Financial technology companies (fintechs) and other third parties in bank partnerships are routinely subject to scrutiny by their banking partner customers. The Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the “Banking Agencies”) have issued final guidance on managing risks associated with third-party relationships, which is effective as of June 6, 2023. The Banking Agencies issued the joint guidance to “promote consistency in supervisory approaches” and it replaces the Banking Agencies’ existing general guidance on third-party relationship risk management. The final guidance offers the Banking Agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships. The final guidance states that sound third-party risk management accounts for the level of risk, complexity, size of the banking organization, and the nature of the third-party relationship.
Discussion of Comments on the Proposed Guidance
The Banking Agencies received 82 comment letters from banking organizations, fintechs, and other third-party providers, such as trade associations, consultants, nonprofits, and individuals. The Banking Agencies considered all the comments received in developing the final guidance.
General Support for the Proposed Guidance
In general, commenters supported the Banking Agencies’ efforts to issue joint principles-based guidance on third-party risk management. Commenters agreed with the proposal’s overarching message regarding the importance of banking organizations adopting sound risk management practices that are commensurate with the level of risk and complexity of their respective third-party relationships. They agreed that a principles-based approach to third-party risk management can be adapted to a wide range of relationships and scaled for banking organizations of different sizes and complexity.
Specific Comments on the Proposed Guidance
Commenters provided specific feedback on several aspects of the proposed guidance. Some of the most common comments included:
- The need for more guidance on specific types of third-party relationships. Commenters requested more guidance on specific types of third-party relationships, such as cloud computing providers, fintech companies, and service providers located outside of the United States. In particular, the Banking Agencies stated that they recognize that “some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements.” As a result, the final guidance stresses it is “important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly.”
- The need for more guidance on the use of subcontractors. Commenters requested more guidance on the use of subcontractors by third parties, and comments largely focused on whether the guidance could be clarified to promote additional flexibility in how banking organizations manage the risk associated with subcontractors.
- The need for more guidance on information security. Commenters requested more guidance on information security, including the use of encryption and other security measures to protect customer data.
The Banking Agencies have incorporated several of the comments received into the final guidance. The final guidance includes the following key features:
- A risk-based approach to third-party risk management. The final guidance emphasizes the need for banking organizations to adopt a risk-based approach to third-party risk management. This means that banking organizations should assess the level of risk associated with each third-party relationship and implement appropriate risk management controls to mitigate those risks.
- A focus on the life cycle of third-party relationships. The final guidance emphasizes the need for banking organizations to manage third-party risk throughout the life cycle of each third-party relationship. This includes due diligence, monitoring, and termination of relationships. For foreign-based third parties, including foreign-based fintechs, the final guidance emphasizes the need to perform diligence and contract negotiation regarding any choice-of-law or jurisdictional contract provisions to understand whether contracts and covenants may be subject to the interpretation of foreign courts and law. The guidance acknowledges that banking organizations may use the services of industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement their due diligence.
- A requirement for periodic review of third-party risk management. The final guidance requires banking organizations to periodically review their third-party risk management practices to ensure that they are effective in mitigating the risks associated with third-party relationships.
* * * * *
The final guidance on third-party risk management provides banking organizations with a framework for managing the risks associated with third-party relationships. The guidance is principles-based and can be adapted to the specific needs of banking organizations of all sizes and complexity. The guidance is an important tool for banking organizations to help them protect their customers, their assets, and their reputation.