Interagency Guidance on Third-Party Relationships: Risk Management, 37920-37937 [2023-12340]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION
• FEDERAL RESERVE SYSTEM
• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY

[Federal Register Volume 88, Number 111 (Friday, June 9, 2023)]
[Notices]
[Pages 37920-37937]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-12340]


-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

[Docket No. OP-1752]

FEDERAL DEPOSIT INSURANCE CORPORATION

RIN 3064-ZA26

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket ID OCC-2021-0011]


Interagency Guidance on Third-Party Relationships: Risk 
Management

AGENCY: The Board of Governors of the Federal Reserve System (Board), 
the Federal Deposit Insurance Corporation (FDIC), and the Office of the 
Comptroller of the Currency (OCC), Treasury.

ACTION: Final interagency guidance.

-----------------------------------------------------------------------

SUMMARY: The Board, FDIC, and OCC (collectively, the agencies) are 
issuing final guidance on managing risks associated with third-party 
relationships. The final guidance offers the agencies' views on sound 
risk management principles for banking organizations when developing 
and implementing risk management practices for all stages in the life 
cycle of third-party relationships. The final guidance states that 
sound third-party risk management takes into account the level of risk, 
complexity, and size of the banking organization and the nature of the 
third-party relationship. The agencies are issuing this joint guidance 
to promote consistency in supervisory approaches; it replaces each 
agency's existing general guidance on this topic and is directed to all 
banking organizations supervised by the agencies.

DATES: The guidance is final as of June 6, 2023.

FOR FURTHER INFORMATION CONTACT: 
    Board: Kavita Jain, Deputy Associate Director, (202) 452-2062, 
Chandni Saxena, Manager, (202) 452-2357, Timothy Geishecker, Lead 
Financial Institution and Policy Analyst, (202) 475-6353, or David 
Palmer, Lead Financial Institution and Policy Analyst, (202) 452-2904, 
Division of Supervision and Regulation; Matthew Dukes, Counsel, (202) 
973-5096, Division of Consumer and Community Affairs; or Claudia Von 
Pervieux, Senior Counsel, (202) 452-2552, Evans Muzere, Senior Counsel, 
(202) 452-2621, or Alyssa O'Connor, Senior Attorney, (202) 452-3886, 
Legal Division, Board of Governors of the Federal Reserve System, 20th 
and C Streets NW, Washington, DC 20551. For users of telephone systems 
via text telephone (TTY) or any TTY-based Telecommunications Relay 
Services (TRS), please call 711 from any telephone, anywhere in the 
United States.
    FDIC: Thomas F. Lyons, Associate Director, Risk Management Policy, 
[email protected], (202) 898-6850), or Judy E. Gross, Senior Policy 
Analyst, [email protected], (202) 898-7047, Policy & Program 
Development, Division of Risk Management Supervision; Paul Robin, 
Chief, [email protected], (202) 898-6818, Supervisory Policy Section, 
Division of Depositor and Consumer Protection; or Marguerite 
Sagatelian, Senior Special Counsel, [email protected], (202) 898-
6690 or Jennifer M. Jones, Counsel, [email protected], (202) 898-6768, 
Supervision, Legislation & Enforcement Branch, Legal Division, Federal 
Deposit Insurance Corporation; 550 17th Street NW, Washington, DC 
20429.
    OCC: Kevin Greenfield, Deputy Comptroller for Operational Risk 
Policy, Tamara Culler, Governance and Operational Risk Policy Director, 
Emily Doran, Governance and Operational Risk Policy Analyst, or Stuart 
Hoffman, Governance and Operational Risk Policy Analyst, Operational 
Risk Policy Division, (202) 649-6550; or Eden Gray, Assistant Director, 
Tad Thompson, Counsel, or Graham Bannon, Attorney, Chief Counsel's 
Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 
7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, 
or have a speech disability, please dial 7-1-1 to access 
telecommunications relay services.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction
II. Discussion of Comments on the Proposed Guidance
    A. General Support for the Proposed Guidance
    B. Terminology and Scope
    C. Tailored Approach to Third-Party Risk Management
    D. Specific Types of Third-Party Relationships
    E. Risk Management Life Cycle
    F. Subcontractors
    G. Oversight and Accountability
    H. Other Matters Raised
III. Paperwork Reduction Act
IV. Text of Final Interagency Guidance on Third-Party Relationships

I. Introduction

    Banking organizations \1\ routinely rely on third parties for a 
range of products, services, and other activities (collectively, 
activities). The use of third parties can offer banking organizations 
significant benefits, such as quicker and more efficient access to 
technologies, human capital, delivery channels, products, services, and 
markets. Banking organizations' use of third parties does not remove 
the need for sound risk management. On the contrary, the use of third 
parties, especially those using new technologies, may present elevated 
risks to banking organizations and their customers, including 
operational, compliance, and strategic risks. Importantly, the use of 
third parties does not diminish or remove banking organizations'

[[Page 37921]]

responsibilities to ensure that activities are performed in a safe and 
sound manner and in compliance with applicable laws and regulations, 
including but not limited to those designed to protect consumers (such 
as fair lending laws and prohibitions against unfair, deceptive or 
abusive acts or practices) and those addressing financial crimes.
---------------------------------------------------------------------------

    \1\ For a description of the banking organizations supervised by 
each agency, refer to the definition of ``appropriate Federal 
banking agency'' in section 3(q) of the Federal Deposit Insurance 
Act (12 U.S.C. 1813(q)). This guidance is relevant to all banking 
organizations supervised by the agencies.
---------------------------------------------------------------------------

    The agencies have each previously issued general guidance for their 
respective supervised banking organizations to address appropriate risk 
management practices for third-party relationships, each of which is 
rescinded and replaced by this final guidance: the Board's 2013 
guidance,\2\ the FDIC's 2008 guidance,\3\ and the OCC's 2013 guidance 
and its 2020 frequently asked questions (herein, OCC FAQs).\4\ By 
issuing this interagency guidance, the agencies aim to promote 
consistency in their third-party risk management guidance and to 
clearly articulate risk-based principles for third-party risk 
management. Further, the agencies have observed an increase in the 
number and type of banking organizations' third-party relationships. 
Accordingly, the final guidance is intended to assist banking 
organizations in identifying and managing risks associated with third-
party relationships and in complying with applicable laws and 
regulations.\5\
---------------------------------------------------------------------------

    \2\ SR Letter 13-19/CA Letter 13-21, ``Guidance on Managing 
Outsourcing Risk'' (December 5, 2013, updated February 26, 2021).
    \3\ FIL-44-2008, ``Guidance for Managing Third-Party Risk'' 
(June 6, 2008).
    \4\ OCC Bulletin 2013-29, ``Third-Party Relationships: Risk 
Management Guidance,'' and OCC Bulletin 2020-10, ``Third-Party 
Relationships: Frequently Asked Questions to Supplement OCC Bulletin 
2013-29.'' Additionally, the OCC also issued foreign-based third-
party guidance, OCC Bulletin 2002-16, ``Bank Use of Foreign-Based 
Third-Party Service Providers: Risk Management Guidance,'' which is 
not being rescinded but instead supplements the final guidance.
    \5\ These include the ``Interagency Guidelines Establishing 
Standards for Safety and Soundness,'' and the ``Interagency 
Guidelines Establishing Information Security Standards,'' which were 
adopted pursuant to the procedures of section 39 of the Federal 
Deposit Insurance Act and section 505 of the Graham Leach Bliley 
Act, respectively. See 12 CFR part 30, appendices A and B (OCC); 
part 208, appendices D-1 and D-2 (Board); and part 364, appendices A 
and B (FDIC).
---------------------------------------------------------------------------

II. Discussion of Comments on the Proposed Guidance

    On July 19, 2021, the agencies published for comment proposed 
guidance on managing risks associated with third-party relationships 
(proposed guidance).\6\ The 60-day comment period initially ended on 
September 17, 2021. In response to commenters' requests for additional 
time to analyze and respond to the proposal, the agencies extended the 
comment period until October 18, 2021.\7\
---------------------------------------------------------------------------

    \6\ ``Proposed Interagency Guidance on Third-Party 
Relationships: Risk Management,'' 86 FR 38182 (July 19, 2021).
    \7\ ``Proposed Interagency Guidance on Third-Party 
Relationships: Risk Management,'' 86 FR 50789 (September 10, 2021).
---------------------------------------------------------------------------

    The agencies invited comment on all aspects of the proposed 
guidance. To help solicit feedback, the agencies posed 18 questions 
within the request for comment, organized across the following themes: 
General, Scope, Tailored Approach to Third-Party Risk Management, 
Third-Party Relationships, Due Diligence and Collaborative 
Arrangements, Subcontractors, Information Security, and the OCC's 2020 
FAQs. The agencies collectively received 82 comment letters from 
banking organizations, financial technology (fintech) companies and 
other third-party providers, trade associations, consultants, 
nonprofits, and individuals.\8\
---------------------------------------------------------------------------

    \8\ Comments can be accessed at: https://www.regulations.gov/document/OCC-2021-0011-0001/comment (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=OP-1752&doc_ver=1 (Board); and https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-proposed-interagency-guidance-third-party-rel-rm-3064-za26.html (FDIC).
---------------------------------------------------------------------------

A. General Support for the Proposed Guidance

    In general, commenters supported the agencies' efforts to issue 
joint principles-based guidance on third-party risk management. 
Commenters agreed with the proposal's overarching message regarding the 
importance of banking organizations adopting sound risk management 
practices that are commensurate with the level of risk and complexity 
of their respective third-party relationships. They agreed that a 
principles-based approach to third-party risk management can be adapted 
to a wide range of relationships and scaled for banking organizations 
of different sizes and complexity.
    There were varying views among commenters on the level of detail 
included in the proposed guidance. While some commenters found the 
language to be too prescriptive, others noted that it had the right 
level of detail to enable banking organizations to use the guidance in 
a risk-based fashion. Other commenters specifically requested that the 
agencies establish minimum required ``standards'' or incorporate 
greater specificity on supervisory expectations. Commenters also 
offered differing perspectives on whether or how to incorporate the 
concepts from the OCC FAQs.\9\
---------------------------------------------------------------------------

    \9\ The agencies included the OCC's 2020 FAQs as an exhibit when 
issuing the proposed guidance and sought comment on whether any of 
the concepts in the OCC FAQs should be incorporated into the 
interagency guidance. See 86 FR 38196.
---------------------------------------------------------------------------

    In response to comments received, the agencies underscore that 
supervisory guidance does not have the force and effect of law and does 
not impose any new requirements on banking organizations.\10\ The 
guidance addresses key principles banking organizations can leverage 
when developing and implementing risk management processes tailored to 
the risk profile and complexity of their third-party relationships.
---------------------------------------------------------------------------

    \10\ See 12 CFR part 4, appendix A to subpart F (OCC); 12 CFR 
part 262, appendix A (Board); and 12 CFR part 302, appendix A 
(FDIC).
---------------------------------------------------------------------------

B. Terminology and Scope

    Commenters offered views on the description of the terms ``business 
arrangement,'' ``third-party relationship,'' and ``critical 
activities.''
1. Description of the Terms ``Business Arrangement'' and ``Third-Party 
Relationship''
    Some commenters suggested that the term ``business arrangement'' is 
overly broad and inconsistent with the risk-based approach of the 
guidance. For example, some commenters believed that without narrowing 
the term, banking organizations may face an undue burden when 
implementing their risk management processes. Several commenters 
offered suggestions to narrow or modify the term ``business 
arrangement.'' These suggestions included focusing on material 
relationships, scoping out low-risk activities, and limiting 
arrangements to only those that are continuous and/or governed by a 
written contract.
    Similarly, some commenters suggested that the term ``third-party 
relationship'' was overly broad and may divert banking organizations 
from focusing sufficiently on those relationships that present higher 
risk. These commenters suggested applying a materiality standard (for 
example, those third parties supporting critical activities) or 
excluding certain categories of third-party relationships (for example, 
affiliates or bank-to-bank relationships).
    A few commenters recommended incorporating some of the more 
detailed discussions from OCC FAQs 1 and 2 elaborating on and providing 
examples of ``business arrangements'' and ``third-party 
relationships.''
    With respect to these comments, the agencies believe the scope of 
the term

