- Bank regulators issued long-awaited guidance Tuesday on how financial institutions should approach third-party relationships, such as tie-ups with fintech firms.
- The guidance, issued by the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., outlines best practices to “identify, assess, monitor, and control” relationships with third-party providers, and replaces each agency’s existing guidance on the topic.
- Aimed at helping banks address the operational, compliance and strategic risks that come with third-party tie-ups, regulators said the document rescinds and replaces the Fed’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and its 2020 frequently asked questions.
While regulators said the new text promotes consistency and clarity in their third-party risk management guidance, they emphasized that it does not impose any new requirements on banking organizations.
Regulators acknowledged that not all partnerships warrant the same level of oversight, noting “not all third-party relationships present the same risks.”
“[A]s part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships,” the guidance said.
Regulators said banks have flexibility in their approach to assessing the risk posed by each third-party relationship.
“To reinforce this flexibility and provide clarity on third-party risk management implementation, especially for community banking organizations, the agencies have streamlined and simplified certain sections of the guidance,” according to the document.
Tuesday’s joint guidance comes as the growth of banking-as-a-service and fintech partnerships in the banking sector have grabbed the attention of regulatory agencies in recent years.
OCC Acting Comptroller Michael Hsu called out the complex nature of bank-fintech partnerships in a speech last year, saying the ventures could put the financial system at risk of a crisis if not properly supervised.
The Treasury Department in November said more oversight of the fintech sector and bank-fintech partnerships is needed to protect consumers and enable sustainable competition in the financial services industry.
Regulators described the new guidance as “principles-based,” which can be adjusted to the unique circumstances of each third-party relationship.
“The agencies do not believe it would be appropriate to prescribe alternative approaches or to broadly assume lower levels of risk based solely on the type of a third party,” the guidance said. “For example, while a third-party relationship with an affiliate may have different characteristics and risks as compared to those with non-affiliated third parties, affiliate relationships may not always present lower risks. The same is true for third parties that are subject to some form of regulation.”
In cases where a bank may not be able to gather certain information on potential partners — due to the firm’s brief operational history or existing policies against sharing information — regulators advised banks to obtain alternative information on the company, consult with industry utilities or consortiums, or consider using a different third party.
The guidance also encourages banks to consider the strategies and goals of a potential third-party firm, as well as its ownership structure, financial condition and incident reporting procedures.
An evaluation of the volume and types of subcontractors that a third party relies on also helps inform whether such arrangements pose additional or heightened risk to a bank, regulators said.
The guidance also encouraged firms to monitor third parties on an ongoing basis, and to direct-test the third party’s controls.
In a departure from the third-party risk management guidance regulators proposed in 2021, regulators removed the proposal’s exclusion of customer relationships from Tuesday’s document, a move that was criticized by FDIC Vice Chairman Jonathan McKernan.
In a statement Tuesday, the FDIC board member said the change, which was intended to reduce ambiguity, does the opposite.
“In my view, the exclusion’s removal itself creates ambiguity. The final guidance is now unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services,” he said.
The guidance did not receive support from Fed Governor Michelle Bowman, the only Fed member to oppose the finalization of the document.
Bowman, who said the Fed's “past third-party risk management guidance was supplemented by several implementation aids and tools,” said the new guidance fails to mitigate regulatory burden on smaller institutions.
“Regulatory guidance can play an important role in promoting risk management practices by encouraging dialogue between the bank and its examiners and by establishing reasonable and clear supervisory expectations,” she said in a statement Tuesday. “Although this guidance suggests that a sound third-party risk management framework should be appropriately tailored to a bank’s level of risk, complexity, and size, it does not provide the necessary clarity or supplemental tools to facilitate small bank implementation.”
Meanwhile, at least one trade group has come out in support of the newly released joint guidance.
“We applaud the Federal Reserve Board, FDIC, and OCC for taking a coordinated approach to provide clarity for banks looking to adopt leading technologies and partner with related third parties,” Penny Lee, CEO of the Financial Technology Association, said in a statement Tuesday. “Today’s guidance acknowledges the benefits that third parties like fintechs provide and offers a constructive framework to mitigate identifiable risks, including for smaller banks that may face unique challenges in this context.”