Regulators propose joint guidance on managing third-party risk

WASHINGTON — Three federal bank regulators are requesting industry input on a set of interagency guidelines to help financial institutions navigate the risks of third-party relationships.

The proposed guidance, released jointly on Tuesday afternoon by the Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corp., centers on the responsibilities of banks when practicing risk management with business partners.

Rather than eliminate the need for rigorous compliance, the agencies wrote in the guidance, “the use of third parties may present elevated risks to banking organizations and their customers.”

The guidance also marks the first time the three agencies have moved as one to advise banks on the risks of fintech partnerships and other relationships with nonbank firms. Over the past decade, each of the regulators has issued distinct third-party management guidelines: the FDIC issued guidance on partnerships in 2008, while the Fed and OCC issued their own separate versions in 2013.

Comments from stakeholders will be due 60 days after the guidance is published in the Federal Register.

The guidance is substantial, stretching more than 90 pages and attempting to account “for all stages in the life cycle of third-party relationships,” the agencies wrote, including initial business planning, contract negotiation, ongoing compliance and eventual termination.

“As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs,” the regulators wrote in the guidance. “A banking organization can be exposed to substantial financial loss if it fails to manage appropriately the risks associated with third-party relationships.”

At the same time, regulators also acknowledged concerns long expressed by the nation’s smaller banks that they would be expected to approach fintech compliance with the same intensity as their megabank counterparts.

“Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization’s operations,” the regulators wrote in the guidance.

The guidance also appeared to encourage banks to share regulatory burden when working with the same potential business partner or vendor, noting that “banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations.”

The regulators warned, however, that even while collaborating, an individual banking organization is “ultimately accountable for managing the risks of its own third-party business arrangements.”

In addition to the agencies’ new guidance, the regulators also included the already-published set of frequently asked questions issued by the OCC last year on fintech partnerships. The agencies will ask stakeholders to what extent they believe “the concepts discussed in the OCC’s 2020 FAQs should be incorporated into the final version of the guidance,” as well as whether any additional concepts should be included in a joint version of the FAQ.
