Federal Banking Agencies Issue Proposed Guidance on Risk Management for Third-Party Relationships

By Ronald K. Vaske & Glen P. Trudel on July 16, 2021

On July 13, 2021, the Federal Reserve, FDIC, and OCC released proposed guidance for banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  This is the first time that the three agencies have proposed third-party risk management guidance on an interagency basis.  Comments on the proposal will be due no later than 60 days after the date it is published in the Federal Register.  The proposed guidance covers all types of third-party relationships, including those involving regulatory compliance under the Bank Secrecy Act.

The proposed guidance is based on the OCC’s existing 2013 third-party risk management guidance and includes changes to reflect that the guidance’s applicability would be extended to banking organizations supervised by all three federal banking agencies.  In March 2020, the OCC issued a revised set of FAQs to supplement its 2013 guidance that was intended to clarify the existing guidance and reflect evolving industry trends.  The proposed guidance includes the revised FAQs as an exhibit and the agencies seek comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include.

The proposed guidance states:

A third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise.  A third-party relationship may exist despite a lack of contract or remuneration.  Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization’s holding company.  While a determination of whether a banking organization’s relationship constitutes a business arrangement may vary depending on the facts and circumstances, third-party business arrangements generally exclude a bank’s customer relationships.

The proposed guidance sets forth principles for managing risk in each stage of a third-party relationship life cycle consisting of:

  • Planning for a relationship
  • Due diligence and third-party selection
  • Contract negotiation
  • Oversight and accountability
  • Ongoing monitoring
  • Termination

The proposed guidance also discusses the process that examiners will typically follow when reviewing a banking organization’s third-party risk management.

The principles provided by the proposed guidance are generalized in nature and there is no discussion in the guidance of how such principles should be applied to specific types of third-party relationships.  The OCC’s 2020 revised FAQs did address specific types of third-party relationships, such as relationships with data aggregators that collect customer-permissioned data from banks (including where aggregators engage in screen scraping activities), cloud computing providers, and relationships involving the use of alternative data.  As noted above, the agencies ask for comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance and whether there are additional concepts that would be helpful to include.  In addition, the series of questions on which the agencies request comment includes:

  • Whether there is a need for greater detail in any areas
  • How the proposed description of third-party relationships could be clearer
  • The extent to which the discussion of “business arrangement” in the proposed guidance provides sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate
  • What additional information the guidance could provide on managing the risks associated with third-party platforms that directly engage with end customers
  • How the guidance could further assist banking organizations in appropriately managing the compliance risks of business arrangements in which a third party engages in activities for which there are regulatory compliance requirements
  • What additional information the proposed guidance could provide for banking organizations to consider when managing risks related to different types of relationships with third parties (e.g. partnerships, joint ventures), including technology companies
  • What revisions would better assist banking organizations in assessing third-party risk as technologies evolve

CFPB-supervised banks and CFPB-supervised non-banks to which the banking agencies’ guidance would not apply should take note that in 2016, the CFPB began to examine service providers to institutions it supervises on a regular, systematic basis, particularly those supporting the mortgage industry.  In 2016, the CFPB issued a revised bulletin titled “Compliance Bulletin and Policy Guidance 2016-02, Service Providers” setting forth its expectations for managing the risks of service provider relationships.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. To learn more about Ballard Spahr’s Anti-Money Laundering Team, please click here.

  • Posted in:
    Corporate Compliance, Corporate Finance
  • Blog:
    Money Laundering Watch
  • Organization:
    Ballard Spahr LLP