Board of Governors of the Federal Reserve System

Third Party Risk Management - May 2024

Introduction

Community banks engage with third parties to compete in and respond to an evolving financial services landscape. Third-party relationships can offer community banks access to new technologies, risk-management tools, human capital, delivery channels, products, services, and markets. A community bank's reliance on third parties, however, reduces its direct operational control over activities¹ and may introduce new risks or increase existing risks, including, but not limited to, operational, compliance, financial, and strategic risks.

Due to the varied risks associated with third-party relationships, it is important for community banks to appropriately identify, assess, monitor, and control these risks as well as ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.² These laws and regulations include, but are not limited to, those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).

Engaging a third party does not diminish or remove a bank's responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself. A community bank may engage an external party to conduct aspects of its third-party risk management. However, the bank cannot abrogate its responsibility to employ effective risk-management practices, including when using a third party to conduct third-party risk management on behalf of the bank.

About This Guide

In June 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) issued the Interagency Guidance on Third-Party Relationships: Risk Management (TPRM Guidance).³ The TPRM Guidance includes sound risk-management principles for banking organizations to consider when developing and implementing risk-management practices for all stages in the life cycle of third-party relationships.

This guide is intended to assist community banks when developing and implementing their third-party risk-management practices. This guide is not a substitute for the TPRM Guidance.⁴ Rather, it is intended to be a resource for community banks to consider when managing the risk of third-party relationships. This guide is not a checklist and does not prescribe specific risk-management practices or establish any safe harbors for compliance with laws or regulations. While this guide is intended for use by community banks, other banks may find it useful. Some additional resources that can help support a bank's development and implementation of its risk-management program are listed in the appendix to this guide. The agencies underscore that supervisory guidance does not have the force and effect of law and does not impose any new requirements on banks.

Guide Contents

The guide provides potential considerations, resources, and examples through each stage of the third-party risk-management life cycle and is organized under the following topics:

• Risk Management. Discussion on risk considerations.
• Third-Party Relationship Life Cycle. The five stages of the life cycle are explained.
• Governance. Considerations for governance related to third-party risk.
• Appendix. Additional resources that can help support a bank's development and implementation of its third-party risk-management practices.

Excerpts from the TPRM Guidance are also highlighted within boxes in each section.

Risk Management

Not all third-party relationships present the same level of risk, and therefore not all relationships require the same level of oversight. As part of sound risk management, community banks apply more rigorous risk-management practices throughout the third-party relationship life cycle for third parties that support higher-risk activities, including critical activities. A community bank may adjust and update its third-party risk-management practices commensurate with its size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship. It is important to involve bank staff with the requisite knowledge and skills in each stage of the risk-management life cycle.

This guide includes considerations illustrating how a community bank may apply risk-management practices in different stages of the third-party relationship life cycle. An important initial step is identifying third-party relationships that support higher-risk activities, including critical activities. In determining whether an activity is higher risk, banks may assess various factors, such as if the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services.

Third-Party Relationship Life Cycle

Effective third-party risk management generally follows a continuous life cycle for third-party relationships. The five stages of the life cycle are set forth in figure 1, surrounded by the governance practices of Oversight and Accountability, Independent Reviews, and Documentation and Reporting.

For every stage, a community bank's level or type of oversight may vary, commensurate with its size, complexity, and risk profile as well as with the nature of the specific third-party relationship.

Planning

Careful planning enables a community bank to consider potential risks in the proposed third-party relationship. In addition, risk assessments are an important component of managing third-party relationships and help a bank evaluate the extent of risk-management resources and practices for effective oversight of the proposed third-party relationship throughout the subsequent stages of the third-party relationship life cycle.

