Federal banking regulators shine a light on third-party risk management again | Eversheds Sutherland (United States) LLP

Federal banking regulators have once again demonstrated their interest in banking supervision and third-party relationship risk management through a series of guidance documents and proposed guidance released in the third quarter of 2021. The Federal Reserve, FDIC and OCC published proposed interagency guidance on third-party relationship risk management in July[1] and a guide for community banks on conducting due diligence on financial technology companies in August. Then, in September, the Federal Reserve released a guide on community bank access to innovation through partnerships. These guidance documents, which we discuss separately below, share a common theme: partnering with third parties can have significant benefits for banks, including a faster and more efficient way to access new technologies, but regulators expect banks to manage third-party risk with policies, processes and programs.

  1. Proposed interagency guidance
The proposed interagency guidance released earlier this year is intended to replace and harmonize three pre-existing guidance documents: the Fed’s “Guidance on Managing Outsourcing Risk”, released in December 2013;[2] the FDIC’s “Guidance for Managing Third-Party Risk”, published in June 2008;[3] and the OCC’s “Third-Party Relationships: Risk Management Guidance”, published in October 2013[4] and supplemented by an FAQ in March 2020.[5] The stated purpose of the proposed guidance is to help banks identify and manage the risks inherent in third-party vendor, outsourcing and other business relationships and to comply with applicable laws and regulations.

The proposed interagency guidance is largely based on the 2013 OCC guidance and proposes to incorporate the OCC’s 2020 FAQ. In line with the 2013 OCC guidance, the proposed interagency guidance provides that a bank’s third-party risk management program should be commensurate with its size, complexity and risk profile, and that third-party relationships involving critical activities in particular should be subject to comprehensive and rigorous oversight by the bank. Consistent with the 2020 OCC FAQ, the proposed guidance describes critical activities as significant bank functions that could (i) expose the bank to significant risk if the third party fails to meet expectations, (ii) have significant customer impacts, (iii) require a significant investment of resources to implement and manage, or (iv) have a major impact on the bank’s operations if the bank cannot find an alternative third party or bring the activity in-house.

The proposed guidance would require banks to manage third-party risk at every stage of the relationship lifecycle, in particular:

  • Planning;
  • Due diligence and third-party selection;
  • Contract negotiation;
  • Ongoing monitoring of the relationship; and
  • Termination of the relationship (including transition of the activity in-house or to a new third-party service provider).

With respect to due diligence and contract negotiation, the proposed guidance carries forward much of the 2013 OCC guidance, including:

  • Advising banks to conduct due diligence on the third party’s strategies and objectives, financial condition, business experience, fee and compensation structure (including incentives for risky behavior), qualifications of the third party’s principals, risk management and controls, information security, information technology, operational resilience, incident management, use of subcontractors, insurance coverage and contractual arrangements with other parties that could create conflicts; and
  • Addressing, where applicable, the following in written contracts with third parties: the nature and scope of the relationship and services, service level agreements, responsibilities for providing information and reports regarding the relationship or services, audit rights and associated remediation, compliance with laws and regulations, compensation and fees, ownership and licensing of relevant data, technology and intellectual property, confidentiality, information security, data use rights, operational resilience and business continuity, indemnification, insurance requirements, dispute resolution, limitations of liability (and ensuring that they are commensurate with the level of risk), termination rights, handling of customer complaints and the use of subcontractors (including notice or consent rights).

Although the proposed interagency guidance is substantially similar to the three agencies’ existing guidance on third-party oversight, the issuance of final guidance is likely to prompt banks to reassess their third-party oversight and risk management programs, which may result in new and changed requirements in banks’ playbooks for negotiating agreements with fintechs and other vendors and outsourced service providers.

  2. Guides for community banks engaging with fintechs

The August guide on conducting due diligence on fintech companies and the September guide on accessing innovation through partnerships are aimed at community banks and are published as voluntary guides rather than as binding guidance. However, the guides share several themes with the proposed interagency guidance discussed above, and community banks would therefore be wise to pay attention to them despite their status as “voluntary guides”.

As the digitization of banking services becomes necessary to remain competitive, fintech partnerships have grown in importance for community banks, which may not have the IT department or technology budget to keep pace with the in-house innovation and development of larger national and multinational banks. Regulators recognize that fintech partnerships can provide access to expertise, improved products and services, increased efficiency, reduced costs and increased competitiveness for community banks that lack the technical staff or budget that their larger national and multinational counterparts can devote to innovation. But, consistent with the proposed interagency guidance, the guides caution community banks to properly oversee their third-party relationships.

The August guide, Conducting Due Diligence on Financial Technology Companies, focuses on the following six key due diligence topics:

  • Business experience and qualifications – assess the fintech’s business experience, overall operational and managerial capability, customer references, review of customer complaints and other past operational issues, ownership and license rights to critical intellectual property, use of subcontractors, and other customers;
  • Financial condition – review the fintech’s financial statements, reports and other financial data to assess its ability to remain in business. The guide also recommends understanding the fintech’s source of funding (for example, cash flow from operations, debt or equity injections), its competitive landscape, and whether it depends on one or a small number of major clients;
  • Legal and regulatory compliance – assess the fintech’s knowledge of, and compliance with, legal and regulatory requirements. Determine whether it holds the appropriate licenses, and conduct diligence on litigation, settlements, enforcement actions, fines and customer complaints;
  • Risk management and controls – evaluate the effectiveness of the fintech’s risk management policies, processes and controls to assess its ability to operate in a safe and sound manner;
  • Information security – evaluate the fintech’s information security program to assess the adequacy and integrity of its processes for handling and protecting sensitive data; and
  • Operational resilience – assess the fintech’s ability to continue or resume operations following a disaster or other disruptive event, including review of business continuity and disaster recovery plans, data center locations and the effectiveness of its responses to past disruptions.

The September guide on community bank access to innovation through partnerships is the product of the Fed’s conversations with more than 40 community banks, fintechs and other industry stakeholders. The guide summarizes (i) the different types of partnerships and the benefits and risks associated with each, and (ii) the key elements of successful partnerships of these types as observed by community banks and their fintech partners.

The guide discusses three types of third-party relationships:

  • Operational technology partnerships – the fintech provides a solution to improve the bank’s internal processes, monitoring capabilities or technical infrastructure.
  • Customer-oriented partnerships – the bank uses the fintech to improve a customer-facing product or activity, such as the bank’s mobile banking application, account opening tools or P2P payment tools. In this model, however, the customer still interacts with the bank.
  • Front-end fintech partnerships – here, the fintech interacts directly with the customer in providing banking products and services. This includes banking-as-a-service offerings.

Key elements of a successful fintech partnership identified in the guide include:

  • Top-down commitment to innovation within the bank.
  • Alignment of priorities and objectives between the fintech and the bank. Here, the guide notes that banks prefer to work with fintechs that understand what it means to be a fiduciary and are willing to partner with the bank on its compliance obligations in addition to the technology solution.
  • A thoughtful approach to connectivity, noting that banks prefer third-party solutions that (i) can integrate seamlessly with bank systems, and (ii) facilitate the flow of data between banking systems and business segments.


[1] Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182-38204 (July 19, 2021).
[2] Guidance on Managing Outsourcing Risk, SR Letter 13-19 / CA Letter 13-21 (December 5, 2013, updated February 26, 2021).
[3] Guidance for Managing Third-Party Risk, FIL-44-2008 (June 6, 2008).
[4] Third-Party Relationships: Risk Management Guidance, OCC Bulletin 2013-29 (October 30, 2013).
[5] Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29, OCC Bulletin 2020-10 (March 5, 2020).


Michael J. Birnbaum
