Office of the Comptroller of the Currency, FDIC, Fed: Interagency Guidance on Third-Party Relationships – Risk Management (Part 1 of 3)
The notice was issued by Acting Comptroller of the Currency
Here are excerpts:
* * *
SUMMARY:
The Board,
DATES:
The guidance is final as of
FOR FURTHER INFORMATION CONTACT:
Board:
OCC:
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Introduction
II. Discussion of Comments on the Proposed Guidance
A. General Support for the Proposed Guidance
B. Terminology and Scope
C. Tailored Approach to Third-Party Risk Management
D. Specific Types of Third-Party Relationships
E. Risk Management Life Cycle
F. Subcontractors
G. Oversight and Accountability
H. Other Matters Raised
III. Paperwork Reduction Act
IV. Text of Final Interagency Guidance on Third-Party Relationships
I. Introduction
Banking organizations[1] routinely rely on third parties for a range of products, services, and other activities (collectively, activities). The use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets. Banking organizations' use of third parties does not remove the need for sound risk management. On the contrary, the use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks. Importantly, the use of third parties does not diminish or remove banking organizations' responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.
The agencies have each previously issued general guidance for their respective supervised banking organizations to address appropriate risk management practices for third-party relationships, each of which is rescinded and replaced by this final guidance: the Board's 2013 guidance,[2] the
II. Discussion of Comments on the Proposed Guidance
On
The agencies invited comment on all aspects of the proposed guidance. To help solicit feedback, the agencies posed 18 questions within the request for comment, organized across the following themes: General, Scope, Tailored Approach to Third-Party Risk Management, Third-Party Relationships, Due Diligence and Collaborative Arrangements, Subcontractors, Information Security, and the OCC's 2020 FAQs. The agencies collectively received 82 comment letters from banking organizations, financial technology (fintech) companies and other third-party providers, trade associations, consultants, nonprofits, and individuals.[8]
A. General Support for the Proposed Guidance
In general, commenters supported the agencies' efforts to issue joint principles-based guidance on third-party risk management. Commenters agreed with the proposal's overarching message regarding the importance of banking organizations adopting sound risk management practices that are commensurate with the level of risk and complexity of their respective third-party relationships. They agreed that a principles-based approach to third-party risk management can be adapted to a wide range of relationships and scaled for banking organizations of different sizes and complexity.
There were varying views among commenters on the level of detail included in the proposed guidance. While some commenters found the language to be too prescriptive, others noted that it had the right level of detail to enable banking organizations to use the guidance in a risk-based fashion. Other commenters specifically requested that the agencies establish minimum required "standards" or incorporate greater specificity on supervisory expectations. Commenters also offered differing perspectives on whether or how to incorporate the concepts from the OCC FAQs.[9]
In response to comments received, the agencies underscore that supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.[10] The guidance addresses key principles banking organizations can leverage when developing and implementing risk management processes tailored to the risk profile and complexity of their third-party relationships.
B. Terminology and Scope
Commenters offered views on the description of the terms "business arrangement," "third-party relationship," and "critical activities."
1. Description of the Terms "Business Arrangement" and "Third-Party Relationship"
Some commenters suggested that the term "business arrangement" is overly broad and inconsistent with the risk-based approach of the guidance. For example, some commenters believed that without narrowing the term, banking organizations may face an undue burden when implementing their risk management processes. Several commenters offered suggestions to narrow or modify the term "business arrangement." These suggestions included focusing on material relationships, scoping out low-risk activities, and limiting arrangements to only those that are continuous and/or governed by a written contract.
Similarly, some commenters suggested that the term "third-party relationship" was overly broad and may divert banking organizations from focusing sufficiently on those relationships that present higher risk. These commenters suggested applying a materiality standard (for example, those third parties supporting critical activities) or excluding certain categories of third-party relationships (for example, affiliates or bank-to-bank relationships).
A few commenters recommended incorporating some of the more detailed discussions from OCC FAQs 1 and 2 elaborating on and providing examples of "business arrangements" and "third-party relationships."
