On May 3, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (collectively, the agencies) released a guidebook aimed at assisting community banks in managing risks associated with third-party relationships (the TPRM Guide). The TPRM Guide builds upon the principles introduced in the third-party risk management guidance for banking organizations issued by the agencies in June 2023 (the June 2023 Guidance, discussed here) as well as the agencies’ community bank guide for conducting due diligence on fintech companies from October 2023 (discussed here) but does not displace or substitute for that prior guidance.

As the TPRM Guide explains, third-party relationships can provide community banks with access to new technologies, risk-management tools, human capital, delivery channels, products, services, and markets. However, these relationships also introduce new risks or amplify existing ones, including operational, compliance, financial, and strategic risks. To that end, the TPRM Guide is consistent with the June 2023 Guidance — i.e., community banks must identify, assess, monitor, and control these risks to ensure their activities are performed safely, soundly, and in compliance with applicable laws and regulations (including fair lending and BSA/AML compliance).

Furthermore, and in keeping with the June 2023 Guidance, the TPRM Guide recognizes several key points: (1) not all third-party relationships present the same level of risk, and therefore not all relationships require the same level of oversight; (2) more rigorous risk-management practices should be applied to third parties that support higher-risk activities, including activities that are critical to bank operations; and (3) effective third-party risk management should follow a continuous life cycle for third-party relationships (i.e., a five-stage life cycle inclusive of planning, due diligence/third-party selection, contract negotiation, ongoing monitoring, and termination).

Community banks have some unique pain points with TPRM largely related to their large (and growing) regulatory burden, which they increasingly manage with fewer resources. Smaller banks typically lack in-house subject matter expertise, and have a growing technology gap when compared to much larger banks and tech companies. Although the TPRM Guide is directed at community banks, all banks can gain additional perspective by reviewing the TPRM Guide, including its case studies and relevant considerations across the TPRM life cycle. It is clear that the agencies have put serious thought into these considerations (and likely solicited input directly from their third-party risk management exam teams).

However, it is worth remembering last year’s statement by Federal Reserve Governor Bowman (available here). Governor Bowman did not support the June 2023 Guidance and, in fact, called for more clarity and focus on regulatory burdens faced by community banks. To that end, the TPRM Guide does provide additional clarity regarding implementation of third-party risk management. But it fails to tackle a common concern of community bankers: how to meet requisite due diligence and ongoing monitoring demands, especially with larger vendors? Likely, that problem is not something to be solved by agency guidance and, for that reason, the market will continue searching for ways to help community banks mitigate regulatory burdens using thoughtful and comprehensive risk management solutions.

Gregory Parisi

Greg leverages his broad experience and pragmatic approach, bringing a wealth of knowledge, business insight and practical problem-solving skills to efficiently manage transactions and advise clients in an evolving legal landscape. He combines his corporate and transactional experience with a robust knowledge of bank regulatory issues to provide valued legal solutions for financial institutions, financial technology companies and other businesses. Greg often works closely with clients to design and implement internal policies and procedures and contractual safeguards in commercial arrangements in connection with corporate and regulatory requirements and risk management best practices.

Alexandra Barrage

Alex draws on her experience as a former FDIC executive and comprehensive knowledge of bank regulations to advise a wide array of banks and technology companies. She is a sought-after advisor on complex supervisory, regulatory, payments, and transactional issues.

Matthew Bornfreund

Matthew provides comprehensive guidance to clients on a wide range of regulatory, transactional, and compliance matters, helping them to advance their operational goals and launch new products and services. His clients include domestic and international traditional and nontraditional banks, as well as fintechs, private equity funds, and payment services firms.