Potential Considerations

• What are the underlying activities to be performed, and what are the bank and third party's prospective roles in the activities?
• What legal and compliance requirements will apply to the prospective third-party activities?
• What are the benefits of the relationship, and how would the relationship align with the bank's strategic plan?
• What risk-management and governance practices (including internal controls) will be necessary to manage and mitigate the potential risks?
• What are the financial implications of entering into and maintaining the business arrangement?
• What are the direct contractual costs and indirect costs to augment or alter bank staffing, processes, and technology?
• Do the expected benefits of the relationship exceed the potential costs and risks?
• How will the bank integrate third-party technology with the bank's existing systems and infrastructure? What changes would need to be made to the bank's technology to ensure compatibility, and what would be the associated risks and costs? Does staff have the requisite skills to manage risks associated with integrating the third party's technology into the bank's environment (if not, how will the bank integrate the technology)?
• What physical and/or system access would the third party have to bank facilities, systems, and records, and what record-keeping processes would the bank require the third party to implement?
• What interaction will the third party have with customers, and how would customer complaints be handled?
• What are the information security implications, and how will the third party access, process, and protect customers' information?
• Has the bank considered how to exit the activity or transition the activity to an alternative third party or in-house?

Potential Sources of Information

• The bank's strategic plan to assess the proposed activity's alignment with the bank's risk appetite, policies, and business objectives.
• The bank's budget or cost-benefit analysis to assess the financial considerations of the relationship.
• The bank's human resources staff to assess whether management and staff have the expertise and capacity to manage the relationship.
• The bank's internal policies, processes, and controls to assess the impact to the bank of entering into and managing the proposed relationship.
• The bank's inventory of existing third-party relationships to assess whether an existing relationship could support the new activity.
• The bank's technology infrastructure and staff to assess how readily it could integrate with a third party to support the new activity.
• The perspectives of the bank's subject matter experts, including those in information technology, legal, and compliance risk.
• Board policies, including risk limits, to assess alignment with the proposed third-party relationship.

Due Diligence and Third-Party Selection

Due diligence is the process by which a community bank assesses, before entering into a third-party relationship, a particular third party's ability to perform the activity as expected, adhere to the community bank's policies, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. Effective due diligence assists with the selection of capable and reliable third parties to perform activities for, through, or on behalf of the community bank. If the bank cannot obtain desired due diligence information from the third party, the bank may consider alternative information, controls, or monitoring.

Potential Considerations

• Has the third party demonstrated financial and operational capability to meet its obligations to the bank? If no, what alternative information is available?
• What resources and expertise are available at the third party to support the activity?
• What third-party policies, processes, and internal controls support performance of the service in alignment with the bank's expectations and standards?
• Has the third party demonstrated an ability to comply with applicable laws and regulations, including anti-money laundering and countering the financing of terrorism (AML/CFT) as well as fair lending and consumer protection laws and regulations (as applicable)?
• Is the third party's information security program consistent with the bank's program and expectations related to protecting the confidentiality, integrity, and availability of information?
• Does the third party demonstrate the ability to effectively operate through and recover from both internal and external operational incidents or disruptions?
• How has the third party performed in the past during periods of economic or financial stress?
• Does the third party rely on subcontractors, and could that reliance pose additional or heightened risk to the bank?
• Does the third party use technologies that could introduce additional risk?
• Does the third party have a robust consumer complaint program? Does it have a history of prompt and satisfactory resolution of consumer complaints?
• Is the third party involved in ongoing litigation or other public matters of concern?
• Can the third party demonstrate that it has successfully provided the prospective services for other banks or similar clients?

Potential Sources of Information

• The third party's audited financial statements and other financial information to assess the third party's financial condition.
• The third party's licenses and any other legal authority necessary to perform the activity.
• The third party's relevant policies and procedures, including those related to AML/CFT, to assess the effectiveness of its risk-management practices, control environment, and alignment with the bank's expectations and standards and with applicable legal requirements.
• Independent reviews of the effectiveness of those policies and procedures, including AML/CFT.
• The third party's strategic plan or other disclosures to assess whether the business strategy and its agreements with other entities pose new or increased risks.
• The third party's staffing levels and qualifications to assess whether the third party's resources can fulfill its obligations to the bank, including those of principals and other key personnel related to the activity.
• The third party's training program to assess if its employees understand their duties and responsibilities, are knowledgeable about applicable laws and regulations, and have requisite certifications and licenses.
• The volume and nature of consumer complaints against the third party.
• The Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons list ("SDN List") and all other sanctions lists to ensure the third party and its employees, contractors, or grantees are not sanctioned by the U.S. government.
• System and Organization Controls (SOC) reports, independent assessments, and industry certifications to assess the third party's operational risk management and internal controls.
• Audit reports to assess the third party's risk management and internal controls.
• References and feedback from peer institutions or clients that are currently using the third party's service.
• The third party's current insurance coverage to determine if sufficient for the activity.
• Disclosures and information in the media or in any of the third party's publications, including its website, to assess potential risks to the bank.
• Internet searches of the third party's company name to determine whether it has been partnered with institutions subject to consent orders related to third-party transactions or conducts business with companies that misrepresent deposit insurance coverage.

