Federal Register Extracts

Agency: "The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury."

SUMMARY: The Board, FDIC, and OCC (collectively, the agencies) are issuing final guidance on managing risks associated with third-party relationships. The final guidance offers the agencies' views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships. The final guidance states that sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. The agencies are issuing this joint guidance to promote consistency in supervisory approaches; it replaces each agency's existing general guidance on this topic and is directed to all banking organizations supervised by the agencies.

DATES:

The guidance is final as of June 6, 2023.

FOR FURTHER INFORMATION CONTACT:

Board: Kavita Jain, Deputy Associate Director, (202) 452-2062, Chandni Saxena, Manager, (202) 452-2357, Timothy Geishecker, Lead Financial Institution and Policy Analyst, (202) 475-6353, or David Palmer, Lead Financial Institution and Policy Analyst, (202) 452-2904, Division of Supervision and Regulation; Matthew Dukes, Counsel, (202) 973-5096, Division of Consumer and Community Affairs; or Claudia Von Pervieux, Senior Counsel, (202) 452-2552, Evans Muzere, Senior Counsel, (202) 452-2621, or Alyssa O'Connor, Senior Attorney, (202) 452-3886, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. For users of telephone systems via text telephone (TTY) or any TTY-based Telecommunications Relay Services (TRS), please call 711 from any telephone, anywhere in the United States.

FDIC: Thomas F. Lyons, Associate Director, Risk Management Policy, [email protected], (202) 898-6850), or Judy E. Gross, Senior Policy Analyst, [email protected], (202) 898-7047, Policy & Program Development, Division of Risk Management Supervision; Paul Robin, Chief, [email protected], (202) 898-6818, Supervisory Policy Section, Division of Depositor and Consumer Protection; or Marguerite Sagatelian, Senior Special Counsel, [email protected], (202) 898-6690 or Jennifer M. Jones, Counsel, [email protected], (202) 898-6768, Supervision, Legislation & Enforcement Branch, Legal Division, Federal Deposit Insurance Corporation; 550 17th Street NW, Washington, DC 20429.

OCC: Kevin Greenfield, Deputy Comptroller for Operational Risk Policy, Tamara Culler, Governance and Operational Risk Policy Director, Emily Doran, Governance and Operational Risk Policy Analyst, or Stuart Hoffman, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, (202) 649-6550; or Eden Gray, Assistant Director, Tad Thompson, Counsel, or Graham Bannon, Attorney, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, or have a speech disability, please dial 7-1-1 to access telecommunications relay services.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction

II. Discussion of Comments on the Proposed Guidance

A. General Support for the Proposed Guidance

B. Terminology and Scope

C. Tailored Approach to Third-Party Risk Management

D. Specific Types of Third-Party Relationships

E. Risk Management Life Cycle

F. Subcontractors

G. Oversight and Accountability

H. Other Matters Raised

III. Paperwork Reduction Act

IV. Text of Final Interagency Guidance on Third-Party Relationships

I. Introduction Banking organizations /1/ routinely rely on third parties for a range of products, services, and other activities (collectively, activities). The use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets. Banking organizations' use of third parties does not remove the need for sound risk management. On the contrary, the use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks. Importantly, the use of third parties does not diminish or remove banking organizations' responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.

FOOTNOTE 1 For a description of the banking organizations supervised by each agency, refer to the definition of "appropriate Federal banking agency" in section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)). This guidance is relevant to all banking organizations supervised by the agencies. END FOOTNOTE

The agencies have each previously issued general guidance for their respective supervised banking organizations to address appropriate risk management practices for third-party relationships, each of which is rescinded and replaced by this final guidance: the Board's 2013 guidance, /2/ the FDIC's 2008 guidance, /3/ and the OCC's 2013 guidance and its 2020 frequently asked questions (herein, OCC FAQs). /4/ By issuing this interagency guidance, the agencies aim to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles for third-party risk management. Further, the agencies have observed an increase in the number and type of banking organizations' third-party relationships. Accordingly, the final guidance is intended to assist banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations. /5/

FOOTNOTE 2 SR Letter 13-19/CA Letter 13-21, "Guidance on Managing Outsourcing Risk" (December 5, 2013, updated February 26, 2021). END FOOTNOTE

FOOTNOTE 3 FIL-44-2008, "Guidance for Managing Third-Party Risk" (June 6, 2008). END FOOTNOTE

FOOTNOTE 4 OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," and OCC Bulletin 2020-10, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29." Additionally, the OCC also issued foreign-based third-party guidance, OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance," which is not being rescinded but instead supplements the final guidance. END FOOTNOTE

FOOTNOTE 5 These include the "Interagency Guidelines Establishing Standards for Safety and Soundness," and the "Interagency Guidelines Establishing Information Security Standards," which were adopted pursuant to the procedures of section 39 of the Federal Deposit Insurance Act and section 505 of the Graham Leach Bliley Act, respectively. See 12 CFR part 30, appendices A and B (OCC); part 208, appendices D-1 and D-2 (Board); and part 364, appendices A and B (FDIC). END FOOTNOTE

II. Discussion of Comments on the Proposed Guidance

On July 19, 2021, the agencies published for comment proposed guidance on managing risks associated with third-party relationships (proposed guidance). /6/ The 60-day comment period initially ended on September 17, 2021. In response to commenters' requests for additional time to analyze and respond to the proposal, the agencies extended the comment period until October 18, 2021. /7/

FOOTNOTE 6 "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," 86 FR 38182 (July 19, 2021). END FOOTNOTE

FOOTNOTE 7 "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," 86 FR 50789 (September 10, 2021). END FOOTNOTE

The agencies invited comment on all aspects of the proposed guidance. To help solicit feedback, the agencies posed 18 questions within the request for comment, organized across the following themes: General, Scope,Tailored Approach to Third-Party Risk Management, Third-Party Relationships,Due Diligence and Collaborative Arrangements, Subcontractors,Information Security, and the OCC's 2020 FAQs. The agencies collectively received 82 comment letters from banking organizations, financial technology (fintech) companies and other third-party providers, trade associations, consultants, nonprofits, and individuals. /8/

FOOTNOTE 8 Comments can be accessed at: https://www.regulations.gov/document/OCC-2021-0011-0001/comment (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=OP-1752&doc_ver=1 (Board); and https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-proposed-interagency-guidance-third-party-rel-rm-3064-za26.html (FDIC). END FOOTNOTE

A. General Support for the Proposed Guidance

In general, commenters supported the agencies' efforts to issue joint principles-based guidance on third-party risk management. Commenters agreed with the proposal's overarching message regarding the importance of banking organizations adopting sound risk management practices that are commensurate with the level of risk and complexity of their respective third-party relationships. They agreed that a principles-based approach to third-party risk management can be adapted to a wide range of relationships and scaled for banking organizations of different sizes and complexity.

--This is a summary of a Federal Register article originally published on the page number listed below--

Final interagency guidance.

RIN Number: "RIN 3064-ZA26"

Citation: "88 FR 37920"

Document Number: "Docket No. OP-1752"; "Docket ID OCC-2021-0011"

Federal Register Page Number: "37920"

"Notices"