Pub. 14 2023 Issue 2

Interagency Guidance on Third-Party Relationships Continues to Require a Tailored Approach Based on Risk Profile and Complexity By Sandra M. Murphy, Esq. and Amy J. Tawney, Esq., Bowles Rice On June 6, 2023, the federal banking regulators issued final joint guidance to assist all banking organizations in managing risks with third-party relationships. The guidance replaces each federal banking regulator’s existing general third-party guidance to promote consistency in the supervisory review of third-party relationships. The proposed interagency guidance issued in July 2021 was revised to clarify that the guidance does not have the force and effect of law and does not impose any new requirements on banks. However, the final guidance explicitly applies to fintech relationships, including those where the fintech interacts directly with the bank’s customers or serves as an intermediary providing services to the bank’s customers. The recent formal written agreement between the OCC and Blue Ridge Bank NA regarding its fintech partnerships and risk compliance illustrates the heightened regulatory scrutiny of fintech partnerships. Regulatory concern with these partnerships likely contributed to the termination of Blue Ridge Bankshares’ planned merger of equals with FVCBancorp, Inc. For banks involved with fintech partnerships, especially those considering merger and acquisition activity, it is important to review the final guidance and adjust their internal risk management processes if necessary. The guidance remains principles-based and risk-based to enable each bank to develop and implement its own risk management processes that are tailored to the bank’s size, complexity, risk profile, and nature of its third-party relationships. The guidance includes lists of items a bank could consider in each stage of the life cycle of a thirdparty relationship. These lists provide examples, but not requirements, of risk management considerations. The banking regulators have noted that additional resources will be developed to assist smaller, non-complex community banks in managing relevant third-party risk. Third-Party Relationship Life Cycle The guidance lays out the five stages of the life cycle for thirdparty relationships and includes recommended best practices that banks should consider in each stage. The stages and recommended best practices are as follows: 1. Planning • Understand the strategic purpose and how it aligns with the bank’s overall strategic goals, risk appetite and broader corporate policies • Identify and assess benefits and risks • Consider volume, use of subcontractors, technology needed, interaction with customers and use of foreignbased third parties • Evaluate estimated costs • Evaluate the impact on employees, including dual employees and potential outsourcing 12 West Virginia Banker