Hsu: Third-party risk management guidance offers flexibility for smaller banks

Regulators acknowledge that proper due diligence of third-party vendor relationships can be a struggle for smaller banks with their limited resources, which is why recent interagency guidance on the subject provides flexibility in how smaller institutions approach those reviews, Acting Comptroller of the Currency Michael Hsu said today.

The OCC, Federal Reserve and FDIC last week issued long-awaited joint guidance for financial institutions when managing risks associated with third-party relationships. They also pledged to develop additional resources to assist community banks in managing third-party risks. Speaking during a Q&A at an online conference on minority depository institutions, Hsu said regulators received many comments while drafting the document about the struggle smaller institutions face in performing due diligence.

“We acknowledge that and we say, ‘look, smaller banks, you can rely on group efforts, joint efforts, certifications—other ways to skin the cat,’” Hsu said. “You don’t each have to do your own due diligence over and over and over again. If there’s other mechanisms, we’re open to that. So we built that in explicitly recognizing that space needs to be built out.”

Still, support among policymakers for the guidance isn’t unanimous. In a statement accompanying the release of the document, Fed Governor Michelle Bowman said she was concerned that community banks would find it difficult to implement. “I am confident that community banks will do what is necessary to meet supervisory expectations, but I am disappointed that the agencies failed to make the upfront investment to reduce unnecessary confusion and burden on community banks,” she said.