With respect to these comments, the agencies believe the scope of the term "business arrangement" in the proposed guidance captures the full range of third-party relationships that may pose risk to banking organizations, and the final guidance does not change that scope. These relationships have evolved, and may continue to evolve, over time to encompass a large range of activities, justifying the use of broad terminology. The agencies have incorporated concepts from OCC FAQs 1 and 2. Although the terms "business arrangement" and "third-party relationship" are broad, the guidance does not suggest that all relationships require the same level or type of oversight or risk management, since different relationships present varying levels of risk. The guidance states that, as part of sound risk management, a banking organization analyzes the risks associated with each third-party relationship and adjusts its risk management practices, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships. The agencies have removed from the final guidance the proposed text, which stated that the term "business arrangement" generally excludes customer relationships. Since some business relationships may incorporate elements or features of a customer relationship, the removal of the proposed text is intended to reduce ambiguity.
2. Description of the Term "Critical Activities"
Commenters expressed views on the term "critical activities," suggesting that the agencies provide banking organizations flexibility in determining which activities are higher risk and critical in nature or requested clarification on or limitation of the scope and application of the term. Some commenters requested the agencies provide further examples of critical activities or clarify whether banking organizations could employ risk-tiering processes to identify critical activities.
Commenters provided other suggestions that they thought would improve the description of "critical activities," such as:
- Merging the concepts of "critical activities" and "significant bank functions;"
- Reconsidering whether certain factors articulated within the proposed guidance should be determinative of criticality;
- Clarifying whether a certain monetary threshold would determine whether an activity requires a "significant investment in resources to implement the third-party relationship and manage the risk;"[11]
- Incorporating the concept from OCC FAQ 8 that not every relationship involving critical activities is necessarily a critical third-party relationship; and
- Aligning the concept of criticality in the proposed guidance with similar concepts in existing, related guidance (for example, the definitions for "critical operations" and "core business line" used in the Interagency Paper on Sound Practices to Strengthen Operational Resilience[12] (Sound Practices Paper)) to facilitate banking organizations' adoption of comprehensive risk management strategies.
The agencies considered the range of comments on the term "critical activities" and have made certain revisions to improve clarity and emphasize flexibility. The revised term eliminates imprecise concepts like "significant investment" and "significant bank function," instead focusing on illustrative, risk-based characteristics, such as activities that could cause significant risk to the banking organization if the third party fails to meet expectations or that have significant impacts on customers or the banking organization's financial condition or operation. The agencies have incorporated concepts from OCC FAQs 7, 8, and 9, recognizing that an activity that is critical for one banking organization may not be critical for another. Some banking organizations may assign a criticality or risk level to each third-party relationship, while others may identify critical activities and those third parties associated with such activities. Regardless of a banking organization's approach, applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight is key for effective risk management.
In response to the comments requesting alignment with other issuances, the agencies note that this guidance is intended to provide examples of considerations that may be helpful to all banking organizations, regardless of size. It is important for each banking organization to assess risks presented by each of its third-party relationships and tailor its risk management processes accordingly. To the extent that specific laws and regulations may be applicable, for example, recovery or resolution planning to large banking organizations,[13] those banking organizations may desire to leverage definitions and approaches in those laws and regulations when developing and implementing third-party risk management, such as identifying third-party relationships that support higher-risk activities, including critical activities. Moreover, to the extent that other guidance may be relevant to certain banking organizations, such as the Sound Practices Paper, which is intended for the largest and most complex banking organizations,[14] such organizations may choose to reference relevant terms and concepts contained in those other issuances when implementing their third-party risk management processes.
C. Tailored Approach to Third-Party Risk Management
Commenters offered views on appropriately tailoring the risk management principles discussed in the guidance to meet the different needs of individual banking organizations, and particularly community banking organizations. For example, some commenters asserted that smaller, less complex banking organizations do not need to adopt the same risk management approaches adopted by larger, more complex banking organizations. As such, they asked that the guidance include language either to clarify the flexibility of the guidance with respect to the size of banking organizations or to the risk presented by certain third-party relationships. Some commenters suggested that the guidance make allowances for banking organizations to explicitly accept the risk of the relationship, in lieu of establishing full due diligence practices, based on the banking organization's risk profile and individual circumstances of the relationship.
Commenters also suggested that the agencies could provide examples of appropriate practices specific to smaller banking organizations or of the specific risks that certain categories of third parties or critical activities may pose to smaller banking organizations. Several commenters requested some form of acknowledgment that smaller banking organizations may lack the necessary resources to thoroughly vet third parties, and thus should be afforded some form of "safe harbor" relating to third-party risk management to allow them to compete in the digital era.
In addition, commenters suggested incorporating concepts from OCC FAQs 5, 6, and 7 to help reinforce flexibility for community banking organizations (acknowledging, for example, that banking organizations may have limited negotiating power, that there is no one way for banks to structure their third-party risk management processes, and that not all relationships warrant the same level of oversight or risk management).