[[Page 37922]]

``business arrangement'' in the proposed guidance captures the full 
range of third-party relationships that may pose risk to banking 
organizations, and the final guidance does not change that scope. These 
relationships have evolved, and may continue to evolve, over time to 
encompass a large range of activities, justifying the use of broad 
terminology. The agencies have incorporated concepts from OCC FAQs 1 
and 2. Although the terms ``business arrangement'' and ``third-party 
relationship'' are broad, the guidance does not suggest that all 
relationships require the same level or type of oversight or risk 
management, since different relationships present varying levels of 
risk. The guidance states that, as part of sound risk management, a 
banking organization analyzes the risks associated with each third-
party relationship and adjusts its risk management practices, 
commensurate with the banking organization's size, complexity, and risk 
profile and with the nature of its third-party relationships. The 
agencies have removed from the final guidance the proposed text, which 
stated that the term ``business arrangement'' generally excludes 
customer relationships. Since some business relationships may 
incorporate elements or features of a customer relationship, the 
removal of the proposed text is intended to reduce ambiguity.
2. Description of the Term ``Critical Activities''
    Commenters expressed views on the term ``critical activities,'' 
suggesting that the agencies provide banking organizations flexibility 
in determining which activities are higher risk and critical in nature 
or requested clarification on or limitation of the scope and 
application of the term. Some commenters requested the agencies provide 
further examples of critical activities or clarify whether banking 
organizations could employ risk-tiering processes to identify critical 
activities.
    Commenters provided other suggestions that they thought would 
improve the description of ``critical activities,'' such as:
     Merging the concepts of ``critical activities'' and 
``significant bank functions;''
     Reconsidering whether certain factors articulated within 
the proposed guidance should be determinative of criticality;
     Clarifying whether a certain monetary threshold would 
determine whether an activity requires a ``significant investment in 
resources to implement the third-party relationship and manage the 
risk;'' \11\
---------------------------------------------------------------------------

    \11\ ``Proposed Interagency Guidance on Third-Party 
Relationships: Risk Management'', 86 FR 38182, at 38187 (July 19, 
2021); https://www.federalregister.gov/documents/2021/07/19/2021-15308/proposed-interagency-guidance-on-third-party-relationships-risk-management.
---------------------------------------------------------------------------

     Incorporating the concept from OCC FAQ 8 that not every 
relationship involving critical activities is necessarily a critical 
third-party relationship; and
     Aligning the concept of criticality in the proposed 
guidance with similar concepts in existing, related guidance (for 
example, the definitions for ``critical operations'' and ``core 
business line'' used in the Interagency Paper on Sound Practices to 
Strengthen Operational Resilience \12\ (Sound Practices Paper)) to 
facilitate banking organizations' adoption of comprehensive risk 
management strategies.
---------------------------------------------------------------------------

    \12\ ``Interagency Paper on Sound Practices to Strengthen 
Operational Resilience,'' Federal Reserve SR 20-24 (November 2, 
2020); OCC Bulletin 2020-94 (October 30, 2020); and FDIC FIL-103-
2020 (November 2, 2020).
---------------------------------------------------------------------------

    The agencies considered the range of comments on the term 
``critical activities'' and have made certain revisions to improve 
clarity and emphasize flexibility. The revised term eliminates 
imprecise concepts like ``significant investment'' and ``significant 
bank function,'' instead focusing on illustrative, risk-based 
characteristics, such as activities that could cause significant risk 
to the banking organization if the third party fails to meet 
expectations or that have significant impacts on customers or the 
banking organization's financial condition or operation. The agencies 
have incorporated concepts from OCC FAQs 7, 8, and 9, recognizing that 
an activity that is critical for one banking organization may not be 
critical for another. Some banking organizations may assign a 
criticality or risk level to each third-party relationship, while 
others may identify critical activities and those third parties 
associated with such activities. Regardless of a banking organization's 
approach, applying a sound methodology to designate which activities 
and third-party relationships receive more comprehensive oversight is 
key for effective risk management.
    In response to the comments requesting alignment with other 
issuances, the agencies note that this guidance is intended to provide 
examples of considerations that may be helpful to all banking 
organizations, regardless of size. It is important for each banking 
organization to assess risks presented by each of its third-party 
relationships and tailor its risk management processes accordingly. To 
the extent that specific laws and regulations may be applicable, for 
example, recovery or resolution planning to large banking 
organizations,\13\ those banking organizations may desire to leverage 
definitions and approaches in those laws and regulations when 
developing and implementing third-party risk management, such as 
identifying third-party relationships that that support higher-risk 
activities, including critical activities. Moreover, to the extent that 
other guidance may be relevant to certain banking organizations, such 
as the Sound Practices Paper, which is intended for the largest and 
most complex banking organizations,\14\ such organizations may choose 
to reference relevant terms and concepts contained in those other 
issuances when implementing their third-party risk management 
processes.
---------------------------------------------------------------------------

    \13\ See 12 CFR part 243 (Regulation QQ); 12 CFR part 30, 
appendix E.
    \14\ The practices are addressed to domestic banks with more 
than $250 billion in total consolidated assets or banks with more 
than $100 billion in total assets and other risk characteristics. 
See note 12.
---------------------------------------------------------------------------

C. Tailored Approach to Third-Party Risk Management

    Commenters offered views on appropriately tailoring the risk 
management principles discussed in the guidance to meet the different 
needs of individual banking organizations, and particularly community 
banking organizations. For example, some commenters asserted that 
smaller, less complex banking organizations do not need to adopt the 
same risk management approaches adopted by larger, more complex banking 
organizations. As such, they asked that the guidance include language 
either to clarify the flexibility of the guidance with respect to the 
size of banking organizations or to the risk presented by certain 
third-party relationships. Some commenters suggested that the guidance 
make allowances for banking organizations to explicitly accept the risk 
of the relationship, in lieu of establishing full due diligence 
practices, based on the banking organization's risk profile and 
individual circumstances of the relationship.
    Commenters also suggested that the agencies could provide examples 
of appropriate practices specific to smaller banking organizations or 
of the specific risks that certain categories of third parties or 
critical activities may pose to smaller banking organizations. Several 
commenters requested some form of acknowledgment that smaller banking 
organizations may lack the necessary

[[Page 37923]]

resources to thoroughly vet third parties, and thus should be afforded 
some form of ``safe harbor'' relating to third-party risk management to 
allow them to compete in the digital era.
    In addition, commenters suggested incorporating concepts from OCC 
FAQs 5, 6, and 7 to help reinforce flexibility for community banking 
organizations (acknowledging, for example, that banking organizations 
may have limited negotiating power, that there is no one way for banks 
to structure their third-party risk management processes, and that not 
all relationships warrant the same level of oversight or risk 
management).
    In response to these comments, the agencies reiterate that the 
guidance is relevant to all banking organizations. The agencies have 
incorporated concepts from OCC FAQ 9, clarifying language in the 
guidance about tailoring third-party risk management processes based on 
risk. The guidance notes that not all third-party relationships present 
the same level or type of risk and therefore not all relationships 
require the same extent of oversight or risk management. It also states 
that as part of sound risk management, it is the responsibility of each 
banking organization to analyze the risks associated with each third-
party relationship and to calibrate its risk management processes, 
commensurate with the banking organization's size, complexity, and risk 
profile and with the nature of its third-party relationships.
    Banking organizations have flexibility in their approach to 
assessing the risk posed by each third-party relationship and deciding 
the relevance of the considerations discussed in the guidance. To 
reinforce this flexibility and provide clarity on third-party risk 
management implementation, especially for community banking 
organizations, the agencies have streamlined and simplified certain 
sections of the guidance. The agencies have also incorporated into the 
final guidance concepts from OCC FAQs 5, 6, and 7 discussed above.

D. Specific Types of Third-Party Relationships

    Commenters pointed to types of third-party relationships that may 
pose heightened or novel risk management considerations. A number of 
commenters discussed a banking organization's use of third parties for 
technological advances and innovations, including relationships with 
fintech companies. Some commenters raised particular risks presented by 
data aggregators and suggested a range of approaches to address these 
risks. Suggestions included interagency coordination on a Consumer 
Financial Protection Bureau (CFPB) rulemaking on consumer access to 
financial records.\15\ In addition, some commenters expressed concern 
that the discussion in OCC FAQ 4 on third-party risk management 
expectations related to data aggregators may unintentionally result in 
outsized burdens on banking organizations. Other commenters asked for 
additional flexibility for banking organizations to manage 
relationships with third parties in relatively concentrated industries, 
mentioning cloud computing as an example.
---------------------------------------------------------------------------

    \15\ See 12 U.S.C. 5533. As required by the Dodd-Frank Wall 
Street Reform and Consumer Protection Act, the agencies are 
participating in consultations with the CFPB related to the 
rulemaking.
---------------------------------------------------------------------------

    Some commenters also noted that third-party risk management 
processes may be applied differently, based on the specific type of 
relationship. For example, several commenters stated that arrangements 
with affiliates may present different or lower risks than those with 
unaffiliated third parties, and suggested that, as a result, a banking 
organization's third-party risk management may differ for affiliates 
and non-affiliates. Certain commenters also suggested that third 
parties that are already supervised or regulated (including some 
foreign-regulated entities) present less risk to banking organizations 
such that a banking organization's risk management could be tailored 
accordingly (for example, through reduced due diligence).
    Commenters also suggested the agencies enhance discussion in the 
proposed guidance on foreign-based third parties, including clearly 
explaining this term, describing typical risks and accompanying risk 
management strategies, and addressing the possibility of incompatible 
legal obligations between jurisdictions. In the final guidance, the 
agencies have included a footnote to address questions surrounding the 
term ``foreign-based third party'' and have retained applicable 
considerations for foreign-based third parties within relevant sections 
of the risk management life cycle.
    With respect to comments about technological advances and 
innovation, the agencies recognize that some banking organizations are 
forming relationships with fintech companies, including under new or 
novel structures and arrangements. Depending on the specific 
circumstances, including the activities performed, such relationships 
may introduce new or increase existing risks to a banking organization, 
such as those risks identified by some commenters. For example, in some 
third-party relationships, the respective roles and responsibilities of 
a banking organization and a third party may differ from those in other 
third-party relationships. Additionally, depending on how the business 
arrangement is structured, the banking organization and the third party 
each may have varying degrees of interaction with customers. 
Longstanding principles of third-party risk management set forth in 
this guidance are applicable to all third-party relationships, 
including those with fintech companies. Therefore, it is important for 
a banking organization to understand how the arrangement with a third 
party, including a fintech company, is structured so that the banking 
organization may assess the types and levels of risks posed and 
determine how to manage those third-party relationships accordingly. 
The agencies did not incorporate concepts from OCC FAQ 4, opting to 
provide broad risk management guidance.
    The agencies considered other comments in relation to specific 
types of third-party relationships but decided not to exclude any 
specific third-party relationships from the scope of the guidance; 
rather, the guidance is relevant to managing all third-party 
relationships. Because third-party relationships present varying levels 
and types of risk, the guidance notes that not all relationships 
require the same level or type of oversight or risk management.
    This principles-based guidance provides a flexible, risk-based 
approach to third-party risk management that can be adjusted to the 
unique circumstances of each third-party relationship. The agencies do 
not believe it would be appropriate to prescribe alternative approaches 
or to broadly assume lower levels of risk based solely on the type of a 
third party. For example, while a third-party relationship with an 
affiliate may have different characteristics and risks as compared to 
those with non-affiliated third parties, affiliate relationships may 
not always present lower risks. The same is true for third parties that 
are subject to some form of regulation.
    The agencies also incorporated concepts from OCC FAQs 7 and 9, 
reiterating that as part of sound risk management, it is the 
responsibility of each banking organization to analyze the risks 
associated with each third-party relationship and to calibrate its risk 
management practices, commensurate with the banking organization's 
size, complexity, and risk

[[Page 37924]]

profile and with the nature of its third-party relationships.

