On June 6, 2023, the federal banking regulators issued final joint guidance to assist all banking organizations in managing risks with third-party relationships. The guidance replaces each federal banking regulator’s existing general third-party guidance to promote consistency in the supervisory review of third-party relationships.

The proposed interagency guidance issued in July 2021 was revised to clarify that the guidance does not have the force and effect of law and does not impose any new requirements on banks. However, the final guidance explicitly applies to fintech relationships, including those where the fintech interacts directly with the bank’s customers or serves as an intermediary providing services to the bank’s customers. The recent formal written agreement between the OCC and Blue Ridge Bank NA regarding its fintech partnerships and risk compliance illustrates the heightened regulatory scrutiny of fintech partnerships. Regulatory concern with these partnerships likely contributed to the termination of Blue Ridge Bankshares’ planned merger of equals with FVCBancorp, Inc. For banks involved with fintech partnerships, especially those considering merger and acquisition activity, it is important to review the final guidance and adjust their internal risk management processes if necessary.

The guidance remains principles-based and risk-based to enable each bank to develop and implement its own risk management processes that are tailored to the bank’s size, complexity, risk profile, and nature of its third-party relationships. The guidance includes lists of items a bank could consider in each stage of the life cycle of a third-party relationship. These lists provide examples, but not requirements, of risk management considerations. The banking regulators have noted that additional resources will be developed to assist smaller, non-complex community banks in managing relevant third-party risk.

Third-Party Relationship Life Cycle

The guidance lays out the five stages of the life cycle for third-party relationships and includes recommended best practices that banks should consider in each stage. The stages and recommended best practices are as follows:

1. Planning

• • Understand the strategic purpose and how it aligns with the bank’s overall strategic goals, risk appetite and broader corporate policies
  • Identify and assess benefits and risks
  • Consider volume, use of subcontractors, technology needed, interaction with customers and use of foreign-based third parties
  • Evaluate estimated costs
  • Evaluate the impact on employees, including dual employees and potential outsourcing
  • Assess third-party’s access to customer information and interactions with customers
  • Understand potential information security implications
  • Determine how to select, assess, and oversee the third-party, including monitoring for compliance with applicable laws
  • Determine the bank’s ability to provide adequate oversight and management on an ongoing basis
  • Outline the bank’s contingency plans if need to transition to another third-party or bring the product in-house

2. Due Diligence and Third-Party Selection

The guidance provides that the scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship, with more diligence required for critical activities. The guidance permits the use of external parties to assist with due diligence but notes that such use does not abrogate the responsibility of the bank to manage the third-party relationship. The guidance lists the following factors that should be considered as part of due diligence of the third-party: strategies and goals; legal and regulatory compliance; financial condition; business experience; qualification and backgrounds of key personnel and other human resources considerations; risk management (policies, processes and internal controls); information security; management of information systems; operational resilience; incident reporting and management processes; physical security; reliance on subcontractors; insurance coverage and contractual arrangements with other parties.

3. Contract Negotiation

The guidance addresses the difficulty in negotiating contracts and the importance of banks in understanding their negotiating power and consequential risks. The guidance notes that the board of directors should be aware of and, as appropriate, approve or delegate approval of contracts involving high-risk activities and that legal counsel review may be warranted prior to execution of a contract. The factors listed in the guidance for consideration during contract negotiation include the nature and scope of arrangement; performance measures or benchmarks; responsibilities for providing, receiving and retaining information; the right to audit and require remediation; the responsibility for compliance with applicable laws and regulations; costs and compensation; ownership and licensing; confidentiality and integrity; operational resilience and business continuity; indemnification and limits on liability; insurance; dispute resolution; customer complaints; subcontracting; foreign-based third-parties; default and termination and regulatory supervision.

4. Ongoing Monitoring

The guidance notes that effective third-party risk management includes ongoing monitoring throughout the duration of the third-party relationship commensurate with the level of risk and complexity of the relationship and the activity performed by the third-party. Factors that should be considered as part of ongoing monitoring include:

• The overall effectiveness of the third-party relationship
• Changes to the third-party’s business strategy, financial condition, insurance coverage and key personnel
• Relevant audits, testing results and other reports that address capability of third-party to manage risks and meet contractual obligations and regulatory requirements
• Ongoing compliance with applicable laws and regulations
• Performance measured against contractual obligations
• Reliance on and use of subcontractors and risk management process for monitoring subcontractors
• Employee training
• Response to changing threats, new vulnerabilities and incidents impacting the activity
• Ability to maintain confidentiality and integrity of banking organization’s systems, information and data
• Volume, nature and trends of customer inquiries and complaints and adequacy of responses

5. Termination

When a bank needs to terminate a third-party relationship, the guidance recommends consideration of the following factors:

• Options for effective transition of services
• Relevant capabilities, resources and time frame required to transition the activity
• Costs and fees associated with termination
• Management of risks associated with data retention and destruction
• Handling of joint intellectual property
• Managing impact on customers

The guidance provides that the board of directors of the bank has the ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The board must consider whether third-party relationships are managed consistent with the bank’s strategic goals and risk appetite, whether there is appropriate periodic reporting on the third-party relationship and whether management has taken appropriate actions to remedy performance issues or changing risks. The guidance also lists certain activities that management should perform when carrying out their responsibilities in developing and implementing third-party risk management policies, procedures and practices.

Although the final guidance is broadly consistent with the regulator’s existing guidance and should not require significant updates to a bank’s third-party risk management framework, we recommend that bank management review the considerations set forth in the guidance against the bank’s existing risk-management policies and procedures to ensure that there are not areas that have been overlooked.