Contract Negotiation

Before entering a contractual relationship with a third party, a community bank typically considers contract provisions that meet its business objectives, regulatory obligations, and risk-management policies and procedures. The community bank typically negotiates contract provisions that facilitate effective risk management and oversight, including terms that specify the expectations and obligations of both the community bank and the third party. When a community bank has limited negotiating power, it is important for bank management to understand any resulting limitations and consequent risks. Possible actions that bank management might take in such circumstances include determining whether the contract can still meet the community bank's needs, whether the contract would result in increased risk to the community bank, and whether residual risks are acceptable.

Potential Considerations

• To what extent does the contract specify the parties' responsibilities and cover all aspects of the relationship (including costs, reimbursements, and other liabilities)?
• What provisions does the bank need to include regarding termination events (for example, default or force majeure), continuity planning, and associated costs and fees?
• What are the governance and escalation protocols regarding the third party's performance and security measures or benchmarks?
• To what extent does the contract enable the bank to obtain timely information it needs to perform adequate ongoing monitoring, demonstrate compliance with applicable laws and regulations, and respond to regulatory requests? For example, will the bank have access to application and loan data, account opening and customer information, audit reports, suspicious activity monitoring information, and reports to identify safety and soundness and consumer compliance issues?
• What arrangements will be negotiated for sharing and using information, technology, and intellectual property?
• Does the contract specify limitations on the third party's use and retention of data (including customer data) related to the activity, including its disclosure, storage, delivery to the bank, and destruction?
• Does the contract appropriately address the bank's right to access its data at the third party and the process by which the bank will access its records and data (including customer data)?
• When and how will the third party notify the bank of a disruption, including degradation or interruptions in delivery, and how will the third party assist the bank with continuation of the activity?
• When and how will the third party notify the bank of strategic changes, such as mergers and acquisitions and leadership changes?
• What continuity plans, processes, and controls will the third party maintain to ensure contract adherence, including recovery time and recovery point objectives?
• For higher-risk activities, including critical activities, what are likely scenarios for breach of contract, and has the bank considered the potential exposure and cost?

Potential Sources of Information

• The bank's risk assessment and due diligence findings to determine the provisions to include in the contract.
• The third party's proposed service level agreements to set applicable performance and security metrics.
• Assessments from business units regarding their business needs and customer service objectives to determine performance and security measures to include in the contract.
• Contract provisions outlining the bank's access to the third party's audit, testing, and self-assessment reports for ongoing monitoring.
• Legal, compliance, and other stakeholders' perspectives to advise bank management on the contract provisions to appropriately protect the bank's interests.

Ongoing Monitoring

A community bank's ongoing monitoring of the third party's performance enables bank management to determine if the third party is performing as required for the duration of the contract. The bank may also use information from ongoing monitoring to adapt and refine its risk-management practices.

Potential Considerations

• Is the third party performing its obligations under the contract?
• Has the third party's financial condition changed, including declining revenues or increasing debt obligations?
• Has the third party complied with applicable laws, regulations, and service level agreements?
• Do audit and test results indicate the third party is managing risks and meeting contractual obligations and regulatory requirements effectively?
• Is the third party demonstrating an ability to maintain its systems within the bank's availability requirements (e.g., latency, bandwidth, and uptime)?
• Is the third party demonstrating reliability throughout its relationship with the bank?
• How do the third party's business continuity and disaster recovery plans and practices demonstrate its capability to respond and recover from service disruptions?
• Has the third party maintained the confidentiality, availability, and integrity of customer data (where applicable) and the bank's systems, information, and data?
• Do reports from the third party align with the bank's internal reports and observations?
• Has the third party's performance changed due to mergers, acquisitions, or divestitures?
• Has the bank's reliance on the third party to conduct bank activities changed over the life of the relationship?
• For third parties that interact with customers or access customer data, has the third party responded appropriately to the bank's requests for its records and information?
• Have there been changes in the third party's strategy, corporate culture, leadership, or risk exposure? If so, what is the impact on the relationship with the bank?

