Office of the Comptroller of the Currency, FDIC, Fed: Interagency Guidance on Third-Party Relationships – Risk Management (Part 3 of 3)
Here are excerpts:
(Continued from Part 2 of 3)
* * *
D. Governance
There are a variety of ways for banking organizations to structure their third-party risk management processes. Some banking organizations disperse accountability for their third-party risk management processes among their business lines.[17] Other banking organizations may centralize the processes under their compliance, information security, procurement, or risk management functions. Regardless of how a banking organization structures its process, the following practices are typically considered throughout the third-party risk management life cycle,[18] commensurate with risk and complexity.
1. Oversight and Accountability
Proper oversight and accountability are important aspects of third-party risk management because they help enable a banking organization to minimize adverse financial, operational, or other consequences. A banking organization's board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The board also provides clear guidance regarding acceptable risk appetite, approves appropriate policies, and ensures that appropriate procedures and practices have been established. A banking organization's management is responsible for developing and implementing third-party risk management policies, procedures, and practices, commensurate with the banking organization's risk appetite and the level of risk and complexity of its third-party relationships.
In carrying out its responsibilities, the board of directors (or a designated board committee) typically considers the following factors, among others:
- Whether third-party relationships are managed in a manner consistent with the banking organization's strategic goals and risk appetite and in compliance with applicable laws and regulations;
- Whether there is appropriate periodic reporting on the banking organization's third-party relationships, such as the results of management's planning, due diligence, contract negotiation, and ongoing monitoring activities; and
- Whether management has taken appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified, including through ongoing monitoring and independent reviews.
When carrying out its responsibilities, management typically performs the following activities, among others:
- Integrating third-party risk management with the banking organization's overall risk management processes;
- Directing planning, due diligence, and ongoing monitoring activities;
- Reporting periodically to the board (or designated committee), as appropriate, on third-party risk management activities;
- Providing that contracts with third parties are appropriately reviewed, approved, and executed;
- Establishing appropriate organizational structures and staffing (level and expertise) to support the banking organization's third-party risk management processes;
- Implementing and maintaining an appropriate system of internal controls to manage risks associated with third-party relationships;
- Assessing whether the banking organization's compliance management system is appropriate to the nature, size, complexity, and scope of its third-party relationships;
- Determining whether the banking organization has appropriate access to data and information from its third parties;
- Escalating significant issues to the board and monitoring any resulting remediation, including actions taken by the third party; and
- Terminating business arrangements with third parties when they do not meet expectations or no longer align with the banking organization's strategic goals, objectives, or risk appetite.
2. Independent Reviews
It is important for a banking organization to conduct periodic independent reviews to assess the adequacy of its third-party risk management processes. Such reviews typically consider the following factors, among others:
- Whether the third-party relationships align with the banking organization's business strategy, and with internal policies, procedures, and standards;
- Whether risks of third-party relationships are identified, measured, monitored, and controlled;
- Whether the banking organization's processes and controls are designed and operating adequately;
- Whether appropriate staffing and expertise are engaged to perform risk management activities throughout the third-party risk management life cycle, including involving multiple disciplines across the banking organization, as appropriate; and
- Whether conflicts of interest or appearances of conflicts of interest are avoided or eliminated when selecting or overseeing third parties.
A banking organization may use the results of independent reviews to determine whether and how to adjust its third-party risk management process, including its policies, reporting, resources, expertise, and controls. It is important that management respond promptly and thoroughly to issues or concerns identified and escalate them to the board, as appropriate.
3. Documentation and Reporting
It is important that a banking organization properly document and report on its third-party risk management process and specific third-party relationships throughout their life cycle. Documentation and reporting, key elements that assist those within or outside the banking organization who conduct control activities, will vary among banking organizations depending on the risk and complexity of their third-party relationships. Examples of processes that support effective documentation and internal reporting that the agencies have observed include, but are not limited to:
- A current inventory of all third-party relationships (and, as appropriate to the risk presented, related subcontractors) that clearly identifies those relationships associated with higher-risk activities, including critical activities;
- Planning and risk assessments related to the use of third parties;
- Due diligence results and recommendations;
- Executed contracts;
- Remediation plans and related reports addressing the quality and sustainability of the third party's controls;
- Risk and performance reports required and received from the third party as part of ongoing monitoring;
- If applicable, reports related to customer complaint and inquiry monitoring, and any subsequent remediation reports;
- Reports from third parties of service disruptions, security breaches, or other events that pose, or may pose, a material risk to the banking organization;
- Results of independent reviews; and
- Periodic reporting to the board (including, as applicable, dependency on a single provider for multiple activities).
E. Supervisory Reviews of Third-Party Relationships
The concepts discussed in this guidance are relevant for all third-party relationships and are provided to banking organizations to assist in the tailoring and implementation of risk management practices commensurate to each banking organization's size, complexity, risk profile, and the nature of its third-party relationships. Each agency will review its supervised banking organizations' risk management of third-party relationships as part of its standard supervisory processes. Supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
In their evaluations of a banking organization's third-party risk management, examiners consider that banking organizations engage in a diverse set of third-party relationships, that not all third-party relationships present the same risks, and that banking organizations accordingly tailor their practices to the risks presented. Thus, the scope of the supervisory review depends on the degree of risk and the complexity associated with the banking organization's activities and third-party relationships. When reviewing third-party risk management processes, examiners typically conduct the following activities, among others:
- Assess the ability of the banking organization's management to oversee and manage the banking organization's third-party relationships;
- Assess the impact of third-party relationships on the banking organization's risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations;
- Perform transaction testing or review results of testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations;
- Highlight and discuss any material risks and deficiencies in the banking organization's risk management process with senior management and the board of directors as appropriate;
- Review the banking organization's plans for appropriate and sustainable remediation of any deficiencies, particularly those associated with the oversight of third parties that involve critical activities; and
- Consider supervisory findings when assigning the components of the applicable rating system and highlight any material risks and deficiencies in the Report of Examination.
When circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organization's behalf. Such examinations may evaluate the third party's ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. The agencies may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the banking organization or its third party.
Acting Comptroller of the Currency.
By order of the
Secretary of the Board.
Dated at
Assistant Executive Secretary.
Footnotes
1. For a description of the banking organizations supervised by each agency, refer to the definition of "appropriate Federal banking agency" in section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)). This guidance is relevant to all banking organizations supervised by the agencies.
2. SR Letter 13-19/CA Letter 13-21, "Guidance on Managing Outsourcing Risk" (
3. FIL-44-2008, "Guidance for Managing Third-Party Risk" (
4. OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," and OCC Bulletin 2020-10, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29." Additionally, the OCC also issued foreign-based third-party guidance, OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance," which is not being rescinded but instead supplements the final guidance.
5. These include the "Interagency Guidelines Establishing Standards for Safety and Soundness," and the "Interagency Guidelines Establishing Information Security Standards," which were adopted pursuant to the procedures of section 39 of the Federal Deposit Insurance Act and section 505 of the Gramm-Leach-Bliley Act, respectively. See 12 CFR part 30, appendices A and B (OCC); part 208, appendices D-1 and D-2 (Board); and part 364, appendices A and B (FDIC).
6. "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," 86 FR 38182 (
7. "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," 86 FR 50789 (
8. Comments can be accessed at: https://www.regulations.gov/document/OCC-2021-0011-0001/comment (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=OP-1752&doc_ver=1 (Board); and https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-proposed-interagency-guidance-third-party-rel-rm-3064-za26.html (FDIC).
9. The agencies included the OCC's 2020 FAQs as an exhibit when issuing the proposed guidance and sought comment on whether any of the concepts in the OCC FAQs should be incorporated into the interagency guidance. See 86 FR 38196.
10. See 12 CFR part 4, appendix A to subpart F (OCC); 12 CFR part 262, appendix A (Board); and 12 CFR part 302, appendix A (FDIC).
11. "Proposed Interagency Guidance on Third-Party Relationships: Risk Management", 86 FR 38182, at 38187 (
12. "Interagency Paper on Sound Practices to Strengthen Operational Resilience," Federal Reserve SR 20-24 (
13. See 12 CFR part 243 (Regulation QQ); 12 CFR part 30, appendix E.
14. The practices are addressed to domestic banks with more than
15. See 12 U.S.C. 5533. As required by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the agencies are participating in consultations with the
16. 12 CFR part 53 (OCC); 12 CFR 225, subpart N (Board); 12 CFR 304, subpart C (FDIC).
17. "Conducting Due Diligence on Financial Technology Companies A Guide for
18. "Comptroller's Handbook: Model Risk Management," OCC (
19. FDIC FIL-50-2016, "Examination Guidance for Third-Party Lending" (
20. 12 U.S.C. 1861 et seq.
21. 5 CFR 1320.3(b)(2).
1. For a description of the banking organizations supervised by each agency, refer to the definition of "appropriate Federal banking agency" in section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)). This guidance is relevant to all banking organizations supervised by the agencies.
2. Supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations. See 12 CFR 4, subpart F, appendix A (OCC); 12 CFR 262, appendix A (FRB); and 12 CFR 302, appendix A (FDIC).
3. See 12 U.S.C. 1831p-1. The agencies implemented section 1831p-1 by regulation through the "Interagency Guidelines Establishing Standards for Safety and Soundness." See 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix D-1 (Board); and 12 CFR part 364, appendix A (FDIC).
4. References to applicable laws and regulations throughout this guidance include but are not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.
5. This guidance is relevant for all third-party relationships, including situations in which a supervised banking organization provides services to another supervised banking organization.
6. The term "business arrangement" is meant to be interpreted broadly and is synonymous with the term "third-party relationship."
7. When a banking organization uses a third-party assessment service or utility, it has a business arrangement with that entity. Therefore, the arrangement should be incorporated into the banking organization's third-party risk management processes.
8. The term "foreign-based third-party" refers to third parties whose servicing operations are located in a foreign country and subject to the law and jurisdiction of that country. Accordingly, this term does not include a
9. Dual employees are employed by both the banking organization and the third party.
10. Any collaborative activities among banks must comply with antitrust laws. Refer to the
11. For example, those of the
12. Disruptive events could include technology-based failures, human error, cyber incidents, pandemic outbreaks, and natural disasters.
13. For example, regulatory requirements regarding incident notification include the FBAs' "Computer Security Incident Notification Rule." See 12 CFR 53 (OCC); 12 CFR 225, subpart N (Board); 12 CFR 304, subpart C (FDIC).
14. Third parties may enlist the help of suppliers, service providers, or other organizations, which this guidance collectively refers to as subcontractors.
15. See 12 U.S.C. 1464(d)(7)(D) and 1867(c)(1).
16. Refer to important considerations discussed in "Due Diligence and Third-Party Selection" of this guidance when a banking organization chooses to engage external resources to supplement its third-party risk management.
17. Each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence information, and evaluating the controls over the third-party relationship.
18. Refer to Figure 1: Stages of the Risk Management Life Cycle.
[FR Doc. 2023-12340 Filed 6-8-23;
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P
* * *
The document was published in the