E. Risk Management Life Cycle

    Commenters made a wide range of suggestions in the risk management 
life cycle section of the proposed guidance. Commenters expressed mixed 
views on the level of detail provided with respect to the various 
aspects of the risk management life cycle as well as the meaning of 
certain concepts. Some commenters raised concerns that the level of 
detail made the guidance overly burdensome on smaller banks. Other 
commenters recommended that the agencies expand the discussion to 
include additional stages within the risk management life cycle; a risk 
management matrix; or practical, illustrative examples throughout all 
stages of the life cycle.
    In response to these comments, the agencies have clarified and 
streamlined the guidance and removed details that were duplicative, not 
useful, or that could be interpreted as prescriptive. The agencies also 
reiterate that the guidance is principles-based. Examples of 
considerations are merely illustrative, not requirements, and may not 
be applicable or material to each banking organization or each third-
party relationship. The examples are not intended to be interpreted as 
exhaustive or to be used as a checklist. The agencies support a risk-
based approach for banking organizations to assess the risk posed by a 
third-party relationship and tailor their third-party risk management 
processes accordingly.
    In addition to these general comments, commenters provided thoughts 
on specific stages of the risk management life cycle, which are 
addressed below:
1. Due Diligence and Collaborative Arrangements
    The due diligence and third-party selection stage of the risk 
management life cycle drew particular attention from commenters. Some 
raised concerns with the feasibility of banking organizations 
performing the full range of due diligence outlined in the proposal, 
noting that third parties or their related subcontractors may be unable 
or unwilling to disclose certain information. These commenters stated 
that the extent of due diligence described may be beyond certain 
banking organizations' expertise or not be fully applicable for most 
relationships. Other commenters suggested that banking organizations 
could engage in less stringent due diligence for certain types of third 
parties. Suggestions to address these concerns included revising the 
guidance to scale due diligence to the risk posed by the third party, 
limiting the burden of certain due diligence practices, and 
acknowledging shortcomings in accessing certain information.
    Other commenters focused on steps to reduce the burdens of due 
diligence, by facilitating collaboration among banking organizations 
and reliance on certifications. For example, many commenters expressed 
support for proposed language on shared due diligence or collaboration 
between banking organizations.
    In some cases, commenters noted challenges with shared due 
diligence or collaboration among banking organizations, such as 
antitrust or privacy considerations and the ability to meet due 
diligence needs in a shared framework. Some commenters recommended 
solutions, such as joint data collections and assessments across 
banking organizations and third parties. Other commenters asked the 
agencies to incorporate and expand upon the discussions in OCC FAQs 14 
and 24 that banking organizations may rely on industry-accepted 
certifications and/or other reports.
    Commenters also suggested that the guidance address due diligence 
options when banking organizations have difficulty gaining access to 
information necessary to perform due diligence and audits. Several 
commenters recommended that the guidance be tailored for or scope out 
certain third parties that may be resistant to due diligence efforts. 
Banking organizations may not be able to seek out alternatives to these 
third parties, especially where the industry is particularly 
concentrated. Another commenter noted that the use of on-site audits or 
visits has declined over time and could be inefficient and costly, 
especially for third parties with operations in several physical 
locations (such as cloud computing service providers).
    With respect to commenters focused on specific third-party 
relationships, the agencies reiterate that relationships present 
varying levels of risk and not all relationships require the same level 
or type of oversight or risk management. However, the agencies do not 
believe it would be appropriate for banking organizations to conduct 
reduced due diligence based solely on a third party's entity type.
    With respect to commenters focused on steps to limit the burdens of 
due diligence, including collaboration with other banking organizations 
and engaging with third parties that specialize in conducting due 
diligence, the agencies note that such collaborative efforts could be 
beneficial and reduce burden, especially for community banking 
organizations, and have made certain clarifying revisions to the 
guidance in that regard. However, use of any collaborative efforts does 
not abrogate the responsibility of banking organizations to manage 
third-party relationships in a safe and sound manner and consistent 
with applicable laws and regulations (including antitrust laws). It is 
important for the banking organization to evaluate the conclusions from 
such collaborative efforts based on the banking organization's own 
specific circumstances and performance criteria for the activity. A 
banking organization engaging an external party to supplement risk 
management, including due diligence, constitutes establishing a 
business arrangement; such a relationship would typically be covered by 
the banking organization's third-party risk management processes. The 
agencies have incorporated into the final guidance concepts from OCC 
FAQs 12, 13, and 25.
    With respect to those commenters focused on circumstances in which 
banking organizations may have difficulty gaining access to 
information, the agencies acknowledge challenges in some circumstances. 
Consistent with the concepts from OCC FAQs 1, 5, and 17, the guidance 
provides that in such circumstances, banking organizations should 
consider taking steps to mitigate the risks or, if the risks cannot be 
mitigated, to determine whether the residual risks are acceptable. The 
guidance also states that when assessing the risk of a third-party 
relationship, banking organizations may consider information available 
from various sources. For example, the agencies incorporated concepts 
from OCC FAQs 14 and 24, recognizing that banking organizations may 
consider public regulatory disclosures when considering the risks 
presented by the specific third party. If the banking organization has 
concerns that the relationship falls outside of its risk appetite, it 
should consider making alternative choices.
    As the guidance emphasizes, it is the responsibility of the banking 
organization to identify and evaluate the risks associated with each 
third-party relationship and to tailor its risk management practices, 
commensurate with the banking organization's size, complexity, and risk 
profile, as well as with the nature of its third-party relationships. 
As such, the agencies have not excluded any specific third-party 
relationships from the scope of the guidance.

[[Page 37925]]

2. Contract Negotiation
    Commenters identified a range of suggestions on how the guidance 
approaches contract negotiations. Several commenters expressed concern 
that the section was overly detailed, that many contracts may not 
contain all of the contractual considerations discussed in the proposed 
guidance, and that such considerations might be treated as a mandatory 
checklist. Other commenters found the nature and extent of contractual 
language in the proposed guidance helpful in practice for informing a 
banking organization's contract negotiations.
    Several commenters stated that the guidance should acknowledge the 
need for greater flexibility in certain contract negotiations. For 
example, some commenters requested that the guidance recognize that 
banking organizations may lack sufficient leverage in negotiations with 
larger third parties and may struggle to get certain ``typical'' 
provisions into the contract.
    Further, several commenters recommended that the agencies provide 
additional support to smaller institutions to increase their collective 
negotiating power with respect to third parties, such as by creating a 
tool or supporting a collective group to facilitate negotiations. Some 
commenters proposed that the guidance include language from several of 
the OCC FAQs to clarify additional considerations regarding limited 
negotiating power and use of collaborative efforts when negotiating 
contracts.
    In response to these comments, the agencies have incorporated 
concepts from OCC FAQs 5 and 13, acknowledging that a banking 
organization may have limited negotiating power in certain instances 
and should understand any resulting limitations. As the guidance 
states, many of the same considerations for collaborative arrangements 
apply throughout the risk management life cycle.
    The agencies have streamlined some of the considerations in this 
section but believe that the overall scope of the discussion would be 
useful to banking organizations in understanding and preparing for 
contract negotiations.
3. Ongoing Monitoring
    Several commenters recommended that the agencies revise the 
proposed guidance to encourage banks to adopt active, continuous, real-
time monitoring, arguing that this approach is preferable to engaging 
in periodic assessments. Others requested the guidance provide 
additional information on alternative monitoring arrangements (such as 
certifications), collaborative monitoring arrangements, and reliance on 
external parties to supplement ongoing monitoring.
    The agencies are not encouraging any specific approach to ongoing 
monitoring. Rather, the guidance continues to state that a banking 
organization's ongoing monitoring, like other third-party risk 
management processes, should be appropriate for the risks associated 
with each third-party relationship, commensurate with the banking 
organization's size, complexity, and risk profile and with the nature 
of its third-party relationships. Additionally, the guidance states 
that banking organizations may consider collaborative arrangements or 
the use of external parties to supplement ongoing monitoring.

F. Subcontractors

    Commenters expressed a variety of views on banking organizations' 
relationships with subcontractors. These comments largely focused on 
whether the guidance could be clarified to promote additional 
flexibility in how banking organizations manage the risks associated 
with subcontractors, which pose challenges not necessarily present in a 
direct third-party relationship.
    Various commenters emphasized the importance of managing risks 
posed by subcontractors, especially those that are material to a 
service being provided to a banking organization; those with access to 
sensitive, nonpublic information; those that perform higher-risk 
activities, including critical activities; those with access to the 
banking organization's infrastructure; and those within extended chains 
of subcontractors. However, many of these commenters expressed concern 
regarding the potential challenges in overseeing and conducting 
effective due diligence on subcontractors, such as a banking 
organization's lack of a relationship with (contractually or 
otherwise), and leverage over, subcontractors. These commenters 
suggested either narrowing the guidance's discussion on subcontractors 
(for example, excluding relationships beyond third parties) or 
refocusing a banking organization's oversight to a third party's 
ability to manage its subcontractors. Commenters also suggested that, 
in line with OCC FAQ 11, a banking organization could require a third 
party to bind its subcontractors to any obligations and standards of 
the third party.
    With respect to these comments, the agencies acknowledge the risks 
and added complexity that may be involved with respect to a third 
party's use of subcontractors. The agencies also recognize concerns by 
commenters interpreting the guidance to mean banking organizations are 
expected to assess or oversee all subcontractors of a third party. 
Accordingly, consistent with the concepts in OCC FAQ 11, the agencies 
have revised the guidance, focusing on a banking organization's 
approach to evaluating its third party's own processes for overseeing 
subcontractors and managing risks. As the guidance clarifies, 
relationships with a third party, including a third party's use of 
subcontractors, should be evaluated based on the risk the relationship 
poses to the banking organization, which may include assessing whether 
a third party's use of subcontractors may heighten or raise additional 
risk to the banking organization and applying mitigating factors, as 
appropriate. The agencies have also made streamlining changes to 
improve clarity and promote flexibility, including by removing use of 
the term ``critical subcontractor.''

G. Oversight and Accountability

    Commenters provided suggestions as to the proper role of a banking 
organization's board of directors and management with respect to 
effective third-party risk management. Some commenters, for example, 
stated that the proposed guidance implied excessive board involvement 
in day-to-day management activity. Others suggested that the guidance 
could further clarify the role of the board of directors in risk 
management activities, specifically those aspects of third-party risk 
management that could appropriately be executed and overseen by senior 
management. Some commenters similarly suggested the guidance clarify 
the authority of management to establish policies governing third-party 
relationships. A few commenters requested the guidance provide 
granularity on the types, depth, and frequency of information necessary 
for board review, including for ongoing monitoring. Additionally, 
several commenters suggested incorporating into the guidance and 
elaborating upon OCC FAQs 6 and 26, which discuss the board's 
responsibility for overseeing the development of an effective third-
party risk management process, and its role in contract approval. Some 
commenters also requested ``Oversight and Accountability'' and its 
related subsections in the proposed guidance be better differentiated 
from the phases of the risk management life cycle, as the concepts and 
related activities occur

[[Page 37926]]

throughout the risk management life cycle.
    The agencies have incorporated concepts from OCC FAQs 6 and 26, 
reorganizing the guidance to make clear that oversight and 
accountability happens throughout the risk management life cycle and is 
not a specific stage. Further, the agencies have made changes to 
clarify and distinguish the board's responsibilities from management's 
responsibilities and to avoid the appearance of a prescriptive approach 
to the board's role in the risk management life cycle, while still 
emphasizing that the board has ultimate oversight responsibility to 
ensure that the banking organization operates in a safe and sound 
manner and in compliance with applicable laws and regulations.

