Privacy & Information Security Law Blog

On June 6, 2023, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of the Comptroller of the Currency (“OCC”) issued their final Interagency Guidance on Third-Party Relationships (“Guidance”). The Guidance provides principles that banking organizations should consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

The new Guidance replaces each agency’s existing guidance regarding risk management practices for third-party relationships, including the FRB’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and 2020 frequently asked questions. The Guidance is not legally binding and does not impose any new requirements on banking organizations, but outlines principles banking organizations can leverage when developing and implementing risk management processes adapted to the risks and complexity of their third-party relationships. In publishing the Guidance, the agencies emphasized that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”

The Guidance addresses business arrangements between a banking organization and another legal entity. Notably, the Guidance provides that a third-party relationship may exist despite the absence of a contract or remuneration. Examples of third-party relationships include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, joint ventures and services provided by affiliates and subsidiaries.

Under the Guidance, a banking organization should analyze the risks associated with each third-party relationship and tailor risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. Where third-party relationships support higher-risk activities, including “critical activities,” banking organizations should implement more comprehensive and rigorous oversight and management. An activity may be considered “critical” if it could (1) cause a banking organization to face significant risk if the third party fails to meet expectations; (2) have significant customer impacts; or (3) have a significant impact on a banking organization’s financial condition or operations.

The Guidance provides that effective management of third-party relationships follows a continuous, five-stage life cycle that includes: (1) planning, (2) due diligence and third-party selection, (3) contract negotiation, (4) ongoing monitoring and (5) termination. The planning stage allows a banking organization to evaluate the risk profile of a third-party relationship and consider risk management before entering into the relationship. Certain third-party relationships may require a greater degree of planning and consideration. For example, where a third-party relationship involves critical activities, a banking organization may present plans to and seek the approval of the organization’s board of directors.

The second stage, due diligence, includes assessing a third party’s ability to: (1) perform the activity as expected, (2) adhere to a banking organization’s policies related to the activity, (3) comply with all applicable laws and regulations, and (4) conduct the activity in a safe and sound manner. The Guidance provides that the scope and degree of the due diligence should be commensurate with the level of risk and complexity of the third-party relationship. As part of due diligence, a banking organization typically considers factors, including but not limited to the following with respect to the third party: (1) strategies and goals; (2) legal and regulatory compliance; (3) financial condition; (4) business experience; (5) qualifications and backgrounds of key personnel and other HR considerations; (6) risk management; (7) information security; (8) management of information systems; (9) operational resilience; (10) incident reporting and management processes; (11) physical security; (12) reliance on subcontractors; (13) insurance coverage; and (14) contractual arrangements with other parties.

If a banking organization determines that a contract is needed with a third party, the organization begins contract negotiation, the third stage of the lifecycle. During this stage, a banking organization typically negotiates contract provisions to facilitate risk management and oversight and specify the expectations and obligations of both parties, tailoring the provisions to the risk and complexity of the third-party relationship. The Guidance states that a banking organization’s board of directors should be aware of and, as appropriate, approve of contracts involving higher-risk activities. During contract negotiations, a banking organization may consider factors such as (1) the nature and scope of arrangement; (2) performance measures or benchmarks; (3) responsibilities for providing, receiving and retaining information; (4) the right to audit and require remediation; (5) responsibility for compliance with applicable laws and regulations; (6) costs and compensation; (7) ownership and license; (8) confidentiality and integrity; (9) operational resilience and business continuity; (10) indemnification and limits on liability; (11) insurance; (12) dispute resolution; (13) customer complaints; (14) subcontracting; (15) foreign-based third parties; (16) default and termination; and (17) regulatory supervision.

Through ongoing monitoring, the fourth stage of the life cycle, a banking organization can: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified. Monitoring activities typically include: (1) review of reports regarding the third party’s performance and the effectiveness of its controls; (2) periodic visits and meetings with third-party representatives to discuss performance and operational issues; and (3) regular testing of the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities.

When a banking organization enters the last stage of the life cycle, termination, it must terminate third-party relationships in an efficient manner, including where activities are transitioned to another third party, managed internally or suspended.

The Guidance indicates that, in structuring a third-party risk management process, banking organizations typically consider oversight and accountability, independent reviews and documentation and reporting. The banking organization’s board of directors should provide oversight and accountability. In particular, the board should oversee third-party risk management, provide clear guidance regarding acceptable risk tolerance, approve relevant policies and ensure the establishment of appropriate procedures and practices. The third-party risk management processes also should include periodic independent reviews to evaluate the adequacy of the processes, as well as proper documentation of and reporting on the processes and individual third-party relationships.