Pub. 11 2022 Issue 3 27

Proposed Guidance closely tracks that published by the OCC in 2013 and expands it to apply to institutions supervised by all three federal banking agencies. Its stated goal is to provide a framework based on sound risk-management principles that banking organizations may use to address the risks associated with third-party relationships, emphasizing that, although use of third parties can offer more efficient access to technologies, human capital, products, and services, it does not remove the need for sound risk management.

Similar to the 2013 OCC guidance, “third-party relationships” are defined as “business arrangements between a banking organization and another entity, by contract or otherwise.” This goes beyond the FRB’s narrower application (service providers only) and would include relationships with vendors, fintech companies, affiliates, and a bank’s holding company. A third-party relationship may exist despite the lack of a contract or any payment for services.

The Proposed Guidance describes the third-party risk management lifecycle and identifies principles applicable to each stage of it, including:

1. Developing a plan that outlines the bank’s strategy, identifies the inherent risks of the activity with the third party, and details how the bank will identify, assess, select, and oversee the third party
2. Performing proper due diligence in selecting a third party
3. Negotiating written contracts that articulate the rights and responsibilities of all parties
4. Having the board of directors and management oversee the bank’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews
5. Conducting ongoing monitoring of the third party’s activities and performance
6. Developing contingency plans for terminating the relationship in an effective manner

It includes comprehensive action items and considerations for each stage of the lifecycle but also acknowledges that not all relationships present the same level of risk. The Proposed Guidance allows banks the latitude to engage in more comprehensive and rigorous oversight and management of third-party relationships that support “critical activities” and to adopt risk-management practices commensurate with the level of risk and complexity of the bank’s relationships and operations.

The Proposed Guidance is not yet final. Federal regulators requested comments, and various stakeholders have provided feedback. Much of the feedback is positive and expresses support for the effort to promote consistency between agencies; however, comments have also proposed modifications, including limiting the application to written contracts pursuant to which a bank receives services on an ongoing basis (excluding ad hoc arrangements with limited duration) and clarifying that the listed due-diligence factors and contractual considerations are not intended to apply to all third-party relationships and should not be viewed as a mandatory checklist (especially for low-risk relationships that do not involve critical activities). Comments have also requested that any final guidance give banks sufficient time to adapt, given that banks primarily regulated by the FDIC and FRB are currently subject to less detailed standards. Any final guidance may differ from the proposed version, but the Proposed Guidance gives banks a good indication of the potential standard going forward.

Ben Streckert is a Madison-based attorney with Husch Blackwell LLP and is a member of the firm’s Banking & Finance practice team.
He assists banks, bank holding companies, and other financial institutions on a range of transactional and regulatory matters, including bank holding company formations, capital raises and private securities offerings, mergers, acquisitions, and branch purchases. His regulatory work includes matters involving the FDIC, OCC, Federal Reserve, and state regulators.

Agency scrutiny of the third-party risks to banking institutions has only increased over time, as has the federal government’s vigilance regarding cybersecurity, which has been elevated to the level of a national security concern. Banking is at the heart of the matter.