H. Other Matters Raised

    Commenters also offered other thoughts and suggestions relating to 
the guidance. Commenters noted that it would be helpful to have a 
period prior to the guidance taking effect to permit banking 
organizations to adapt processes accordingly. Several commenters also 
recommended that the agencies leverage, refer to, or combine recent, 
relevant regulations and policy issuances (such as the ``Computer-
Security Incident Notification rule,'' \16\ ``Third-Party Due Diligence 
Guide for Community Banks,'' \17\ and the ``Model Risk Management'' 
booklet of the Comptroller's Handbook \18\) as part of any final third-
party risk management guidance. A few commenters made reference to the 
FDIC's 2016 proposed examination guidance for third-party lending,\19\ 
stating that, although not finalized, the 2016 proposed guidance set 
forth meaningful concepts about third-party lending relationships that 
could be useful in developing the final guidance.
---------------------------------------------------------------------------

    \16\ 12 CFR part 53 (OCC); 12 CFR 225, subpart N (Board); 12 CFR 
304, subpart C (FDIC).
    \17\ ``Conducting Due Diligence on Financial Technology 
Companies A Guide for Community Banks,'' Board, FDIC, OCC (August 
2021), available at: https://www.occ.gov/news-issuances/news-releases/2021/nr-ia-2021-85a.pdf.
    \18\ ``Comptroller's Handbook: Model Risk Management,'' OCC 
(August 2021), available at: https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/model-risk-management/pub-ch-model-risk.pdf.
    \19\ FDIC FIL-50-2016, ``Examination Guidance for Third-Party 
Lending'' (July 29, 2016). This proposed examination guidance was 
not finalized.
---------------------------------------------------------------------------

    Several commenters shared considerations regarding, and requested 
insight into, the agencies' examinations of banking organizations' 
third-party risk management processes. Some commenters suggested that 
any final guidance include a separate section outlining specific 
examination procedures to set clear and consistent expectations 
regarding the examination process.
    Commenters provided thoughts on incorporating any or all of the 
OCC's FAQs. Several commenters suggested including relevant FAQs as an 
appendix or separate section rather than incorporating them throughout 
any final guidance, complementing principle-based guidance with more 
issue-specific FAQs to provide practical context. Others thought that 
the existence of a separate set of FAQs would create unnecessary 
confusion for examiners and the industry. In response, the agencies 
have not incorporated issue-specific FAQs where it was determined the 
matters are adequately reflected in other issuances published since the 
OCC FAQs were last updated.
    Several commenters requested greater coordination among federal, 
state, and foreign regulators with respect to this guidance. 
Specifically, a few commenters suggested that other federal government 
agencies, such as the National Credit Union Administration, join the 
agencies in issuing this guidance. Another commenter urged the agencies 
to support federal legislative proposals that would clarify the 
authority of state regulators to examine third-party service providers 
together with the agencies.
    Some commenters suggested that the agencies develop additional 
guidance and educational resources on a wide array of separate topics 
that a banking organization's third-party risk management processes 
could touch upon, such as consumer protection issues, artificial 
intelligence, alternative data uses, and other novel developments, 
citing the agencies' crypto-asset ``policy sprints'' as an example. For 
example, as to consumer protection issues, some commenters expressed 
concern with certain third-party relationships, such as so-called 
``rent-a-charter'' arrangements that they believe are improperly used 
by non-bank third parties to preempt state usury laws. Multiple 
commenters requested that the agencies update the guidance to warn or 
discourage banking organizations about certain risks, such as high-
interest loans or conflicts with state laws. Several commenters also 
suggested that the agencies use their existing authorities (such as 
under the Bank Service Company Act \20\) to address the risks of what 
those commenters perceived as ``systemically important'' third-party 
service providers, or to otherwise assist banking organizations' third-
party risk management efforts. Other commenters suggested the agencies 
and the CFPB provide for automatic sharing of service provider reports 
of examination with service providers' client banking organizations or 
provide certifications relevant to a banking organization's due 
diligence.
---------------------------------------------------------------------------

    \20\ 12 U.S.C. 1861 et seq.
---------------------------------------------------------------------------

    In response to these comments, given the broad, principles-based 
approach of this guidance, the agencies have not revised the guidance 
to address specific topics or types of relationships. Separate guidance 
on certain topics or relationships already exists; these types of 
specific guidance issuances, unless expressly rescinded, would remain 
unaffected by this guidance. While certain topics (including those 
raised by commenters) are not explicitly discussed in the final 
guidance, the broad-based scope of the guidance captures the full range 
of third-party relationships. With respect to requests that would 
require statutory or regulatory changes, or may be outside the 
authority of the agencies, such requests cannot be addressed by this 
guidance.
    The agencies actively monitor trends and developments in the 
financial services industry and will consider issuing additional 
guidance or educational resources as necessary and appropriate to 
convey the agencies' views. The agencies plan to develop additional 
resources to assist smaller, non-complex community banking 
organizations in managing relevant third-party risks. The agencies will 
continue to coordinate closely about risk management matters, including 
third-party risk management, to help promote consistency across banking 
organizations and across the agencies.
    Regarding questions about each agency's approach to examining 
third-party risk management, each agency has its own processes and 
procedures for conducting supervisory activities, including examination 
work. The final guidance includes a brief discussion of the agencies' 
supervisory reviews, the scope of which is tailored to evaluate the 
risks inherent in a banking organization's third-party relationships 
and the effectiveness of a banking organization's third-party risk 
management processes.

III. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521) (PRA) 
states that no agency may conduct or sponsor, nor is the respondent 
required to respond to, an information collection unless it displays a 
currently valid Office of

[[Page 37927]]

Management and Budget (OMB) control number.
    The guidance does not revise any existing, or create any new, 
information collections pursuant to the PRA. Rather, any reporting, 
recordkeeping, or disclosure activities mentioned in the guidance are 
usual and customary and should occur in the normal course of business 
as defined in the PRA.\21\ Consequently, no submissions will be made to 
the OMB for review.
---------------------------------------------------------------------------

    \21\ 5 CFR 1320.3(b)(2).
---------------------------------------------------------------------------

IV. Text of Final Interagency Guidance on Third-Party Relationships

A. Overview
B. Risk Management
C. Third-Party Relationship Life Cycle
    1. Planning
    2. Due Diligence and Third-Party Selection
    3. Contract Negotiation
    4. Ongoing Monitoring
    5. Termination
D. Governance
    1. Oversight and Accountability
    2. Independent Reviews
    3. Documentation and Reporting
E. Supervisory Reviews of Third-Party Relationships

A. Overview

    The Board of Governors of the Federal Reserve System (Board), the 
Federal Deposit Insurance Corporation (FDIC), and the Office of the 
Comptroller of the Currency (OCC) (collectively, the agencies) have 
issued this guidance to provide sound risk management principles 
supervised banking organizations \1\ can leverage when developing and 
implementing risk management practices to assess and manage risks 
associated with third-party relationships.\2\
---------------------------------------------------------------------------

    \1\ For a description of the banking organizations supervised by 
each agency, refer to the definition of ``appropriate Federal 
banking agency'' in section 3(q) of the Federal Deposit Insurance 
Act (12 U.S.C. 1813(q)). This guidance is relevant to all banking 
organizations supervised by the agencies.
    \2\ Supervisory guidance does not have the force and effect of 
law and does not impose any new requirements on banking 
organizations. See 12 CFR 4, subpart F, appendix A (OCC); 12 CFR 
262, appendix A (FRB) 12 CFR 302, appendix A (FDIC).
---------------------------------------------------------------------------

    Whether activities are performed internally or via a third party, 
banking organizations are required to operate in a safe and sound 
manner \3\ and in compliance with applicable laws and regulations.\4\ A 
banking organization's use of third parties does not diminish its 
responsibility to meet these requirements to the same extent as if its 
activities were performed by the banking organization in-house. To 
operate in a safe and sound manner, a banking organization establishes 
risk management practices to effectively manage the risks arising from 
its activities, including from third-party relationships.\5\
---------------------------------------------------------------------------

    \3\ See 12 U.S.C. 1831p-1. The agencies implemented section 
1831p-1 by regulation through the ``Interagency Guidelines 
Establishing Standards for Safety and Soundness.'' See 12 CFR part 
30, appendix A (OCC), 12 CFR part 208, appendix D-1 (Board); and 12 
CFR part 364, appendix A (FDIC).
    \4\ References to applicable laws and regulations throughout 
this guidance include but are not limited to those designed to 
protect consumers (such as fair lending laws and prohibitions 
against unfair, deceptive or abusive acts or practices) and those 
addressing financial crimes.
    \5\ This guidance is relevant for all third-party relationships, 
including situations in which a supervised banking organization 
provides services to another supervised banking organization.
---------------------------------------------------------------------------

    This guidance addresses any business arrangement \6\ between a 
banking organization and another entity, by contract or otherwise. A 
third-party relationship may exist despite a lack of a contract or 
remuneration. Third-party relationships can include, but are not 
limited to, outsourced services, use of independent consultants, 
referral arrangements, merchant payment processing services, services 
provided by affiliates and subsidiaries, and joint ventures. Some 
banking organizations may form third-party relationships with new or 
novel structures and features--such as those observed in relationships 
with some financial technology (fintech) companies. The respective 
roles and responsibilities of a banking organization and a third party 
may differ, based on the specific circumstances of the relationship. 
Where the third-party relationship involves the provision of products 
or services to, or other interaction with, customers, the banking 
organization and the third party may have varying degrees of 
interaction with those customers.
---------------------------------------------------------------------------

    \6\ The term ``business arrangement'' is meant to be interpreted 
broadly and is synonymous with the term ``third-party 
relationship.''
---------------------------------------------------------------------------

    The use of third parties can offer banking organizations 
significant benefits, such as access to new technologies, human 
capital, delivery channels, products, services, and markets. However, 
the use of third parties can reduce a banking organization's direct 
control over activities and may introduce new risks or increase 
existing risks, such as operational, compliance, and strategic risks. 
Increased risk often arises from greater operational or technological 
complexity, newer or different types of relationships, or potential 
inferior performance by the third party. A banking organization can be 
exposed to adverse impacts, including substantial financial loss and 
operational disruption, if it fails to appropriately manage the risks 
associated with third-party relationships. Therefore, it is important 
for a banking organization to identify, assess, monitor, and control 
risks related to third-party relationships.
    The principles set forth in this guidance can support effective 
third-party risk management for all types of third-party relationships, 
regardless of how they may be structured. It is important for a banking 
organization to understand how the arrangement with a particular third 
party is structured so that the banking organization may assess the 
types and levels of risks posed and determine how to manage the third-
party relationship accordingly.

