Banking Agencies Propose Guidance on Managing Third-Party Risk
The U.S. Federal Reserve, along with the FDIC and other banking agencies, is seeking public comment on proposed guidance on managing risks associated with third-party relationships. The proposed guidance would offer a framework for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships, taking into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. The proposed guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies. The proposed guidance describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise.

The proposed guidance also describes the third-party risk management life cycle and identifies principles applicable to each stage of the life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner.