Proposed interagency guidance on third-party risk management

The federal banking agencies—the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (Federal Reserve)—published proposed interagency guidance about third-party risk management in the Federal Register on July 19, 2021. The proposed guidance is meant to harmonize the banking agencies’ expectations about how banks manage third-party relationships. The preamble to the proposed guidance suggests that “[t]he agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management.”

Each of the agencies has issued guidance in the past. The OCC issued Bulletin 2013-29, which explains the OCC’s expectations about how banks under its jurisdiction should manage risks that arise from third-party relationships. The OCC also issued a series of frequently asked questions (FAQs) in 2017 to supplement Bulletin 2013-29. The OCC replaced those FAQs with Bulletin 2020-10, which expanded upon the 2017 FAQs. Both the 2020 FAQs and the rescinded 2017 FAQs, which have been incorporated within the 2020 set, address several issues related to financial technology companies that may help banks provide services to their customers (e.g., cloud service providers and data aggregators). The FDIC issued its own guidance in 2008 about how to manage third-party risk, while the Federal Reserve issued guidance in 2013 about how to manage outsourcing risk.

 
