It is no secret that the Federal Reserve, the FDIC, and the OCC have zeroed in on banks' use of third parties for products, services, and other operations, the risks those arrangements may pose, and banks' responsibility to properly manage those risks. Supervisory scrutiny and public enforcement actions since the 2023 spring bank failures, as well as the release of the final interagency guidance on third-party risk management (Original Guidance), all clearly demonstrate that trend (see our coverage here). We estimate that approximately one in four recent public enforcement actions against banks have expressly noted deficiencies in how the target institution managed third-party service provider risks.
The agencies recently released a new guide directed to community banks (New Guide) as a companion to—and not a replacement for—the Original Guidance. The New Guide provides helpful and clear explanations, potential considerations and information sources, and hypothetical examples that illustrate the now-familiar five-stage life cycle explained in the Original Guidance. The New Guide also references potential considerations and resources for related governance practices. It is a useful tool for community banks and larger banks, likely reflecting the agencies' supervisory observations over the last year.
Key Takeaways
- Not a replacement. The New Guide does not change the Original Guidance or its five-stage life-cycle framework of planning, due diligence, contract negotiation, ongoing monitoring, and termination.
- More examples. Banks are still ultimately responsible for managing their third-party service provider relationships, activities, and associated risks. Banks must ultimately ensure that all of their operations, in-house or outsourced, are conducted in a safe and sound manner and in compliance with applicable legal and regulatory requirements, including consumer protection and financial crimes laws and regulations, just as if the bank were performing the activities itself.
- Governance. The governance practices included in the New Guide underscore that the agencies (presumably all of them, notwithstanding the FDIC's proposed guidelines) look to the bank's board of directors as ultimately responsible for providing oversight for third-party risk management and holding management accountable for its role. On the other hand, management is responsible for developing and implementing third-party risk management policies, procedures, and practices, commensurate with the bank's risk appetite and the level of risk and complexity of its third-party relationships. Internal controls, independent reviews, and documentation are key components too. We note that how a bank approaches its governance expectations is likely to inform its management rating, among other applicable ratings.
- Not just for community banks. We encourage banks of any size to review the New Guide and review the practical considerations, examples, and potential sources of information identified and other aspects of the New Guide to see how their own approaches compare.
- Not just for banks. We also encourage non-bank service providers and other entities that work with banks to review the New Guide to see how their practices and contracts may be affected by bank or supervisory scrutiny under the Original Guidance and as clarified by the New Guide and how they might better position themselves to work with banks in an atmosphere of increasingly heightened supervisory and enforcement activity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.