B. Risk Management

    Not all relationships present the same level of risk, and therefore 
not all relationships require the same level or type of oversight or 
risk management. As part of sound risk management, a banking 
organization analyzes the risks associated with each third-party 
relationship and tailors risk management practices, commensurate with 
the banking organization's size, complexity, and risk profile and with 
the nature of the third-party relationship. Maintaining a complete 
inventory of its third-party relationships and periodically conducting 
risk assessments for each third-party relationship supports a banking 
organization's determination of whether risks have changed over time 
and to update risk management practices accordingly.
    As part of sound risk management, banking organizations engage in 
more comprehensive and rigorous oversight and management of third-party 
relationships that support higher-risk activities, including critical 
activities. Characteristics of critical activities may include those 
activities that could:
     Cause a banking organization to face significant risk if 
the third party fails to meet expectations;
     Have significant customer impacts; or
     Have a significant impact on a banking organization's 
financial condition or operations.
    It is up to each banking organization to identify its critical 
activities and third-party relationships that support these critical 
activities. Notably, an activity that is critical for one banking 
organization may not be critical for another. Some banking 
organizations may assign a criticality or risk level to each third-
party relationship, whereas others identify critical activities and 
those third parties that support such activities. Regardless of a 
banking organization's approach, a key element

[[Page 37928]]

of effective risk management is applying a sound methodology to 
designate which activities and third-party relationships receive more 
comprehensive oversight.

C. Third-Party Relationship Life Cycle

    Effective third-party risk management generally follows a 
continuous life cycle for third-party relationships. The stages of the 
risk management life cycle of third-party relationships are shown in 
Figure 1 and detailed below. The degree to which the examples of 
considerations discussed in this guidance are relevant to each banking 
organization is based on specific facts and circumstances and these 
examples may not apply to all of a banking organization's third-party 
relationships.
    It is important to involve staff with the requisite knowledge and 
skills in each stage of the risk management life cycle. A banking 
organization may involve experts across disciplines, such as 
compliance, risk, or technology, as well as legal counsel, and may 
engage external support when helpful to supplement the qualifications 
and technical expertise of in-house staff.\7\
---------------------------------------------------------------------------

    \7\ When a banking organization uses a third-party assessment 
service or utility, it has a business arrangement with that entity. 
Therefore, the arrangement should be incorporated into the banking 
organization's third-party risk management processes.
[GRAPHIC] [TIFF OMITTED] TN09JN23.002

1. Planning
    As part of sound risk management, effective planning allows a 
banking organization to evaluate and consider how to manage risks 
before entering into a third-party relationship. Certain third parties, 
such as those that support a banking organization's higher-risk 
activities, including critical activities, typically warrant a greater 
degree of planning and consideration. For example, when critical 
activities are involved, plans may be presented to and approved by a 
banking organization's board of directors (or a designated board 
committee).
    Depending on the degree of risk and complexity of the third-party 
relationship, a banking organization typically considers the following 
factors, among others, in planning:
     Understanding the strategic purpose of the business 
arrangement and how the arrangement aligns with a banking 
organization's overall strategic goals, objectives, risk appetite, risk 
profile, and broader corporate policies;
     Identifying and assessing the benefits and the risks 
associated with the business arrangement and determining how to 
appropriately manage the identified risks;
     Considering the nature of the business arrangement, such 
as volume of activity, use of subcontractor(s), technology needed, 
interaction with customers, and use of foreign-based third parties; \8\
---------------------------------------------------------------------------

    \8\ The term ``foreign-based third-party'' refers to third 
parties whose servicing operations are located in a foreign country 
and subject to the law and jurisdiction of that country. 
Accordingly, this term does not include a U.S.-based subsidiary of a 
foreign firm because its servicing operations are subject to U.S. 
laws. This term does include U.S. third parties to the extent that 
their actual servicing operations are located in or subcontracted to 
entities domiciled in a foreign country and subject to the law and 
jurisdiction of that country.
---------------------------------------------------------------------------

     Evaluating the estimated costs, including estimated direct 
contractual costs and indirect costs expended to augment or alter 
banking organization staffing, systems, processes, and technology;
     Evaluating how the third-party relationship could affect 
banking organization employees, including dual

[[Page 37929]]

employees,\9\ and what transition steps are needed for the banking 
organization to manage the impacts when activities currently conducted 
internally are outsourced;
---------------------------------------------------------------------------

    \9\ Dual employees are employed by both the banking organization 
and the third party.
---------------------------------------------------------------------------

     Assessing a potential third party's impact on customers, 
including access to or use of those customers' information, third-party 
interaction with customers, potential for consumer harm, and handling 
of customer complaints and inquiries;
     Understanding potential information security implications, 
including access to the banking organization's systems and to its 
confidential information;
     Understanding potential physical security implications, 
including access to the banking organization's facilities;
     Determining how the banking organization will select, 
assess, and oversee the third party, including monitoring the third 
party's compliance with applicable laws, regulations, and contractual 
provisions, and requiring remediation of compliance issues that may 
arise;
     Determining the banking organization's ability to provide 
adequate oversight and management of the proposed third-party 
relationship on an ongoing basis (including whether staffing levels and 
expertise, risk management and compliance management systems, 
organizational structure, policies and procedures, or internal control 
systems need to be adapted over time for the banking organization to 
effectively address the business arrangement); and
     Outlining the banking organization's contingency plans in 
the event the banking organization needs to transition the activity to 
another third party or bring it in-house.
2. Due Diligence and Third-Party Selection
    Conducting due diligence on third parties before selecting and 
entering into third-party relationships is an important part of sound 
risk management. It provides management with the information needed 
about potential third parties to determine if a relationship would help 
achieve a banking organization's strategic and financial goals. The due 
diligence process also provides the banking organization with the 
information needed to evaluate whether it can appropriately identify, 
monitor, and control risks associated with the particular third-party 
relationship. Due diligence includes assessing the third party's 
ability to: perform the activity as expected, adhere to a banking 
organization's policies related to the activity, comply with all 
applicable laws and regulations, and conduct the activity in a safe and 
sound manner. Relying solely on experience with or prior knowledge of a 
third party is not an adequate proxy for performing appropriate due 
diligence, as due diligence should be tailored to the specific activity 
to be performed by the third party.
    The scope and degree of due diligence should be commensurate with 
the level of risk and complexity of the third-party relationship. More 
comprehensive due diligence is particularly important when a third 
party supports higher-risk activities, including critical activities. 
If a banking organization uncovers information that warrants additional 
scrutiny, the banking organization should consider broadening the scope 
or assessment methods of the due diligence.
    In some instances, a banking organization may not be able to obtain 
the desired due diligence information from a third party. For example, 
the third party may not have a long operational history, may not allow 
on-site visits, or may not share (or be permitted to share) information 
that a banking organization requests. While the methods and scope of 
due diligence may differ, it is important for the banking organization 
to identify and document any limitations of its due diligence, 
understand the risks from such limitations, and consider alternatives 
as to how to mitigate the risks. In such situations, a banking 
organization may, for example, obtain alternative information to assess 
the third party, implement additional controls on or monitoring of the 
third party to address the information limitation, or consider using a 
different third party.
    A banking organization may use the services of industry utilities 
or consortiums, consult with other organizations,\10\ or engage in 
joint efforts to supplement its due diligence. As the activity to be 
performed by the third party may present a different level of risk to 
each banking organization, it is important to evaluate the conclusions 
from such supplemental efforts based on the banking organization's own 
specific circumstances and performance criteria for the activity. 
Effective risk management processes include evaluating the capabilities 
of any external party conducting the supplemental efforts, 
understanding how such supplemental efforts relate to the banking 
organization's planned use of the third party, and assessing the risks 
of relying on the supplemental efforts. Use of such external parties to 
conduct supplemental due diligence does not abrogate the responsibility 
of the banking organization to manage third-party relationships in a 
safe and sound manner and consistent with applicable laws and 
regulations.
---------------------------------------------------------------------------

    \10\ Any collaborative activities among banks must comply with 
antitrust laws. Refer to the Federal Trade Commission and U.S. 
Department of Justice's ``Antitrust Guidelines for Collaborations 
Among Competitors'' (April 2000), available at https://www.ftc.gov/sites/default/files/documents/public_events/joint-venture-hearings-antitrust-guidelines-collaboration-among-competitors/ftcdojguidelines-2.pdf.
---------------------------------------------------------------------------

    Depending on the degree of risk and complexity of the third-party 
relationship, a banking organization typically considers the following 
factors, among others, as part of due diligence:
a. Strategies and Goals
    A review of the third party's overall business strategy and goals 
helps the banking organization to understand: (1) how the third party's 
current and proposed strategic business arrangements (such as mergers, 
acquisitions, and partnerships) may affect the activity; and (2) the 
third party's service philosophies, quality initiatives, and employment 
policies and practices (including its diversity policies and 
practices). Such information may assist a banking organization to 
determine whether the third party can perform the activity in a manner 
that is consistent with the banking organization's broader corporate 
policies and practices.
b. Legal and Regulatory Compliance
    A review of any legal and regulatory compliance considerations 
associated with engaging a third party allows a banking organization to 
evaluate whether it can appropriately mitigate risks associated with 
the third-party relationship. This may include (1) evaluating the third 
party's ownership structure (including identifying any beneficial 
ownership, whether public or private, foreign, or domestic ownership) 
and whether the third party has the necessary legal authority to 
perform the activity, such as any necessary licenses or corporate 
powers; (2) determining whether the third party itself or any owners 
are subject to sanctions by the Office of Foreign Assets Control; (3) 
determining whether the third party has the expertise, processes, and 
controls to enable the banking organization to remain in compliance 
with applicable domestic and international laws and

[[Page 37930]]

regulations; (4) considering the third party's responsiveness to any 
compliance issues (including violations of law or regulatory actions) 
with applicable supervisory agencies and self-regulatory organizations, 
as appropriate; and (5) considering whether the third party has 
identified, and articulated a process to mitigate, areas of potential 
consumer harm.
c. Financial Condition
    An assessment of a third party's financial condition through review 
of available financial information, including audited financial 
statements, annual reports, and filings with the U.S. Securities and 
Exchange Commission (SEC), among others, helps a banking organization 
evaluate whether the third party has the financial capability and 
stability to perform the activity. Where relevant and available, a 
banking organization may consider other types of information such as 
access to funds, expected growth, earnings, pending litigation, 
unfunded liabilities, reports from debt rating agencies, and other 
factors that may affect the third party's overall financial condition.
d. Business Experience
    An evaluation of a third party's: (1) depth of resources (including 
staffing); (2) previous experience in performing the activity; and (3) 
history of addressing customer complaints or litigation and subsequent 
outcomes, helps to inform a banking organization's assessment of the 
third party's ability to perform the activity effectively. Another 
consideration may include whether there have been significant changes 
in the activities offered or in its business model. Likewise, a review 
of the third party's websites, marketing materials, and other 
information related to banking products or services may help determine 
if statements and assertions accurately represent the activities and 
capabilities of the third party.
e. Qualifications and Backgrounds of Key Personnel and Other Human 
Resources Considerations
    An evaluation of the qualifications and experience of a third 
party's principals and other key personnel related to the activity to 
be performed provides insight into the capabilities of the third party 
to successfully perform the activities. An important consideration is 
whether the third party and the banking organization, as appropriate, 
periodically conduct background checks on the third party's key 
personnel and contractors who may have access to information technology 
systems or confidential information. Another important consideration is 
whether there are procedures in place for identifying and removing the 
third party's employees who do not meet minimum suitability 
requirements or are otherwise barred from working in the financial 
services sector. Another consideration is whether the third party has 
training to ensure that its employees understand their duties and 
responsibilities and are knowledgeable about applicable laws and 
regulations as well as other factors that could affect performance or 
pose risk to the banking organization. Finally, an evaluation of the 
third party's succession and redundancy planning for key personnel, and 
of the third party's processes for holding employees accountable for 
compliance with policies and procedures, provides valuable information 
to the banking organization.
f. Risk Management
    Appropriate due diligence includes an evaluation of the 
effectiveness of a third party's overall risk management, including 
policies, processes, and internal controls, and alignment with 
applicable policies and expectations of the banking organization 
surrounding the activity. This would include an assessment of the third 
party's governance processes, such as the establishment of clear roles, 
responsibilities, and segregation of duties pertaining to the activity. 
It is also important to consider whether the third party's controls and 
operations are subject to effective audit assessments, including 
independent testing and objective reporting of results and findings. 
Banking organizations also gain important insight by evaluating 
processes for escalating, remediating, and holding management 
accountable for concerns identified during audits, internal compliance 
reviews, or other independent tests, if available. When relevant and 
available, a banking organization may consider reviewing System and 
Organization Control (SOC) reports and any conformity assessment or 
certification by independent third parties related to relevant domestic 
or international standards.\11\ In such cases, the banking organization 
may also consider whether the scope and the results of the SOC reports, 
certifications, or assessments are relevant to the activity to be 
performed or suggest that additional scrutiny of the third party or any 
of its contractors may be appropriate.
---------------------------------------------------------------------------