In response to these comments, the agencies reiterate that the guidance is relevant to all banking organizations. The agencies have incorporated concepts from OCC FAQ 9, clarifying language in the guidance about tailoring third-party risk management processes based on risk. The guidance notes that not all third-party relationships present the same level or type of risk and therefore not all relationships require the same extent of oversight or risk management. It also states that as part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships.
Banking organizations have flexibility in their approach to assessing the risk posed by each third-party relationship and deciding the relevance of the considerations discussed in the guidance. To reinforce this flexibility and provide clarity on third-party risk management implementation, especially for community banking organizations, the agencies have streamlined and simplified certain sections of the guidance. The agencies have also incorporated into the final guidance concepts from OCC FAQs 5, 6, and 7 discussed above.
D. Specific Types of Third-Party Relationships
Commenters pointed to types of third-party relationships that may pose heightened or novel risk management considerations. A number of commenters discussed a banking organization's use of third parties for technological advances and innovations, including relationships with fintech companies. Some commenters raised particular risks presented by data aggregators and suggested a range of approaches to address these risks. Suggestions included interagency coordination on a
Some commenters also noted that third-party risk management processes may be applied differently, based on the specific type of relationship. For example, several commenters stated that arrangements with affiliates may present different or lower risks than those with unaffiliated third parties, and suggested that, as a result, a banking organization's third-party risk management may differ for affiliates and non-affiliates. Certain commenters also suggested that third parties that are already supervised or regulated (including some foreign-regulated entities) present less risk to banking organizations such that a banking organization's risk management could be tailored accordingly (for example, through reduced due diligence).
Commenters also suggested the agencies enhance discussion in the proposed guidance on foreign-based third parties, including clearly explaining this term, describing typical risks and accompanying risk management strategies, and addressing the possibility of incompatible legal obligations between jurisdictions. In the final guidance, the agencies have included a footnote to address questions surrounding the term "foreign-based third party" and have retained applicable considerations for foreign-based third parties within relevant sections of the risk management life cycle.
With respect to comments about technological advances and innovation, the agencies recognize that some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements. Depending on the specific circumstances, including the activities performed, such relationships may introduce new or increase existing risks to a banking organization, such as those risks identified by some commenters. For example, in some third-party relationships, the respective roles and responsibilities of a banking organization and a third party may differ from those in other third-party relationships. Additionally, depending on how the business arrangement is structured, the banking organization and the third party each may have varying degrees of interaction with customers. Longstanding principles of third-party risk management set forth in this guidance are applicable to all third-party relationships, including those with fintech companies. Therefore, it is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly. The agencies did not incorporate concepts from OCC FAQ 4, opting to provide broad risk management guidance.
The agencies considered other comments in relation to specific types of third-party relationships but decided not to exclude any specific third-party relationships from the scope of the guidance; rather, the guidance is relevant to managing all third-party relationships. Because third-party relationships present varying levels and types of risk, the guidance notes that not all relationships require the same level or type of oversight or risk management.
This principles-based guidance provides a flexible, risk-based approach to third-party risk management that can be adjusted to the unique circumstances of each third-party relationship. The agencies do not believe it would be appropriate to prescribe alternative approaches or to broadly assume lower levels of risk based solely on the type of a third party. For example, while a third-party relationship with an affiliate may have different characteristics and risks as compared to those with non-affiliated third parties, affiliate relationships may not always present lower risks. The same is true for third parties that are subject to some form of regulation.
The agencies also incorporated concepts from OCC FAQs 7 and 9, reiterating that as part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management practices, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships.
E. Risk Management Life Cycle
Commenters made a wide range of suggestions in the risk management life cycle section of the proposed guidance. Commenters expressed mixed views on the level of detail provided with respect to the various aspects of the risk management life cycle as well as the meaning of certain concepts. Some commenters raised concerns that the level of detail made the guidance overly burdensome on smaller banks. Other commenters recommended that the agencies expand the discussion to include additional stages within the risk management life cycle; a risk management matrix; or practical, illustrative examples throughout all stages of the life cycle.
In response to these comments, the agencies have clarified and streamlined the guidance and removed details that were duplicative, not useful, or that could be interpreted as prescriptive. The agencies also reiterate that the guidance is principles-based. Examples of considerations are merely illustrative, not requirements, and may not be applicable or material to each banking organization or each third-party relationship. The examples are not intended to be interpreted as exhaustive or to be used as a checklist. The agencies support a risk-based approach for banking organizations to assess the risk posed by a third-party relationship and tailor their third-party risk management processes accordingly.
