Regulators offer guidance on 3rd party risk management

(July 23, 2021) Comments are due to federal banking regulators Sept. 17 about proposed guidance on third-party risk management at banks – including that related to deals with financial technology (fintech) firms – issued by the federal banking agencies.

The joint announcement and guidance came as a surprise after the three agencies had historically issued separate rule-making on third party risk.

Under the proposal, announced July 13 and based on 2013 guidance issued by the OCC, financial institutions are offered a framework for what the agencies say is “based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”

The guidance also underscores that banks that outsource services or operational functions remain responsible for ensuring those activities are conducted “in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.”

The agencies said the proposed guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.


OCC Bulletin 2021-31: Third-Party Relationships — Notice and Request for Comment on Proposed Interagency Guidance