Potential Sources of Information

• Service level agreements and standards to assess the third party's performance and to confirm that existing provisions continue to address risks and the bank's expectations.
• Audited and other financial reports to confirm the third party's financial condition remains sound and in compliance with contractual requirements.
• Audits and reports to confirm the third party's compliance with all applicable laws and regulations.
• Internal reports to review changes in the bank's risk assessment and supporting risk-management processes.
• The bank and third party's contingency testing results to evaluate the ability to respond to and recover from service disruptions or degradations.
• Review and testing of control effectiveness to assess whether the third party's control environment remains sound, including SOC reports and self-assessments to industry standards.
• Information security testing results to assess the third party's ability to maintain the confidentiality, availability, and integrity of customer data (where applicable) and the bank's systems, information, and data.
• Customer complaints to assess the volume and subject matter of complaints and the timeliness and appropriateness of the third party's response to them.
• Communication with the third party to assess changes in key processes.
• The third party's staffing and succession plans and organizational charts to assess changes in the third party's key personnel involved in the activity and to determine whether key personnel have assumed responsibilities that may detract from their ability to perform under the third party's agreement with the bank (e.g., affiliation with other entities).
• Training materials provided to the third party and bank staff for continued education.
• Public filings, news articles, social media, and customer feedback about experiences with the third party.

Termination

A community bank may choose to end its relationship with a third party for a variety of reasons. A bank typically considers the impact of a potential termination during the planning stage of the life cycle. This consideration may help to mitigate costs and disruptions caused by termination, particularly for higher-risk activities, including critical activities.

Potential Considerations

• How will the termination affect the bank's operations and its compliance with applicable laws and regulations? Will any higher-risk activities, including critical activities, be affected?
• What are the financial implications of terminating the relationship?
• What alternative third parties are available to which the bank can transition, or can the bank perform the activity in-house?
• How ready are bank staff, systems, and control environments to move the outsourced activity in-house, if needed?
• How will the bank and the third party handle intellectual property?
• What access to bank systems or information has the third party been granted? How and when will this access be removed?
• If the third party has access to bank or customer data, when and how will the bank confirm that the data has been returned or destroyed?
• Will the bank have access to data to meet its AML/CFT requirements and other recordkeeping obligations?
• How will the bank manage risks associated with the termination or migration, including the impact on customers?
• What additional controls and processes will the bank put in place during the transition?

Potential Sources of Information

• The bank's contract with the third party, to verify how parties may exit the relationship and the conditions under which fees or penalties will be imposed for early termination.
• The bank's budget to assess the impact of costs and fees associated with termination.
• Any outlines of steps or resources that the bank had previously developed to support its exit from the activity or to transition the activity to an alternative third party or in-house.
• Inventory of the bank or customers' data at the third party to support risk management associated with data retention and destruction, information system connections and access control, or other control concerns.
• Assessments of the bank's systems, processes, and human resources to determine whether the bank has the capability, resources, and time to transition the activity to another third party or bring the activity in-house with limited disruption to the bank's operations.
• The bank's third-party inventory to assess existing relationships with other third parties to transition the activity to them, if appropriate.
• The bank's considerations for transitioning customer accounts with limited disruption to customers and the bank's operations.

Governance

Community banks typically consider the following governance practices throughout the third-party relationship life cycle: oversight and accountability, independent reviews, and documentation and reporting.