In addition to these general comments, commenters provided thoughts on specific stages of the risk management life cycle, which are addressed below:
1. Due Diligence and Collaborative Arrangements
The due diligence and third-party selection stage of the risk management life cycle drew particular attention from commenters. Some raised concerns with the feasibility of banking organizations performing the full range of due diligence outlined in the proposal, noting that third parties or their related subcontractors may be unable or unwilling to disclose certain information. These commenters stated that the extent of due diligence described may be beyond certain banking organizations' expertise or not be fully applicable for most relationships. Other commenters suggested that banking organizations could engage in less stringent due diligence for certain types of third parties. Suggestions to address these concerns included revising the guidance to scale due diligence to the risk posed by the third party, limiting the burden of certain due diligence practices, and acknowledging shortcomings in accessing certain information.
Other commenters focused on steps to reduce the burdens of due diligence, by facilitating collaboration among banking organizations and reliance on certifications. For example, many commenters expressed support for proposed language on shared due diligence or collaboration between banking organizations.
In some cases, commenters noted challenges with shared due diligence or collaboration among banking organizations, such as antitrust or privacy considerations and the ability to meet due diligence needs in a shared framework. Some commenters recommended solutions, such as joint data collections and assessments across banking organizations and third parties. Other commenters asked the agencies to incorporate and expand upon the discussions in OCC FAQs 14 and 24 that banking organizations may rely on industry-accepted certifications and/or other reports.
Commenters also suggested that the guidance address due diligence options when banking organizations have difficulty gaining access to information necessary to perform due diligence and audits. Several commenters recommended that the guidance be tailored for or scope out certain third parties that may be resistant to due diligence efforts. Banking organizations may not be able to seek out alternatives to these third parties, especially where the industry is particularly concentrated. Another commenter noted that the use of on-site audits or visits has declined over time and could be inefficient and costly, especially for third parties with operations in several physical locations (such as cloud computing service providers).
With respect to commenters focused on specific third-party relationships, the agencies reiterate that relationships present varying levels of risk and not all relationships require the same level or type of oversight or risk management. However, the agencies do not believe it would be appropriate for banking organizations to conduct reduced due diligence based solely on a third party's entity type.
With respect to commenters focused on steps to limit the burdens of due diligence, including collaboration with other banking organizations and engaging with third parties that specialize in conducting due diligence, the agencies note that such collaborative efforts could be beneficial and reduce burden, especially for community banking organizations, and have made certain clarifying revisions to the guidance in that regard. However, use of any collaborative efforts does not abrogate the responsibility of banking organizations to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations (including antitrust laws). It is important for the banking organization to evaluate the conclusions from such collaborative efforts based on the banking organization's own specific circumstances and performance criteria for the activity. A banking organization engaging an external party to supplement risk management, including due diligence, constitutes establishing a business arrangement; such a relationship would typically be covered by the banking organization's third-party risk management processes. The agencies have incorporated into the final guidance concepts from OCC FAQs 12, 13, and 25.
With respect to those commenters focused on circumstances in which banking organizations may have difficulty gaining access to information, the agencies acknowledge challenges in some circumstances. Consistent with the concepts from OCC FAQs 1, 5, and 17, the guidance provides that in such circumstances, banking organizations should consider taking steps to mitigate the risks or, if the risks cannot be mitigated, to determine whether the residual risks are acceptable. The guidance also states that when assessing the risk of a third-party relationship, banking organizations may consider information available from various sources. For example, the agencies incorporated concepts from OCC FAQs 14 and 24, recognizing that banking organizations may consider public regulatory disclosures when considering the risks presented by the specific third party. If the banking organization has concerns that the relationship falls outside of its risk appetite, it should consider making alternative choices.
As the guidance emphasizes, it is the responsibility of the banking organization to identify and evaluate the risks associated with each third-party relationship and to tailor its risk management practices, commensurate with the banking organization's size, complexity, and risk profile, as well as with the nature of its third-party relationships. As such, the agencies have not excluded any specific third-party relationships from the scope of the guidance.
2. Contract Negotiation
Commenters identified a range of suggestions on how the guidance approaches contract negotiations. Several commenters expressed concern that the section was overly detailed, that many contracts may not contain all of the contractual considerations discussed in the proposed guidance, and that such considerations might be treated as a mandatory checklist. Other commenters found the nature and extent of contractual language in the proposed guidance helpful in practice for informing a banking organization's contract negotiations.
