October 29, 2021

Federal banking regulators continue their emphasis on bank oversight and management of risk from third party relationships through a series of guidance and proposed guidance published in the third quarter of 2021.

The Federal Reserve, FDIC and OCC published proposed interagency guidance on managing risk of third-party relationships in July 1 and a guide for community banks on conducting due diligence on fintech companies in August. Then, in September, the Federal Reserve issued a guide on community bank access to innovation through partnerships.

These guidance documents, highlighted here, have a common focus: partnering with third parties can have significant advantages for banks, including a quicker and more efficient process to access new technologies, but regulators expect banks to manage third-party risk with appropriate policies, processes and programs.

Proposed Interagency Guidance

The proposed interagency guidance published earlier this year is intended to replace and complement three pre existing guidance documents: the Fed’s “Guidance on Managing Outsourcing Risk,” issued December 2013;2 the FDIC’s “Guidance for Managing Third-Party Risk,” issued June 2008;3 and the OCC’s “Third-Party Relationships: Risk Management Guidance,” issued October 20134 and supplemented with FAQs in March 2020.5 The stated purpose of the proposed guidance is to help banks with identifying and addressing risks incumbent in third party vendors, outsourcing and other business relationships and complying with applicable statutes and regulations.


The proposed interagency guidance is largely based on the OCC’s 2013 guidance and proposes to incorporate the OCC’s 2020 FAQ. Consistent with the 2013 OCC guidance, the proposed interagency guidance provides that a bank’s third-party risk management program should be commensurate with its size, complexity and risk profile, and that third-party relationships involving critical activities in particular should be subject to comprehensive and rigorous oversight by banks. In line with the OCC’s 2020 FAQ, the proposed guidance

describes critical activities as significant bank functions that could (a) cause the bank to face significant risk if the third party fails to meet expectations, (b) result in significant customer impacts, (c) require significant investment in resources to implement and manage, or (d) have a major impact on the bank’s operations if the bank cannot find an alternative third party or bring the activity in-house.


The proposed guidance would require banks to manage third-party risk at all stages of the relationship lifecycle, including:

· Planning;

· Due Diligence and selection;

· Contract Negotiation;

· Ongoing Monitoring of the relationship; and

· Termination of the relationship (including transition of the activity in-house or to a new third-party provider).

With respect to Due Diligence and contract negotiation, the proposed guidance takes many cues from the OCC’s 2013 guidance, including:

· Advising banks to perform extensive due diligence with respect to the third party’s strategies and goals, financial condition, business experience, fee and compensation structure (including incentives to risky behavior), qualification of the third party’s principles, risk management and controls, information security, information technology, operational resilience, incident management, use of subcontractors, insurance program, and contractual arrangements with third parties that may cause conflicts; and

· Addressing as appropriate the following in written contracts with third parties: the nature and scope of the relationship and services, service level agreements, responsibilities for providing information and reporting regarding the relationship or services, audit rights and related remediation, compliance with laws and regulations, compensation and fees, ownership and licensing of relevant data, technology and

intellectual property, confidentiality, information security, data use rights, operational resilience and business continuity, indemnification, insurance requirements, dispute resolution, limitations on liability (and ensuring they are proportionate to the level of risk), termination rights, handling of customer complaints, and use of subcontractors (including notice or consent rights).

While the proposed interagency guidance is substantively similar to the three agencies’ existing guidance on third party oversight, promulgation of the final guidance is likely to cause banks to re-assess their third-party oversight and risk management programs, which may result in new and modified requirements in banks’ for negotiating agreements with fintechs and other vendors and outsourced providers.


The Modevity Vendor Risk Management Services will provide clients with a powerful automated branded process for vendor assessment questionnaires and a powerful due diligence vendor risk rating reporting service with continuous vendor monitoring.

Modevity has implemented the full range of powerful database technologies, AI and open-source tools that enable our team of research analysts to quickly obtain a complete vendor risk profile. Our client companies will no longer need to implement Vendor Risk Management & Assessment software and staff resources – providing substantial organizational cost savings to their organization.

Modevity Contact info:

Tom J. Canova, Co-Founder, CMO

Phone: (610) 251-0700 E-mail: sales@modevity.com


#VendorRiskManagement, # #KYC, #Compliance, #AML, #RiskManagement, #Sanctions, #BSA, #KYC, #CustomerDueDiligence, #VRM, #CDD, #DueDiligence #Thirdpartyrisk

Post Details


October 29, 2021