On May 3, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (collectively, the agencies) released a guidebook aimed at assisting community banks in managing risks associated with third-party relationships (the TPRM Guide). The TPRM Guide builds upon the principles introduced in the third-party risk management guidance for banking organizations issued by the agencies in June 2023 (the June 2023 Guidance, discussed here) as well as the agencies’ community bank guide for conducting due diligence on fintech companies from October 2023 (discussed here) but does not displace or substitute for that prior guidance.

As the TPRM Guide explains, third-party relationships can provide community banks with access to new technologies, risk-management tools, human capital, delivery channels, products, services, and markets. However, these relationships also introduce new risks or amplify existing ones, including operational, compliance, financial, and strategic risks. To that end, the TPRM Guide is consistent with the June 2023 Guidance — i.e., community banks must identify, assess, monitor, and control these risks to ensure their activities are performed safely, soundly, and in compliance with applicable laws and regulations (including fair lending and BSA/AML compliance).

Furthermore, and in keeping with the June 2023 Guidance, the TPRM Guide recognizes several key points: (1) not all third-party relationships present the same level of risk, and therefore not all relationships require the same level of oversight; (2) more rigorous risk-management practices should be applied to third parties that support higher-risk activities, including activities that are critical to bank operations; and (3) effective third-party risk management should follow a continuous life cycle for third-party relationships (i.e., a five-stage life cycle inclusive of planning, due diligence/third-party selection, contract negotiation, ongoing monitoring, and termination).

Community banks have some unique pain points with TPRM, largely related to their large (and growing) regulatory burden, which they increasingly manage with fewer resources. Smaller banks typically lack in-house subject matter expertise and have a growing technology gap when compared to much larger banks and tech companies. Although the TPRM Guide is directed at community banks, all banks can gain additional perspective by reviewing the TPRM Guide, including its case studies and relevant considerations across the TPRM life cycle. It is clear that the agencies have put serious thought into these considerations (and likely solicited input directly from their third-party risk management exam teams).

However, it is worth remembering last year’s statement by Federal Reserve Governor Bowman (available here). Governor Bowman did not support the June 2023 Guidance and, in fact, called for more clarity and focus on regulatory burdens faced by community banks. To that end, the TPRM Guide does provide additional clarity regarding implementation of third-party risk management. But it fails to tackle a common concern of community bankers: how to meet requisite due diligence and ongoing monitoring demands, especially with larger vendors? Likely, that problem is not something to be solved by agency guidance and, for that reason, the market will continue searching for ways to help community banks mitigate regulatory burdens using thoughtful and comprehensive risk management solutions.