Potential Considerations

• How do the bank's policies and procedures promote effective third-party risk-management governance?
• How do documentation and reporting enable the bank's board of directors to consistently oversee third-party risk management?
• How does the bank's board of directors hold management accountable for third-party risk management?
• Do the bank's governance structure and internal control environment effectively promote compliance with bank policies and procedures and applicable laws and regulations?
• Has the bank accurately assessed the resources required (including level and expertise of staffing) to manage third-party risks?
• Does the bank effectively document and maintain a current inventory of all third-party relationships that clearly identifies those relationships associated with higher-risk activities, including critical activities?
• Has the bank effectively evaluated the accuracy and timeliness of risk and performance reporting?
• Has the bank effectively conducted periodic independent reviews of the bank's third-party risk management?
• When and how does the bank's management inform its board of directors about third-party risks?

Potential Sources of Information

• The bank's strategic plan to verify that the bank's third-party risk-management practices are aligned with its strategic objectives.
• Applicable policies and procedures to assess whether they address risks posed by third-party relationships.
• The bank's contingency testing plans to understand how the bank maintains operations during disruptions.
• Audit reports to assess the bank's risk management and pertinent internal controls.
• The bank management's periodic reporting to the board of directors on third parties that support higher-risk activities, including critical activities.
• Documentation of the bank's actions to remedy material third-party issues, including performance deterioration.
• Other internal reports regarding the bank's third-party relationships.

Appendix

Government Resources for Community Banking Organizations' Third‑Party Risk Management

These resources are not all inclusive, and other sources of information may be available, particularly on specific topics.

• Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37,920 (June 6, 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management.
• SR 21-15/CA 21-11, FIL 59-2021, and OCC Bulletin 2021-40: "Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies," https://www.federalreserve.gov/supervisionreg/srletters/sr2115.htm, https://www.fdic.gov/sites/default/files/2024-03/pr21075a.pdf, https://www.occ.gov/news-issuances/news-releases/2021/nr-ia-2021-85a.pdf.
• Federal Register (86 Fed. Reg. 66,424), SR 22-4/CA 22-3, FDIC: FIL-12-2022, and OCC Bulletin 2022-8: "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers," https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank.
• "Protecting Against Cyber Threats to Managed Service Providers and their Customers," Cybersecurity & Infrastructure Security Agency (CISA), Alert (AA22-131A), last modified May 11, 2022, https://www.cisa.gov/news-events/alerts/2022/05/11/protecting-against-cyber-threats-managed-service-providers-and-their.
• CISA, Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks (Arlington: CISA, January 2023), https://www.cisa.gov/resources-tools/resources/securing-smb-supply-chains-resource-handbook.
• CISA Alert, "NCSC-UK Releases Guidance on Using MSP for Administering Cloud Services," last modified January 11, 2023, https://www.cisa.gov/news-events/alerts/2023/01/11/ncsc-uk-releases-guidance-using-msp-administering-cloud-services.
• Federal Financial Institutions Examination Council (FFIEC), "Joint Statement: Security in a Cloud Computing Environment," news release, April 30, 2020, https://www.ffiec.gov/press/pr043020.htm.
• FFIEC, Bank Secrecy Act/Anti-Money Laundering Examination Manual (Arlington: FFIEC, February 2015), https://bsaaml.ffiec.gov/manual.
• FFIEC, Cybersecurity Assessment Tool (Arlington: FFIEC, May 2017), https://www.ffiec.gov/pdf/cybersecurity/ffiec_cat_may_2017.pdf.
• FFIEC, Cybersecurity Resource Guide for Financial Institutions (Arlington: FFIEC, September 2022), https://www.ffiec.gov/press/pdf/FFIECCybersecurityResourceGuide2022ApprovedRev.pdf.
• FFIEC, Authentication and Access to Financial Institutions Services and Systems (Arlington: FFIEC, August 2021), https://www.ffiec.gov/guidance/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf.
• Financial Crimes Enforcement Network, "Interagency Statement on Sharing Bank Secrecy Act Resources," news release, October 3, 2018, https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
• National Institute of Standards and Technology (NIST), "NIST Cybersecurity Framework," https://www.nist.gov/cyberframework.
• National Security Agency – Cybersecurity Information, Mitigating Cloud Vulnerabilities (Washington: NSA, January 2020), https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF.

Footnotes