Banking regulators issue joint guidance on third-party risk management

Federal banking regulators today issued long-awaited joint guidance for financial institutions on managing risks associated with third-party relationships, including relationships with technology providers. The three agencies—the Federal Reserve, FDIC and OCC—also said they plan to develop additional resources to assist community banks in managing third-party risks. The guidance replaces each agency’s existing guidance on third-party risk management.

The guidance establishes principles for all banking organizations to consider when developing and implementing risk management practices governing third-party relationships, according to the agencies. The document offers direction and expectations for all stages in those relationships, including planning, due diligence and third-party selection, contract negotiation, and termination. It also offers guidance for conducting independent reviews and maintaining documentation.

The guidance stresses that the agencies will review a bank’s risk management practices for third-party relationships as part of their standard supervisory processes. Among other things, supervisors typically assess the ability of a bank’s management to oversee and manage its third-party relationships; evaluate the effects of those relationships on the bank’s risk profile; and perform transaction testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations, according to the document.