Several commenters stated that the guidance should acknowledge the need for greater flexibility in certain contract negotiations. For example, some commenters requested that the guidance recognize that banking organizations may lack sufficient leverage in negotiations with larger third parties and may struggle to get certain "typical" provisions into the contract.
Further, several commenters recommended that the agencies provide additional support to smaller institutions to increase their collective negotiating power with respect to third parties, such as by creating a tool or supporting a collective group to facilitate negotiations. Some commenters proposed that the guidance include language from several of the OCC FAQs to clarify additional considerations regarding limited negotiating power and use of collaborative efforts when negotiating contracts.
In response to these comments, the agencies have incorporated concepts from OCC FAQs 5 and 13, acknowledging that a banking organization may have limited negotiating power in certain instances and should understand any resulting limitations. As the guidance states, many of the same considerations for collaborative arrangements apply throughout the risk management life cycle.
The agencies have streamlined some of the considerations in this section but believe that the overall scope of the discussion would be useful to banking organizations in understanding and preparing for contract negotiations.
3. Ongoing Monitoring
Several commenters recommended that the agencies revise the proposed guidance to encourage banks to adopt active, continuous, real-time monitoring, arguing that this approach is preferable to engaging in periodic assessments. Others requested the guidance provide additional information on alternative monitoring arrangements (such as certifications), collaborative monitoring arrangements, and reliance on external parties to supplement ongoing monitoring.
The agencies are not encouraging any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization's ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships. Additionally, the guidance states that banking organizations may consider collaborative arrangements or the use of external parties to supplement ongoing monitoring.
F. Subcontractors
Commenters expressed a variety of views on banking organizations' relationships with subcontractors. These comments largely focused on whether the guidance could be clarified to promote additional flexibility in how banking organizations manage the risks associated with subcontractors, which pose challenges not necessarily present in a direct third-party relationship.
Various commenters emphasized the importance of managing risks posed by subcontractors, especially those that are material to a service being provided to a banking organization; those with access to sensitive, nonpublic information; those that perform higher-risk activities, including critical activities; those with access to the banking organization's infrastructure; and those within extended chains of subcontractors. However, many of these commenters expressed concern regarding the potential challenges in overseeing and conducting effective due diligence on subcontractors, such as a banking organization's lack of a relationship with (contractually or otherwise), and leverage over, subcontractors. These commenters suggested either narrowing the guidance's discussion on subcontractors (for example, excluding relationships beyond third parties) or refocusing a banking organization's oversight to a third party's ability to manage its subcontractors. Commenters also suggested that, in line with OCC FAQ 11, a banking organization could require a third party to bind its subcontractors to any obligations and standards of the third party.
With respect to these comments, the agencies acknowledge the risks and added complexity that may be involved with respect to a third party's use of subcontractors. The agencies also recognize concerns by commenters interpreting the guidance to mean banking organizations are expected to assess or oversee all subcontractors of a third party. Accordingly, consistent with the concepts in OCC FAQ 11, the agencies have revised the guidance, focusing on a banking organization's approach to evaluating its third party's own processes for overseeing subcontractors and managing risks. As the guidance clarifies, relationships with a third party, including a third party's use of subcontractors, should be evaluated based on the risk the relationship poses to the banking organization, which may include assessing whether a third party's use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate. The agencies have also made streamlining changes to improve clarity and promote flexibility, including by removing use of the term "critical subcontractor."
G. Oversight and Accountability
Commenters provided suggestions as to the proper role of a banking organization's board of directors and management with respect to effective third-party risk management. Some commenters, for example, stated that the proposed guidance implied excessive board involvement in day-to-day management activity. Others suggested that the guidance could further clarify the role of the board of directors in risk management activities, specifically those aspects of third-party risk management that could appropriately be executed and overseen by senior management. Some commenters similarly suggested the guidance clarify the authority of management to establish policies governing third-party relationships. A few commenters requested the guidance provide granularity on the types, depth, and frequency of information necessary for board review, including for ongoing monitoring. Additionally, several commenters suggested incorporating into the guidance and elaborating upon OCC FAQs 6 and 26, which discuss the board's responsibility for overseeing the development of an effective third-party risk management process, and its role in contract approval. Some commenters also requested "Oversight and Accountability" and its related subsections in the proposed guidance be better differentiated from the phases of the risk management life cycle, as the concepts and related activities occur throughout the risk management life cycle.
