Interagency Guidance on Third-Party Relationships: Risk Management

Treliant Takeaway:

Regulators have paid, and will continue to pay, close attention to banking institutions’ third-party risk management programs. While third-party risk management has been a key focus for most banks for many years, it is important now that banks evaluate the scope and strength of their third-party risk management programs and practices against this final guidance. This is particularly important for any institution that has invested, is investing, or will invest in innovative technologies; is becoming more decentralized and more dependent on third-party support; or is increasing the complexity of its third-party relationships of all kinds, including vendors, suppliers, and partnerships, which describes the majority of the banking industry today. The guidance is also very important for banks involved in fintech and technology partnerships or pursuing technology as a service offering. The industry has become highly dependent on these increasingly complex relationships as banks strive to innovate, meet customer demands, control costs, and improve efficiency.

Treliant has deep experience in the design, implementation, and assessment of third-party risk management practices and, most importantly, in ensuring that the size, scope, and complexity of your program are appropriate for your organization, sustainable, and scalable. We have a robust portfolio of fintech partner banks and understand the unique aspects of those third-party relationships. We can assist you in evaluating your third-party risk management practices relative to the interagency guidance; in assessing the effectiveness of those practices relative to the level of risk, the complexity and size of your organization, and the nature of the third-party relationship(s); and in implementing the appropriate enhancements so that your risk practices enable you to demonstrate safe and sound management of third-party relationships.


On June 6, 2023, the OCC, FDIC, and Federal Reserve finalized the much-anticipated third-party risk management guidance originally proposed in July 2021. This final guidance rescinds and replaces each agency’s existing third-party guidance, including the Federal Reserve Board’s 2013 guidance, the FDIC’s 2008 guidance, the OCC’s 2013 guidance, and the OCC’s 2020 frequently asked questions (OCC FAQs).

There were 82 comment letters in response to the proposed guidance, heavily focused on the use and interpretation of terms such as ‘business arrangement’, ‘third-party relationship’, and ‘critical activities’; how to tailor the guidance to institutions of varying size, complexity, and risk profile; the types of third-party relationships covered by the guidance; Board governance expectations; and the complexities of sub-contractor oversight. The final guidance reflects the reality that the number and types of third-party relationships have grown in volume and complexity. As a result, it is intended to be broadly applicable, flexible, risk- and principles-based, and not overly prescriptive, and it strives to establish a consistent lens for how all regulatory agencies will view third-party risks and the expectations for effective risk management. The general theme is unchanged: activities performed by a third party do not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with all applicable laws and regulations to the same extent as if the activities were performed by the banking organization itself, and the stages of the third-party relationship life cycle are relatively unchanged as well. Within that framework, however, the agencies provide meaningful clarity on many important topics. Important clarifications and enhancements from the original proposed guidance include:

  • flexibility regarding how this guidance is implemented, and permission to tailor it in the manner best suited to the organization;
  • clarity on the definition of critical activities and critical third parties, the risks associated with them, and related considerations for contracting, ongoing monitoring, and governance;
  • for sub-contractor/fourth-party relationships, a focus that is now primarily on the bank’s assessment and ongoing monitoring of the effectiveness of the third party’s oversight and risk management of that sub-contractor, and the related contractual, oversight, and governance considerations;
  • allowance for institutions to use collaborative agreements and external parties to support and supplement their ongoing monitoring activities;
  • guidance for Board governance of third parties that is less prescriptive and risk-based, and that takes into account the bank’s size, complexity, risk profile, and maturity; and
  • emphasis on the importance of periodic independent reviews of the adequacy of the institution’s third-party risk management program.
