Banking regs seek consistency via new TPRM guidance

The Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and Treasury Department’s Office of the Comptroller of the Currency (OCC) cited their desire for promoting consistency and clearly articulating risk-based principles for third-party risk management in publishing the 68-page document. The guidance supersedes previous iterations put forward by the Fed in 2013, FDIC in 2008, and OCC in 2013.

The guidance, which is directed at all supervised banks, “states that sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The agencies cited an increase in the number and type of banks’ third-party relationships, including with financial technology (fintech) partners, as a driver behind the new documentation.

“[I]t is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly,” the guidance stated.

Comments on the guidance solicited in 2021 sought clarifications regarding the risk management life cycle, including:

• Due diligence: Commenters raised concerns third parties might be unable or unwilling to disclose certain information and suggested the guidance should be scaled to reflect varying levels of risks posed by third parties. The agencies responded by stating they “do not believe it would be appropriate for banking organizations to conduct reduced due diligence based solely on a third party’s entity type” and that it is the responsibility of the bank to assess third-party risks regardless of the information available.
• Contract negotiation: Comments stated the guidance should acknowledge the need for greater flexibility in certain contract negotiations. The guidance noted banks might have limited negotiating power in certain instances and should understand any resulting limitations.
• Ongoing monitoring: Despite comments pushing the agencies to encourage continuous, real-time monitoring, they declined to back any specific approach. Instead, they reiterated “a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship.”

“[T]he use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations,” the guidance emphasized. The agencies concluded the document by reminding financial institutions they could face enforcement if unsafe or unsound banking practices are observed among their third parties.