    \11\ For example, those of the National Institute of Standards 
and Technology, Accredited Standards Committee X9, and the 
International Standards Organization.
---------------------------------------------------------------------------

g. Information Security
    Understanding potential information security implications, 
including access to a banking organization's systems and information, 
can help a banking organization decide whether or not to engage with a 
third party. Due diligence in this area typically involves assessing 
the third party's information security program, including its 
consistency with the banking organization's information security 
program, such as its approach to protecting the confidentiality, 
integrity, and availability of the banking organization's data. It may 
also involve determining whether there are any gaps that present risk 
to the banking organization or its customers and considering the extent 
to which the third party applies controls to limit access to the 
banking organization's data and transactions, such as multifactor 
authentication, end-to-end encryption, and secure source code 
management. It also aids a banking organization when determining 
whether the third party keeps informed of, and has sufficient 
experience in identifying, assessing, and mitigating, known and 
emerging threats and vulnerabilities. As applicable, assessing the 
third party's data, infrastructure, and application security programs, 
including the software development life cycle and results of 
vulnerability and penetration tests, can provide valuable information 
regarding information technology system vulnerabilities. Finally, due 
diligence can help a banking organization evaluate the third party's 
implementation of effective and sustainable corrective actions to 
address any deficiencies discovered during testing.
h. Management of Information Systems
    It is important to review and understand the third party's business 
processes and information systems that will be used to support the 
activity. When technology is a major component of the third-party 
relationship, an effective practice is to review both the banking 
organization's and the third party's information systems to identify 
gaps in service-level expectations, business process and management, 
and interoperability issues. It is also important to review the third 
party's processes for maintaining timely and accurate inventories of 
its technology and its contractor(s). A banking organization also 
benefits from understanding the third party's measures for assessing 
the performance of its information systems.

[[Page 37931]]

i. Operational Resilience
    An assessment of a third party's operational resilience practices 
supports a banking organization's evaluation of a third party's ability 
to effectively operate through and recover from any disruption or 
incidents, both internal and external.\12\ Such an assessment is 
particularly important where the impact of such disruption could have 
an adverse effect on the banking organization or its customers, 
including when the third party interacts with customers. It is 
important to assess options to employ if the third party's ability to 
perform the activity is impaired and to determine whether the third 
party maintains appropriate operational resilience and cybersecurity 
practices, including disaster recovery and business continuity plans 
that specify the time frame to resume activities and recover data. To 
gain additional insight into a third party's resilience capabilities, a 
banking organization may review (1) the results of operational 
resilience and business continuity testing and performance during 
actual disruptions; (2) the third party's telecommunications redundancy 
and resilience plans; and (3) preparations for known and emerging 
threats and vulnerabilities, such as wide-scale natural disasters, 
pandemics, distributed denial of service attacks, or other intentional 
or unintentional events. Other considerations related to operational 
resilience include (1) dependency on a single provider for multiple 
activities; and (2) interoperability or potential end of life issues 
with the software programming language, computer platform, or data 
storage technologies used by the third party.
---------------------------------------------------------------------------

    \12\ Disruptive events could include technology-based failures, 
human error, cyber incidents, pandemic outbreaks, and natural 
disasters.
---------------------------------------------------------------------------

j. Incident Reporting and Management Processes
    Review and consideration of a third party's incident reporting and 
management processes is helpful to determine whether there are clearly 
documented processes, timelines, and accountability for identifying, 
reporting, investigating, and escalating incidents. Such review assists 
in confirming that the third party's escalation and notification 
processes meet the banking organization's expectations and regulatory 
requirements.\13\
---------------------------------------------------------------------------

    \13\ For example, regulatory requirements regarding incident 
notification include the FBAs' ``Computer Security Incident 
Notification Rule.'' See 12 CFR 53 (OCC); 12 CFR 225, subpart N 
(Board); 12 CFR 304, subpart C (FDIC).
---------------------------------------------------------------------------

k. Physical Security
    It is important to evaluate whether the third party has sufficient 
physical and environmental controls to protect the safety and security 
of people (such as employees and customers), its facilities, technology 
systems, and data, as applicable. This would typically include a review 
of the third party's employee on- and off-boarding procedures to ensure 
that physical access rights are managed appropriately.
l. Reliance on Subcontractors \14\
---------------------------------------------------------------------------

    \14\ Third parties may enlist the help of suppliers, service 
providers, or other organizations, which this guidance collectively 
refers to as subcontractors.
---------------------------------------------------------------------------

    An evaluation of the volume and types of subcontracted activities 
and the degree to which the third party relies on subcontractors helps 
inform whether such subcontracting arrangements pose additional or 
heightened risk to a banking organization. This typically includes an 
assessment of the third party's ability to identify, manage, and 
mitigate risks associated with subcontracting, including how the third 
party selects and oversees its subcontractors and ensures that its 
subcontractors implement effective controls. Other important 
considerations include whether additional risk is presented by the 
geographic location of a subcontractor or dependency on a single 
provider for multiple activities.
m. Insurance Coverage
    An evaluation of whether the third party has existing insurance 
coverage helps a banking organization determine the extent to which 
potential losses are mitigated, including losses posed by the third 
party to the banking organization or that might prevent the third party 
from fulfilling its obligations to the banking organization. Such 
losses may be attributable to dishonest or negligent acts; fire, 
floods, or other natural disasters; loss of data; and other matters. 
Examples of insurance coverage may include fidelity bond; liability; 
property hazard and casualty; and areas that may not be covered under a 
general commercial policy, such as cybersecurity or intellectual 
property.
n. Contractual Arrangements With Other Parties
    A third party's commitments to other parties may introduce 
potential legal, financial, or operational implications to the banking 
organization. Therefore, it is important to obtain and evaluate 
information regarding the third party's legally binding arrangements 
with subcontractors or other parties to determine whether such 
arrangements may create or transfer risks to the banking organization 
or its customers.
3. Contract Negotiation
    When evaluating whether to enter into a relationship with a third 
party, a banking organization typically determines whether a written 
contract is needed, and if the proposed contract can meet the banking 
organization's business goals and risk management needs. After such 
determination, a banking organization typically negotiates contract 
provisions that will facilitate effective risk management and oversight 
and that specify the expectations and obligations of both the banking 
organization and the third party. A banking organization may tailor the 
level of detail and comprehensiveness of such contract provisions based 
on the risk and complexity posed by the particular third-party 
relationship.
    While third parties may initially offer a standard contract, a 
banking organization may seek to request modifications, additional 
contract provisions, or addendums to satisfy its needs. In difficult 
contract negotiations, including when a banking organization has 
limited negotiating power, it is important for the banking organization 
to understand any resulting limitations and consequent risks. Possible 
actions that a banking organization might take in such circumstances 
include determining whether the contract can still meet the banking 
organization's needs, whether the contract would result in increased 
risk to the banking organization, and whether residual risks are 
acceptable. If the contract is unacceptable for the banking 
organization, it may consider other approaches, such as employing other 
third parties or conducting the activity in-house. In certain 
circumstances, banking organizations may gain an advantage by 
negotiating contracts as a group with other organizations.
    It is important that a banking organization understand the benefits 
and risks associated with engaging third parties and particularly 
before executing contracts involving higher-risk activities, including 
critical activities. As part of its oversight responsibilities, the 
board of directors should be aware of and, as appropriate, may approve 
or delegate approval of contracts involving higher-risk activities. 
Legal counsel review may also be warranted prior to finalization.
    Periodic reviews of executed contracts allow a banking organization 
to confirm that existing provisions continue to address pertinent risk 
controls and legal

[[Page 37932]]

protections. If new risks are identified, a banking organization may 
consider renegotiating a contract.
    Depending on the degree of risk and complexity of the third-party 
relationship, a banking organization typically considers the following 
factors, among others, during contract negotiations:
a. Nature and Scope of Arrangement
    In negotiating a contract, it is helpful for a banking organization 
to clearly identify the rights and responsibilities of each party. This 
typically includes specifying the nature and scope of the business 
arrangement. Additional considerations may also include, as applicable, 
a description of (1) ancillary services such as software or other 
technology support, maintenance, and customer service; (2) the 
activities the third party will perform; and (3) the terms governing 
the use of the banking organization's information, facilities, 
personnel, systems, intellectual property, and equipment, as well as 
access to and use of the banking organization's or customers' 
information. If dual employees will be used, it may also be helpful to 
specify their responsibilities and reporting lines. It is also 
important for a banking organization to understand how changes in 
business and other circumstances may give rise to the third party's 
rights to terminate or renegotiate the contract.
b. Performance Measures or Benchmarks
    For certain relationships, clearly defined performance measures can 
assist a banking organization in evaluating the performance of a third 
party. In particular, a service-level agreement between the banking 
organization and the third party can help specify the measures 
surrounding the expectations and responsibilities for both parties, 
including conformance with policies and procedures and compliance with 
applicable laws and regulations. Such measures can be used to monitor 
performance, penalize poor performance, or reward outstanding 
performance. It is important to negotiate performance measures that do 
not incentivize imprudent performance or behavior, such as encouraging 
processing volume or speed without regard for accuracy, compliance 
requirements, or adverse effects on the banking organization or 
customers.
c. Responsibilities for Providing, Receiving, and Retaining Information
    It is important to consider contract provisions that specify the 
third party's obligation for retention and provision of timely, 
accurate, and comprehensive information to allow the banking 
organization to monitor risks and performance and to comply with 
applicable laws and regulations. Such provisions typically address:
     The banking organization's ability to access its data in 
an appropriate and timely manner;
     The banking organization's access to, or use of, the 
third-party's data and any supporting documentation, in connection with 
the business arrangement;
     The banking organization's access to, or use of, its own 
or the third-party's data and how such data and supporting 
documentation may be shared with regulators in a timely manner as part 
of the supervisory process;
     Whether the third party is permitted to resell, assign, or 
permit access to customer data, or the banking organization's data, 
metadata, and systems, to other entities;
     Notification to the banking organization whenever 
compliance lapses, enforcement actions, regulatory proceedings, or 
other events pose a significant risk to the banking organization or 
customers;
     Notification to the banking organization of significant 
strategic or operational changes, such as mergers, acquisitions, 
divestitures, use of subcontractors, key personnel changes, or other 
business initiatives that could affect the activities involved; and
     Specification of the type and frequency of reports to be 
received from the third party, as appropriate. This may include 
performance reports, financial reports, security reports, and control 
assessments.
d. The Right To Audit and Require Remediation
    To help ensure that a banking organization has the ability to 
monitor the performance of a third party, a contract often establishes 
the banking organization's right to audit and provides for remediation 
when issues are identified. Generally, a contract includes provisions 
for periodic, independent audits of the third party and its relevant 
subcontractors, consistent with the risk and complexity of the third-
party relationship. Therefore, it would be appropriate to consider 
whether contract provisions describe the types and frequency of audit 
reports the banking organization is entitled to receive from the third 
party (for example, SOC reports, Payment Card Industry (PCI) compliance 
reports, or other financial and operational reviews). Such contract 
provisions may also reserve the banking organization's right to conduct 
its own audits of the third party's activities or to engage an 
independent party to perform such audits.
e. Responsibility for Compliance With Applicable Laws and Regulations
    A banking organization is responsible for conducting its activities 
in compliance with applicable laws and regulations, including those 
activities involving third parties. The use of third parties does not 
abrogate these responsibilities. Therefore, it is important for a 
contract to specify the obligations of the third party and the banking 
organization to comply with applicable laws and regulations. It is also 
important for the contract to provide the banking organization with the 
right to monitor and be informed about the third party's compliance 
with applicable laws and regulations, and to require timely remediation 
if issues arise. Contracts may also reflect considerations of relevant 
guidance and self-regulatory standards, where applicable.
f. Costs and Compensation
    Contracts that clearly describe all costs and compensation 
arrangements help reduce misunderstandings and disputes over billing 
and help ensure that all compensation arrangements are consistent with 
sound banking practices and applicable laws and regulations. Contracts 
commonly describe compensation and fees, including cost schedules, 
calculations for base services, and any fees based on volume of 
activity and for special requests. Contracts also may specify the 
conditions under which the cost structure may be changed, including 
limits on any cost increases. During negotiations, a banking 
organization should confirm that a contract does not include incentives 
that promote inappropriate risk taking by the banking organization or 
the third party. A banking organization should also consider whether 
the contract includes burdensome upfront or termination fees, or 
provisions that may require the banking organization to reimburse the 
third party. Appropriate provisions indicate which party is responsible 
for payment of legal, audit, and examination fees associated with the 
activities involved. Another consideration is outlining cost and 
responsibility for purchasing and maintaining hardware and software, 
where applicable.
g. Ownership and License
    In order to prevent disputes between the parties regarding the 
ownership and licensing of a banking organization's

