Tom Curry

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency recently released proposed guidance to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies.  

Previously, each agency issued its own guidance addressing such outsourcing relationships and practices; however, the agencies now seek to update, streamline and consolidate their existing guidance in order to promote a consistent framework of risk management principles for banking organizations to consider in developing risk management policies and procedures for effectively managing third-party vendor relationships. 

Agencies Nod to Fintech’s Role 

The proposed interagency guidance and request for comment expressly acknowledges that it is based upon the OCC’s existing third-party risk management guidance. Issued in 2013, the OCC’s guidance and related FAQs on community banks and fintechs are widely recognized as the gold standard in this area.  

The agencies noted in their proposed guidance that “[b]anking organizations routinely rely on third parties for a range of products, services, and activities,” and that “[c]ompetition, advances in technology, and innovation in the banking industry contribute to banking organizations’ increasing use of third parties to perform business functions, deliver support services, facilitate providing new products and services, or facilitate providing existing products and services in new ways.”  

“As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs,” the guidance says. 

Risk Not Evenly Distributed 

Although third parties serve a vital role, they can also expose banking organizations to financial loss, concentration risk, cybersecurity and other operational risks if not managed appropriately.  

The proposed guidance is intended to provide a framework based on sound risk management principles to assist banking organizations in identifying and addressing risks and complying with applicable statutes and regulations through all stages in the life cycle of third-party relationships, including planning, due diligence, contract negotiation, oversight and accountability, ongoing monitoring, and termination.  

The agencies acknowledge that such efforts should be commensurate to the level of risk, complexity and size of each banking organization and the nature of the relevant third-party vendor relationship. However, the proposed guidance emphasizes that the use of a third-party vendor does not diminish the responsibilities of a banking organization’s board of directors to provide oversight of senior management or the responsibilities of senior management. They must ensure that the activity in which the vendor is engaged is in compliance with safety and soundness considerations and all applicable laws and regulations, the regulators say. 

The proposed guidance further clarifies that not all third-party relationships require the same level of rigor. The expectation is that banking organizations will “engage in more comprehensive and rigorous oversight and management of third-party relationships that support ‘critical activities.’”  

According to the proposed guidance, critical activities are significant bank functions – any business line and associated operations, services, functions and support, the failure of which would result in a material loss of revenue, profit, or value of the banking organization. Critical activities also include those that could cause a banking organization to face significant risk if the vendor fails to perform, could have significant customer impacts, could require significant investments to implement the vendor relationship and manage associated risks or could have a major impact on bank operations if the vendor must be replaced or the outsourced activity must be brought in-house. 

Proposal a Welcome Effort 

Overall, the proposed guidance provides insights into supervisory expectations for a banking organization’s third-party vendor risk management functions.  

For example, the proposed guidance explains that the Fed, FDIC or OCC may use their examination authority to evaluate the functions or operations performed by a vendor on behalf of a banking organization, including evaluations of safety and soundness risks to the banking organization posed by the vendor relationship, the financial and operational viability of the vendor, the vendor’s ability to perform its contractual obligations and the vendor’s ability to comply with applicable laws and regulations. 

The proposed guidance is a welcome effort by the federal banking regulators to update and standardize a set of risk management principles nearly 10 years old and to reaffirm that it is not a one-size-fits-all approach. Hopefully, the final guidance will give banking organizations a set of principles that can be applied proportionately to the myriad types of third-party relationships. Given the increased reliance by the banking industry on third-party vendors, especially financial technology providers, clear and tested vendor risk management principles are essential.    

Thomas J. Curry is a partner in Nutter’s corporate and transactions department. Kate Henry and Armand J. Santaniello are associates in Nutter’s corporate and transactions department. Curry is former U.S. comptroller of the currency and all are members of the firm’s banking and financial services group. 

Banking Regulators Propose Unified Approach to Use of Third-Party Vendors

Banker & Tradesman