitor, and control to ensure that their activities are performed in a safe and sound manner and in compliance with applicable laws and regulations," the agency said in a joint statement. "These laws and regulations include, but are not limited to, those designed to protect consumers and those addressing financial crimes."

The publication elaborates on the formal guidance issued by the Fed, FDIC and OCC last June. It does not introduce new standards but provides specific considerations and source materials for each of the previous established principles. It also includes illustrative examples of how they might be put into practice.

The report notes that failing to properly manage third parties could expose banks to financial losses or other risks, and could result in harm to customers. 

The fresh guidance is the latest step by the Washington agencies to remind banks that they are on the hook for things non-bank partners and service providers do on their behalf. 

"Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk," said Fed Vice Chair for Supervision Michael Barr during a speech in January. "It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard."

Friday's report notes that the advice is not applicable solely to community banks and could be a point of reference for larger institutions, too.

Traditionally, smaller banks have been more apt to partner with outside groups — such as financial technology firms — to bolster their businesses that their larger counterparts. Banking-as-a-service arrangements, in which fintechs procure customers for deposit, credit or lending services facilitated by a chartered bank, have been hotbeds for supervisory activity during the past year. 

The guidance is not exclusive to BaaS arrangements, though. It also notes key considerations for core services providers — something else many smaller banks outsource — fraud management and computing capabilities.

In March, Acting Comptroller of the Currency Michael Hsu said the agencies were considering a formal rule that would incorporate third-party risk management into a new operational risk framework

He noted that the expansion of bank partnerships has created more openings for risk to creep into the banking system.

"The provision of banking services increasingly resembles global manufacturing supply chains, with their efficiencies, complexities and vulnerabilities," Hsu said. "The threat surface for disruptions expands, and as authorities in other jurisdictions begin implementing their rules to ensure operational resilience, we are assessing and working with our interagency peers to develop the right approach here in the U.S."

For reprint and licensing requests for this article, click here.
Community banking Regulation and compliance