June 06, 2023

Statement on Third Party Risk Management Guidance by Governor Michelle W. Bowman

While I strongly support appropriate supervisory expectations for banks managing third-party risks,[1] I cannot support this interagency guidance. The Federal Reserve's past third-party risk management guidance was supplemented by several implementation aids and tools.[2] These tools reflected significant efforts to provide clear, usable, and more appropriately tailored expectations for small banks when considering third-party risk management. The interagency guidance fails to take similar measures to mitigate regulatory burden on smaller institutions.

Regulatory guidance can play an important role in promoting risk management practices by encouraging dialogue between the bank and its examiners and by establishing reasonable and clear supervisory expectations. Although this guidance suggests that a sound third-party risk management framework should be appropriately tailored to a bank's level of risk, complexity, and size, it does not provide the necessary clarity or supplemental tools to facilitate small bank implementation.

The guidance contemplates that the agencies plan to develop additional resources to assist smaller, non-complex community banks in managing relevant third-party risks, but provides no timeline for development of these resources. It also makes clear that these additional resources will not be available for some time. This leaves one to wonder why the rush to publish without appropriate tools available for small banks.

In fact, the guidance acknowledges these fundamental differences among banks, but it applies the same expectations to all banks, regardless of their size and complexity. Developing the necessary resources to promote third-party risk management for community banks, institutions that stand to gain significantly from clarity in this area, should have taken place concurrently with the development of the guidance.[3]

The Federal Reserve previously issued guidance and provided supervisory tools to help community banks understand and meet supervisory expectations in this area. The new guidance—instead of incorporating and building upon these efforts—leaves uncertainty about whether community banks can rely on the previous guidance, tools, and feedback provided by examiners on third-party risk management in the past.[4] We should strive to provide appropriate, clear guidance and expectations together with tools that enable community bank compliance, rather than the one-size-fits-all approach adopted by this new interagency guidance.

My expectation is that community banks will find the new guidance challenging to implement. In fact, our own Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes. I am confident that community banks will do what is necessary to meet supervisory expectations, but I am disappointed that the agencies failed to make the upfront investment to reduce unnecessary confusion and burden on community banks.

While today's guidance may be a helpful step to promote sound third-party risk management and enhance interagency consistency among regulators, it is also part of a troubling pattern of the agencies' deviation from the risk-based, tailored approach to supervising and regulating banks. This follows a similar decision to forgo a tailored approach in the implementation date for recent revisions to Regulation II.[5] Smaller banks are a vital part of the banking system. Their core purpose is to serve the diverse range of communities and businesses that are not well-served by any other financial institutions. These examples of providing one-size-fits-all regulatory expectations for banks, including small banks, and failing to appropriately consider and mitigate the compliance and implementation burden imposed on these small banks, signal a concerning trend in our regulatory approach.

1. It is imperative that banks identify and manage their risks, including third-party risks. See Michelle W. Bowman, "The Innovation Imperative: Modernizing Traditional Banking (PDF)" (speech at the Independent Community Bankers of America ICBA Live 2023 Conference, Honolulu, Hawaii, March 14, 2023) ("All banks should understand regulatory expectations with respect to due diligence, risk management, and ongoing compliance when engaging in third-party relationships. Banking regulators can support this approach by providing clear expectations and the tools smaller banks may need to help them meet these expectations."); Michelle W. Bowman, "Welcoming Remarks (PDF)" (speech at the Midwest Cyber Workshop, organized by the Federal Reserve Banks of Chicago, Kansas City, and St. Louis, February 15, 2023); Michelle W. Bowman, "Community Banking in the Age of Innovation (PDF)" (speech at the "Fed Family" Luncheon at the Federal Reserve Bank of San Francisco, San Francisco, California, April 11, 2019).

2. See Board of Governors of the Federal Reserve System, FDIC, and OCC, "Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks (PDF)" (Washington: Board of Governors, FDIC, OCC, August 2021); Board of Governors of the Federal Reserve System, Federal Reserve Publishes Paper Describing Landscape of Partnerships Between Community Banks and Fintech Companies, news release, September 9, 2021.

3. The unique challenges faced by community banking organizations when engaging in third-party risk management are well-known, and highlight the need for additional resources. See U.S. Department of Treasury, A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation (PDF) (Washington: Department of Treasury, July 2018) ("Smaller, nonbank fintech firms and banks have raised concerns that the overall burden of the third-party supervisory regime stifles the ability of new firms to partner with banks. . . . [C]ommunity banks have expressed concern about their capacity to undertake the requisite due diligence and ongoing vendor management (especially with larger vendors).").

4. While the guidance expressly indicates that some generally applicable guidance for the Federal Reserve has been rescinded, it also notes that "(l)ongstanding principles of third-party risk management set forth in this guidance are applicable to all third-party relationships, including those with fintech companies."

5. For example, banks and credit unions have requested additional time to comply with the Board's rule revising Regulation II, and the Board has failed to provide even a short, reasonable extension of the effective date to address the significant concerns raised. See Letter from the American Bankers Association, Consumer Bankers Association, Credit Union National Association, National Association of Federally-Insured Credit Unions, and The Clearing House to Ms. Ann E. Misback, Secretary of the Board of Governors of the Federal Reserve System (February 10, 2023) (noting that an extension of the effective date would be appropriate to provide sufficient time for thousands of community banks and credit unions to implement changes to their core banking software and payments infrastructure); Letter from the Independent Community Bankers of America to Ms. Ann E. Misback, Secretary of the Board of Governors of the Federal Reserve System (February 13, 2023) (suggesting that an extension of the effective date would be appropriate to allow banks to adopt tools to monitor new risks from the rule, to revise policies and procedures, and to mitigate the risks of fraudulent transactions or transactions that are declined unnecessarily).

Last Update: June 06, 2023