ABA Comments on Proposed Interagency Third-Party Risk Management Guidance

The American Bankers Association yesterday provided detailed feedback on interagency third-party risk management guidance proposed by the Federal Reserve, FDIC and OCC. The proposed guidance—which would replace guidance previously issued by the individual agencies—describes the third-party risk management life cycle and identifies principles applicable to the six stages of a third-party relationship, including: strategy and planning; due diligence; contract negotiation; governance and oversight; monitoring; and termination.

Expressing its support of the joint effort, ABA wrote that “[t]his undertaking is especially valuable, as a bank’s ability to compete in the marketplace depends increasingly on the institution’s ability to leverage the expertise of third-party service providers and manage those relationships prudently.” ABA also provided several suggestions for clarifying and improving the proposal.

Among other things, ABA emphasized that the final guidance should be limited to situations where there is a written contract between a bank and a third party where a bank receives services on an ongoing basis and should exclude ad hoc arrangements of limited duration. Beyond issuing the final interagency guidance, ABA also called on the agencies to take additional steps to improve coordination and communication on third-party risk management matters.

The association’s comments were informed by input from third-party risk managers, chief risk officers, model risk experts, cybersecurity practitioners, regulatory risk management professionals and bank legal counsel.