A closer look at interagency guidance on third-party risk management
Dec 09, 2022 · Authored by Mark J. Boettcher
Financial institutions are continuing to expand their use of products and services from third-party providers, including many vendors in the financial technology (fintech), payment and cryptocurrency space. In July of 2021, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve System (collectively, the agencies) issued proposed interagency guidance for third-party risk management. With increasing use of third parties, the interagency guidance is intended to give financial institutions an updated framework to address the risks and life cycle of third-party relationships.
Currently, each agency has its own framework for third-party risk management. This proposed guidance would replace each agency’s existing framework and provide a single framework with guidance for financial institutions to follow. The proposed framework would continue to focus on developing a risk-based, principles-based approach to third-party risk management. Historically, the OCC’s 2013 Guidance with the 2020 FAQs was considered to be the more robust framework amongst the three agencies, and most of the proposed guidance is based on the OCC framework. This suggests that institutions not regulated by the OCC should pay closer attention to the proposed interagency guidance.
The proposed guidance continues to highlight that banks still bear responsibility for oversight of the third party and for ensuring that the financial institution is still complying with laws and regulations. The framework also addresses supervisory reviews of third parties, which would occur if an examiner feels a financial institution did not properly assess the third party, or for other instances as deemed necessary by the examiners.
The framework also outlines how financial institutions can adopt a risk-based approach, with processes and procedures that adjust to the level of risk and complexity of the third party. The proposed interagency framework will align with the OCC’s existing third-party risk management life cycle, which includes:
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination
Financial institutions should stay tuned as the proposed interagency guidance continues through review and is finalized.