The agencies have incorporated concepts from OCC FAQs 6 and 26, reorganizing the guidance to make clear that oversight and accountability happens throughout the risk management life cycle and is not a specific stage. Further, the agencies have made changes to clarify and distinguish the board's responsibilities from management's responsibilities and to avoid the appearance of a prescriptive approach to the board's role in the risk management life cycle, while still emphasizing that the board has ultimate oversight responsibility to ensure that the banking organization operates in a safe and sound manner and in compliance with applicable laws and regulations.
H. Other Matters Raised
Commenters also offered other thoughts and suggestions relating to the guidance. Commenters noted that it would be helpful to have a period prior to the guidance taking effect to permit banking organizations to adapt processes accordingly. Several commenters also recommended that the agencies leverage, refer to, or combine recent, relevant regulations and policy issuances (such as the "Computer-Security Incident Notification rule,"[16] "Third-Party Due Diligence Guide for
Several commenters shared considerations regarding, and requested insight into, the agencies' examinations of banking organizations' third-party risk management processes. Some commenters suggested that any final guidance include a separate section outlining specific examination procedures to set clear and consistent expectations regarding the examination process.
Commenters provided thoughts on incorporating any or all of the OCC's FAQs. Several commenters suggested including relevant FAQs as an appendix or separate section rather than incorporating them throughout any final guidance, complementing principle-based guidance with more issue-specific FAQs to provide practical context. Others thought that the existence of a separate set of FAQs would create unnecessary confusion for examiners and the industry. In response, the agencies have not incorporated issue-specific FAQs where it was determined the matters are adequately reflected in other issuances published since the OCC FAQs were last updated.
Several commenters requested greater coordination among federal, state, and foreign regulators with respect to this guidance. Specifically, a few commenters suggested that other federal government agencies, such as the
Some commenters suggested that the agencies develop additional guidance and educational resources on a wide array of separate topics that a banking organization's third-party risk management processes could touch upon, such as consumer protection issues, artificial intelligence, alternative data uses, and other novel developments, citing the agencies' crypto-asset "policy sprints" as an example. For example, as to consumer protection issues, some commenters expressed concern with certain third-party relationships, such as so-called "rent-a-charter" arrangements that they believe are improperly used by non-bank third parties to preempt state usury laws. Multiple commenters requested that the agencies update the guidance to warn or discourage banking organizations about certain risks, such as high-interest loans or conflicts with state laws. Several commenters also suggested that the agencies use their existing authorities (such as under the Bank Service Company Act[20] ) to address the risks of what those commenters perceived as "systemically important" third-party service providers, or to otherwise assist banking organizations' third-party risk management efforts. Other commenters suggested the agencies and the
In response to these comments, given the broad, principles-based approach of this guidance, the agencies have not revised the guidance to address specific topics or types of relationships. Separate guidance on certain topics or relationships already exists; these types of specific guidance issuances, unless expressly rescinded, would remain unaffected by this guidance. While certain topics (including those raised by commenters) are not explicitly discussed in the final guidance, the broad-based scope of the guidance captures the full range of third-party relationships. With respect to requests that would require statutory or regulatory changes, or may be outside the authority of the agencies, such requests cannot be addressed by this guidance.
The agencies actively monitor trends and developments in the financial services industry and will consider issuing additional guidance or educational resources as necessary and appropriate to convey the agencies' views. The agencies plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks. The agencies will continue to coordinate closely about risk management matters, including third-party risk management, to help promote consistency across banking organizations and across the agencies.
Regarding questions about each agency's approach to examining third-party risk management, each agency has its own processes and procedures for conducting supervisory activities, including examination work. The final guidance includes a brief discussion of the agencies' supervisory reviews, the scope of which is tailored to evaluate the risks inherent in a banking organization's third-party relationships and the effectiveness of a banking organization's third-party risk management processes.
III. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521) (PRA) states that no agency may conduct or sponsor, nor is the respondent required to respond to, an information collection unless it displays a currently valid
The guidance does not revise any existing, or create any new, information collections pursuant to the PRA. Rather, any reporting, recordkeeping, or disclosure activities mentioned in the guidance are usual and customary and should occur in the normal course of business as defined in the PRA.[21] Consequently, no submissions will be made to the OMB for review.
* * *
(Continues with Part 2 of 3)
The document was published in the