[[Page 37933]]

property, it is common for a contract to state the extent to which the 
third party has the right to use the banking organization's 
information, technology, and intellectual property, such as the banking 
organization's name, logo, trademark, and copyrighted material. 
Provisions that indicate whether any data generated by the third party 
become the banking organization's property help avert 
misunderstandings. It is also important to include appropriate 
warranties on the part of the third party related to its acquisition of 
licenses or subscriptions for use of any intellectual property 
developed by other third parties. When the banking organization 
purchases software, it is important to consider a provision to 
establish escrow agreements to provide for the banking organization's 
access to source code and programs under certain conditions (for 
example, insolvency of the third party).
h. Confidentiality and Integrity
    With respect to contracts with third parties, there may be 
increased risks related to the sensitivity of non-public information or 
access to infrastructure. Effective contracts typically prohibit the 
use and disclosure of banking organization and customer information by 
a third party and its subcontractors, except as necessary to provide 
the contracted activities or comply with legal requirements. If the 
third party receives personally identifiable information, contract 
provisions are important to ensure that the third party implements and 
maintains appropriate security measures to comply with applicable laws 
and regulations.
    Another important provision is one that specifies when and how the 
third party will disclose, in a timely manner, information security 
breaches or unauthorized intrusions. Considerations may include the 
types of data stored by the third party, legal obligations for the 
banking organization to disclose the breach to its regulators or 
customers, the potential for consumer harm, or other factors. Such 
provisions typically stipulate that the data intrusion notification to 
the banking organization include estimates of the effects on the 
banking organization and its customers and specify corrective action to 
be taken by the third party. They also address the powers of each party 
to change security and risk management procedures and requirements and 
resolve any confidentiality and integrity issues arising out of shared 
use of facilities owned by the third party. Typically, such provisions 
stipulate whether and how often the banking organization and the third 
party will jointly practice incident management exercises involving 
unauthorized intrusions or other breaches of confidentiality and 
integrity.
i. Operational Resilience and Business Continuity
    Both internal and external factors or incidents (for example, 
natural disasters or cyber incidents) may affect a banking organization 
or a third party and thereby disrupt the third party's performance of 
the activity. Consequently, an effective contract provides for 
continuation of the activity in the event of problems affecting the 
third party's operations, including degradations or interruptions in 
delivery. As such, it is important for the contract to address the 
third party's responsibility for appropriate controls to support 
operational resilience of the services, such as protecting and storing 
programs, backing up datasets, addressing cybersecurity issues, and 
maintaining current and sound business resumption and business 
continuity plans.
    To help ensure maintenance of operations, contracts often require 
the third party to provide the banking organization with operating 
procedures to be carried out in the event business continuity plans are 
implemented, including specific recovery time and recovery point 
objectives. Contracts may also stipulate whether and how often the 
banking organization and the third party will jointly test business 
continuity plans. Another consideration is whether the contract 
provides for the transfer of the banking organization's accounts, data, 
or activities to another third party without penalty in the event of 
the third party's bankruptcy, business failure, or business 
interruption.
j. Indemnification and Limits on Liability
    Incorporating indemnification provisions into a contract may reduce 
the potential for a banking organization to be held liable for claims 
and be reimbursed for damages arising from a third party's misconduct, 
including negligence and violations of laws and regulations. As such, 
it is important to consider whether indemnification clauses specify the 
extent to which the banking organization will be held liable for claims 
or be reimbursed for damages based on the failure of the third party or 
its subcontractor to perform, including failure of the third party to 
obtain any necessary intellectual property licenses. Such consideration 
typically includes an assessment of whether any limits on liability are 
in proportion to the amount of loss the banking organization might 
experience as a result of third-party failures, or whether 
indemnification clauses require the banking organization to hold the 
third party harmless from liability.
k. Insurance
    One way in which a banking organization can protect itself against 
losses caused by or related to a third party and the products and 
services provided through third-party relationships is by including 
insurance requirements in a contract. These provisions typically 
require the third party to (1) maintain specified types and amounts of 
insurance (including, if appropriate, naming the banking organization 
as insured or additional insured); (2) notify the banking organization 
of material changes to coverage; and (3) provide evidence of coverage, 
as appropriate. The type and amount of insurance coverage should be 
commensurate with the risk of possible losses, including those caused 
by the third party to the banking organization or that might prevent 
the third party from fulfilling its obligations to the banking 
organization, and the activities performed.
l. Dispute Resolution
    Disputes regarding a contract can delay or otherwise have an 
adverse impact upon the activities performed by a third party, which 
may negatively affect the banking organization. Therefore, a banking 
organization may want to consider whether the contract should establish 
a dispute resolution process to resolve problems between the banking 
organization and the third party in an expeditious manner, and whether 
the third party should continue to provide activities to the banking 
organization during the dispute resolution period. It is important to 
also understand whether the contract contains provisions that may 
impact the banking organization's ability to resolve disputes in a 
satisfactory manner, such as provisions addressing arbitration or forum 
selection.
m. Customer Complaints
    Where customer interaction is an important aspect of the third-
party relationship, a banking organization may find it useful to 
include a contract provision to ensure that customer complaints and 
inquiries are handled properly. Effective contracts typically specify 
whether the banking organization or the third party is responsible for 
responding to customer complaints or inquiries. If it is the third 
party's responsibility, it is important to include provisions for the 
third party to receive and respond to customer

[[Page 37934]]

complaints and inquiries in a timely manner and to provide the banking 
organization with sufficient, timely, and usable information to analyze 
customer complaint and inquiry activity and associated trends. If it is 
the banking organization's responsibility, it is important to include 
provisions for the banking organization to receive prompt notification 
from the third party of any complaints or inquiries received by the 
third party.
n. Subcontracting
    Third-party relationships may involve subcontracting arrangements, 
which can result in risk due to the absence of a direct relationship 
between the banking organization and the subcontractor, further 
lessening the banking organization's direct control of activities. The 
impact on a banking organization's ability to assess and control risks 
may be especially important if the banking organization uses third 
parties for higher-risk activities, including critical activities. For 
this reason, a banking organization may want to address when and how 
the third party should notify the banking organization of its use or 
intent to use a subcontractor and whether specific subcontractors are 
prohibited by the banking organization. Another important consideration 
is whether the contract should prohibit assignment, transfer, or 
subcontracting of the third party's obligations to another entity 
without the banking organization's consent. Where subcontracting is 
integral to the activity being performed for the banking organization, 
it is important to consider more detailed contractual obligations, such 
as reporting on the subcontractor's conformance with performance 
measures, periodic audit results, and compliance with laws and 
regulations. Where appropriate, a banking organization may consider 
including a provision that states the third party's liability for 
activities or actions by its subcontractors and which party is 
responsible for the costs and resources required for any additional 
monitoring and management of the subcontractors. It may also be 
appropriate to reserve the right to terminate the contract without 
penalty if the third party's subcontracting arrangements do not comply 
with contractual obligations.
o. Foreign-Based Third Parties
    In contracts with foreign-based third parties, it is important to 
consider choice-of-law and jurisdictional provisions that provide 
dispute adjudication under the laws of a single jurisdiction, whether 
in the United States or elsewhere. When engaging with foreign-based 
third parties, or where contracts include a choice-of-law provision 
that includes a jurisdiction other than the United States, it is 
important to understand that such contracts and covenants may be 
subject to the interpretation of foreign courts relying on laws in 
those jurisdictions. It may be warranted to seek legal advice on the 
enforceability of the proposed contract with a foreign-based third 
party and other legal ramifications, including privacy laws and cross-
border flow of information.
p. Default and Termination
    Contracts can protect the ability of the banking organization to 
change third parties when appropriate without undue restrictions, 
limitations, or cost. An effective contract stipulates what constitutes 
default, identifies remedies, allows opportunities to cure defaults, 
and establishes the circumstances and responsibilities for termination. 
Therefore, it is important to consider including contractual provisions 
that:
     Provide termination and notification requirements with 
reasonable time frames to allow for the orderly transition of the 
activity, when desired or necessary, without prohibitive expense;
     Provide for the timely return or destruction of the 
banking organization's data, information, and other resources;
     Assign all costs and obligations associated with 
transition and termination; and
     Enable the banking organization to terminate the 
relationship with reasonable notice and without penalty, if formally 
directed by the banking organization's primary federal banking 
regulator.
q. Regulatory Supervision
    For relevant third-party relationships, it is important for 
contracts to stipulate that the performance of activities by third 
parties for the banking organization is subject to regulatory 
examination and oversight, including appropriate retention of, and 
access to, all relevant documentation and other materials.\15\ This can 
help ensure that a third party is aware of its role and potential 
liability in its relationship with a banking organization.
---------------------------------------------------------------------------

    \15\ See 12 U.S.C. 1464(d)(7)(D) and 1867(c)(1).
---------------------------------------------------------------------------

4. Ongoing Monitoring
    Ongoing monitoring enables a banking organization to: (1) confirm 
the quality and sustainability of a third party's controls and ability 
to meet contractual obligations; (2) escalate significant issues or 
concerns, such as material or repeat audit findings, deterioration in 
financial condition, security breaches, data loss, service 
interruptions, compliance lapses, or other indicators of increased 
risk; and (3) respond to such significant issues or concerns when 
identified.
    Effective third-party risk management includes ongoing monitoring 
throughout the duration of a third-party relationship, commensurate 
with the level of risk and complexity of the relationship and the 
activity performed by the third party. Ongoing monitoring may be 
conducted on a periodic or continuous basis, and more comprehensive or 
frequent monitoring is appropriate when a third-party relationship 
supports higher-risk activities, including critical activities. Because 
both the level and types of risks may change over the lifetime of 
third-party relationships, banking organizations may adapt their 
ongoing monitoring practices accordingly, including changes to the 
frequency or type of information used in monitoring.
    Typical monitoring activities include: (1) review of reports 
regarding the third party's performance and the effectiveness of its 
controls; (2) periodic visits and meetings with third-party 
representatives to discuss performance and operational issues; and (3) 
regular testing of the banking organization's controls that manage 
risks from its third-party relationships, particularly when supporting 
higher-risk activities, including critical activities. In certain 
circumstances, based on risk, a banking organization may also perform 
direct testing of the third party's own controls. To gain efficiencies 
or leverage specialized expertise, banking organizations may engage 
external resources, refer to conformity assessments or certifications, 
or collaborate when performing ongoing monitoring.\16\ To support 
effective monitoring, a banking organization dedicates sufficient 
staffing with the necessary expertise, authority, and accountability to 
perform a range of ongoing monitoring activities, such as those 
described above.
---------------------------------------------------------------------------

