On July 19, 2021, the Office of the Comptroller of the Currency (“OCC”), in conjunction with the Federal Deposit Insurance Corporation (“FDIC”) and the Board of Governors of the Federal Reserve System (the “Federal Reserve”), published proposed guidance (“Interagency Guidance” or “Guidance”) with respect to the management of third-party relationships in the banking sector. The OCC, FDIC and the Federal Reserve invited feedback from interested parties with respect to the proposed guidance through September 17, 2021.
If adopted, the proposed Interagency Guidance would apply to “any business arrangement between a banking organization and another entity, by contract or otherwise.” This intentionally expansive definition means that banking organizations would be required to implement a comprehensive third-party risk management (“TPRM”) framework that accounts for the full lifecycle of their relationships with suppliers, vendors, financial technology (fintech) providers, affiliates, and even holding companies. Although TPRM has long been a critical component of the U.S. Department of Justice’s (“DOJ’s”) own guidance on the evaluation of corporate compliance programs more generally, the proposed Interagency Guidance is the first cohesive attempt by U.S. regulators to require more formal TPRM practices from entities operating specifically in the U.S. banking sector.
The Guidance emphasizes that banking organizations should adopt a risk-based approach to TPRM that encompasses: (1) appropriate planning; (2) due diligence and third-party selection; (3) contract negotiation; (4) ongoing monitoring; and (5) termination of the third-party relationship.
In the planning phase of the TPRM lifecycle, banking organizations are required to identify and assess the risks associated with the proposed business arrangement and take “commensurate steps for appropriate risk management.” The planning phase includes due consideration of the business arrangement’s strategic purpose, its complexity, the risk posed by the arrangement to the organization, and the potential benefit to be derived from the relationship. The planning phase further includes an assessment of the proposed arrangement’s impact on the banking organization’s other strategic initiatives, its employees, and its customers.
The Interagency Guidance also stresses the need for situationally appropriate due diligence based on the risk posed by the potential business arrangement. In this context, the new Interagency Guidance echoes the DOJ’s own repeated emphasis on risk-based due diligence. Because not all third-party relationships are equal in significance or risk, the Guidance emphasizes the need for banking organizations to allocate more due diligence resources to proposed business arrangements that pose the highest or most critical risks to the organization holistically. In conducting such due diligence, the Guidance notes that banking organizations should broadly assess a third party’s ability to perform the expected activity, adhere to the banking organization’s policies, comply with all applicable laws and regulations, and operate in a safe and sound manner.
Contract negotiation constitutes another critical component of the TPRM lifecycle as addressed in the Guidance. Among other things, banking organizations are required to consider a full panoply of contractual provisions, including performance metrics and benchmarks, inspection and audit rights, confidentiality obligations, indemnification, insurance requirements, and default and termination triggers. When the proposed arrangement involves a foreign party, the Guidance specifically notes that careful consideration should be given to choice-of-law provisions and that the banking organization should retain local counsel to carefully scrutinize the enforceability of each contractual provision in conjunction with the other ramifications implicated by the third-party engagement (e.g., compliance with applicable privacy laws and jurisdiction-specific regulations addressing the cross-border flow of information).
Ongoing monitoring of the third-party relationship is another essential component of the recently published Guidance. Once the third party is engaged, it is incumbent upon the banking organization to conduct periodic audits and performance reviews in conjunction with the provision of services by the third party. In this vein, the banking organization should require the third party to furnish it with periodic audit and control testing reports and, if necessary, conduct physical site visits and engage representatives of the third party to confirm the “quality and sustainability” of its controls and its capacity to meet agreed-upon service-level expectations. Notably, the Guidance requires that the banking organization dedicate sufficient staff with the requisite “expertise, authority and accountability” to perform periodic monitoring. Because many banking organizations lack specific TPRM expertise, it is conceivable that impacted organizations may need to supplement their existing independent audit and/or compliance functions with additional personnel to appropriately manage third-party relationships.
Last, but by no means least, is the Guidance’s stipulation that the organization carefully consider the ramifications of terminating a third-party agreement. In so doing, the Guidance specifies that the banking organization should carefully consider what capabilities, resources and time are required to transition the activity undertaken by the third party, either laterally to another third party or in-house within the banking organization itself. The banking organization must also consider the risks associated with data retention and/or destruction, information connection and access control issues, disposition of joint intellectual property rights, and other concerns that require engagement with the third party well after the arrangement has been concluded.
The key takeaway from the proposed Interagency Guidance is that banking organizations, like organizations generally, face similar risks and challenges from the engagement of third parties. In an era of increased enforcement activity involving an organization’s intermediaries, agents and service providers, it is critical that banking organizations proactively mitigate the risks associated with such engagements. Because banking organizations are a critical component of the international economic infrastructure, it is all the more important that these risks be managed in a professional, diligent, and consistent manner.