FRB, FDIC and OCC propose risk management guidance on third-party relationships

The Federal Reserve Board ("FRB"), the FDIC and OCC (collectively, the "Agencies") proposed risk management guidance for the third-party relationships of banking organizations.

The proposal is based on the OCC's existing third-party risk management guidance. The proposal is intended to promote consistency across the banking agencies. If finalized, it will replace the guidance that each agency released independently.

The proposed guidance would:

  • provide banking organizations with a suggested framework for the development of third-party relationship risk management practices, accounting for (i) the organization's level of risk, complexity and size and (ii) the type of third-party relationship;

  • highlight the requirement of comprehensive oversight of third-party relationships that support critical activities;

  • emphasize that the use of a third party does not eliminate a banking organization's responsibility to conduct an activity in "a safe and sound manner," compliant with relevant laws and regulations; and

  • suggest that banking organizations put in place third-party risk management processes that are proportionate to (i) the third-party relationship's identified level of risk and complexity and (ii) the organizational structure of the banking organization.

The proposed guidance identified the following applicable principles for each stage in the life cycle of a third-party relationship:

  • creating a plan that (i) describes the banking organization's strategy, (ii) pinpoints the inherent risks of engaging with the third party and (iii) explains how the banking organization will select, evaluate and supervise the third party;

  • conducting adequate due diligence in choosing a third party;

  • negotiating written contracts that explain in detail the rights and duties of all parties;

  • having the board of directors and management (i) supervise the organization's risk management procedures, (ii) maintain records and reporting for oversight accountability and (iii) conduct independent reviews;

  • monitoring the third party's activities and performance on an ongoing basis; and

  • developing contingency plans for discontinuing the relationship.

Comments on the proposed guidance must be received within 60 days of its publication in the Federal Register.

Get unlimited access to all Global Banking Regulation Review content