    \16\ Refer to important considerations discussed in ``Due 
Diligence and Third-Party Selection'' of this guidance when a 
banking organization chooses to engage external resources to 
supplement its third-party risk management.
---------------------------------------------------------------------------

    Depending on the degree of risk and complexity of the third-party 
relationship, a banking organization typically considers the following 
factors, among others, as part of ongoing monitoring:

[[Page 37935]]

     The overall effectiveness of the third-party relationship, 
including its consistency with the banking organization's strategic 
goals, business objectives, risk appetite, risk profile, and broader 
corporate policies;
     Changes to the third party's business strategy and its 
agreements with other entities that may pose new or increased risks or 
impact the third party's ability to meet contractual obligations;
     Changes in the third party's financial condition, 
including its financial obligations to others;
     Changes to, or lapses in, the third party's insurance 
coverage;
     Relevant audits, testing results, and other reports that 
address whether the third party remains capable of managing risks and 
meeting contractual obligations and regulatory requirements;
     The third party's ongoing compliance with applicable laws 
and regulations and its performance as measured against contractual 
obligations;
     Changes in the third party's key personnel involved in the 
activity;
     The third party's reliance on, exposure to, and use of 
subcontractors, the location of subcontractors (and any related data), 
and the third party's own risk management processes for monitoring 
subcontractors;
     Training provided to employees of the banking organization 
and the third party;
     The third party's response to changing threats, new 
vulnerabilities, and incidents impacting the activity, including any 
resulting adjustments to the third party's operations or controls;
     The third party's ability to maintain the confidentiality, 
availability, and integrity of the banking organization's systems, 
information, and data, as well as customer data, where applicable;
     The third party's response to incidents, business 
continuity and resumption plans, and testing results to evaluate the 
third party's ability to respond to and recover from service 
disruptions or degradations;
     Factors and conditions external to the third party that 
could affect its performance and financial and operational standing, 
such as changing laws, regulations, and economic conditions; and
     The volume, nature, and trends of customer inquiries and 
complaints, the adequacy of the third party's responses (if responsible 
for handling customer inquiries or complaints), and any resulting 
remediation.
5. Termination
    A banking organization may terminate a relationship for various 
reasons, such as expiration or breach of the contract, the third 
party's failure to comply with applicable laws or regulations, or a 
desire to seek an alternate third party, bring the activity in-house, 
or discontinue the activity. When this occurs, it is important for 
management to terminate relationships in an efficient manner, whether 
the activities are transitioned to another third party, brought in-
house, or discontinued. Depending on the degree of risk and complexity 
of the third-party relationship, a banking organization typically 
considers the following factors, among others, to facilitate 
termination:
     Options for an effective transition of services, such as 
potential alternate third parties to perform the activity;
     Relevant capabilities, resources, and the time frame 
required to transition the activity to another third party or bring in-
house while still managing legal, regulatory, customer, and other 
impacts that might arise;
     Costs and fees associated with termination;
     Managing risks associated with data retention and 
destruction, information system connections and access control, or 
other control concerns that require additional risk management and 
monitoring after the end of the third-party relationship;
     Handling of joint intellectual property; and
     Managing risks to the banking organization, including any 
impact on customers, if the termination happens as a result of the 
third party's inability to meet expectations.

D. Governance

    There are a variety of ways for banking organizations to structure 
their third-party risk management processes. Some banking organizations 
disperse accountability for their third-party risk management processes 
among their business lines.\17\ Other banking organizations may 
centralize the processes under their compliance, information security, 
procurement, or risk management functions. Regardless of how a banking 
organization structures its process, the following practices are 
typically considered throughout the third-party risk management life 
cycle,\18\ commensurate with risk and complexity.
---------------------------------------------------------------------------

    \17\ Each applicable business line can provide valuable input 
into the third-party risk management process, for example, by 
completing risk assessments, reviewing due diligence information, 
and evaluating the controls over the third-party relationship.
    \18\ Refer to Figure 1: Stages of the Risk Management Life 
Cycle.
---------------------------------------------------------------------------

1. Oversight and Accountability
    Proper oversight and accountability are important aspects of third-
party risk management because they help enable a banking organization 
to minimize adverse financial, operational, or other consequences. A 
banking organization's board of directors has ultimate responsibility 
for providing oversight for third-party risk management and holding 
management accountable. The board also provides clear guidance 
regarding acceptable risk appetite, approves appropriate policies, and 
ensures that appropriate procedures and practices have been 
established. A banking organization's management is responsible for 
developing and implementing third-party risk management policies, 
procedures, and practices, commensurate with the banking organization's 
risk appetite and the level of risk and complexity of its third-party 
relationships.
    In carrying out its responsibilities, the board of directors (or a 
designated board committee) typically considers the following factors, 
among others:
     Whether third-party relationships are managed in a manner 
consistent with the banking organization's strategic goals and risk 
appetite and in compliance with applicable laws and regulations;
     Whether there is appropriate periodic reporting on the 
banking organization's third-party relationships, such as the results 
of management's planning, due diligence, contract negotiation, and 
ongoing monitoring activities; and
     Whether management has taken appropriate actions to remedy 
significant deterioration in performance or address changing risks or 
material issues identified, including through ongoing monitoring and 
independent reviews.
    When carrying out its responsibilities, management typically 
performs the following activities, among others:
     Integrating third-party risk management with the banking 
organization's overall risk management processes;
     Directing planning, due diligence, and ongoing monitoring 
activities;
     Reporting periodically to the board (or designated 
committee), as appropriate, on third-party risk management activities;
     Providing that contracts with third parties are 
appropriately reviewed, approved, and executed;

[[Page 37936]]

     Establishing appropriate organizational structures and 
staffing (level and expertise) to support the banking organization's 
third-party risk management processes;
     Implementing and maintaining an appropriate system of 
internal controls to manage risks associated with third-party 
relationships;
     Assessing whether the banking organization's compliance 
management system is appropriate to the nature, size, complexity, and 
scope of its third-party relationships;
     Determining whether the banking organization has 
appropriate access to data and information from its third parties;
     Escalating significant issues to the board and monitoring 
any resulting remediation, including actions taken by the third party; 
and
     Terminating business arrangements with third parties when 
they do not meet expectations or no longer align with the banking 
organization's strategic goals, objectives, or risk appetite.
2. Independent Reviews
    It is important for a banking organization to conduct periodic 
independent reviews to assess the adequacy of its third-party risk 
management processes. Such reviews typically consider the following 
factors, among others:
     Whether the third-party relationships align with the 
banking organization's business strategy, and with internal policies, 
procedures, and standards;
     Whether risks of third-party relationships are identified, 
measured, monitored, and controlled;
     Whether the banking organization's processes and controls 
are designed and operating adequately;
     Whether appropriate staffing and expertise are engaged to 
perform risk management activities throughout the third-party risk 
management life cycle, including involving multiple disciplines across 
the banking organization, as appropriate; and
     Whether conflicts of interest or appearances of conflicts 
of interest are avoided or eliminated when selecting or overseeing 
third parties.
    A banking organization may use the results of independent reviews 
to determine whether and how to adjust its third-party risk management 
process, including its policies, reporting, resources, expertise, and 
controls. It is important that management respond promptly and 
thoroughly to issues or concerns identified and escalate them to the 
board, as appropriate.
3. Documentation and Reporting
    It is important that a banking organization properly document and 
report on its third-party risk management process and specific third-
party relationships throughout their life cycle. Documentation and 
reporting, key elements that assist those within or outside the banking 
organization who conduct control activities, will vary among banking 
organizations depending on the risk and complexity of their third-party 
relationships. Examples of processes that support effective 
documentation and internal reporting that the agencies have observed 
include, but are not limited to:
     A current inventory of all third-party relationships (and, 
as appropriate to the risk presented, related subcontractors) that 
clearly identifies those relationships associated with higher-risk 
activities, including critical activities;
     Planning and risk assessments related to the use of third 
parties;
     Due diligence results and recommendations;
     Executed contracts;
     Remediation plans and related reports addressing the 
quality and sustainability of the third party's controls;
     Risk and performance reports required and received from 
the third party as part of ongoing monitoring;
     If applicable, reports related to customer complaint and 
inquiry monitoring, and any subsequent remediation reports;
     Reports from third parties of service disruptions, 
security breaches, or other events that pose, or may pose, a material 
risk to the banking organization;
     Results of independent reviews; and
     Periodic reporting to the board (including, as applicable, 
dependency on a single provider for multiple activities).

E. Supervisory Reviews of Third-Party Relationships

    The concepts discussed in this guidance are relevant for all third-
party relationships and are provided to banking organizations to assist 
in the tailoring and implementation of risk management practices 
commensurate to each banking organization's size, complexity, risk 
profile, and the nature of its third-party relationships. Each agency 
will review its supervised banking organizations' risk management of 
third-party relationships as part of its standard supervisory 
processes. Supervisory reviews will evaluate risks and the 
effectiveness of risk management to determine whether activities are 
conducted in a safe and sound manner and in compliance with applicable 
laws and regulations.
    In their evaluations of a banking organization's third-party risk 
management, examiners consider that banking organizations engage in a 
diverse set of third-party relationships, that not all third-party risk 
relationships present the same risks, and that banking organizations 
accordingly tailor their practices to the risks presented. Thus, the 
scope of the supervisory review depends on the degree of risk and the 
complexity associated with the banking organization's activities and 
third-party relationships. When reviewing third-party risk management 
processes, examiners typically conduct the following activities, among 
others:
     Assess the ability of the banking organization's 
management to oversee and manage the banking organization's third-party 
relationships;
     Assess the impact of third-party relationships on the 
banking organization's risk profile and key aspects of financial and 
operational performance, including compliance with applicable laws and 
regulations;
     Perform transaction testing or review results of testing 
to evaluate the activities performed by the third party and assess 
compliance with applicable laws and regulations;
     Highlight and discuss any material risks and deficiencies 
in the banking organization's risk management process with senior 
management and the board of directors as appropriate;
     Review the banking organization's plans for appropriate 
and sustainable remediation of any deficiencies, particularly those 
associated with the oversight of third parties that involve critical 
activities; and
     Consider supervisory findings when assigning the 
components of the applicable rating system and highlight any material 
risks and deficiencies in the Report of Examination.
    When circumstances warrant, an agency may use its legal authority 
to examine functions or operations that a third party performs on a 
banking organization's behalf. Such examinations may evaluate the third 
party's ability to fulfill its obligations in a safe and sound manner 
and comply with applicable laws and regulations, including those 
designed to protect customers and to provide fair access to financial 
services. The agencies may pursue corrective measures, including 
enforcement actions, when necessary to address violations of laws and 
regulations or unsafe or unsound

[[Page 37937]]

banking practices by the banking organization or its third party.

Michael J. Hsu,
Acting Comptroller of the Currency.
    By order of the Board of Governors of the Federal Reserve 
System.
Ann E. Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on June 1, 2023.
James P. Sheesley,
Assistant Executive Secretary.
[FR Doc. 2023-12340 Filed 6-8-23; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P