Senior US officials criticise new third-party risk guidance

The US Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency released final guidance on third-party risks on June 6.

The Final Interagency Guidance on Third-Party Relationships said though third parties could introduce new technology to the banking industry, they can also cause “operational, compliance and strategic risks”. Banking organisations, the guidance argued, can be subject to “substantial financial loss and operational disruption” if third-party risks are not properly mitigated.

“A banking organisation’s use of third parties does not diminish its responsibility to meet [regulatory] requirements to the same extent as if its activities were performed by the banking organisation in-house,” said the guidance.

It also stated sound risk management tailors banking practices to the size of the bank and the third-party provider, and explicitly included fintech-bank relationships.

The guidance also illustrated how collective bargaining power by banks can be used to reduce risk from third parties. It intends to give smaller banks the appropriate guidance to collectively bargain for risk management procedures.

The three agencies said they would tailor their supervisory approach similarly. “The scope of supervisory reviews of a banking organisation’s third-party risk management will similarly be tailored based on the degree of risk and the complexity,” said the memo to the Fed’s Board of Governors.

The agencies sought to dissuade banks from contracting out critical activities. “As part of its oversight responsibilities, the board of directors should be aware of and, as appropriate, may approve or delegate approval of contracts involving higher-risk activities. Legal counsel review may also be warranted prior to finalisation,” they said.

High-level criticism

Senior officials from the Fed and the FDIC spoke out against what they said was ambiguity in the guidance.

Fed governor Michelle Bowman criticised the guidance, calling it part of a pattern deviating from “the risk-based, tailored approach to supervising and regulating banks”.

“I cannot support this interagency guidance”, she said, and added the Fed’s past guidance, which was replaced by the latest version, was supplemented by tools and aids no longer present.

Bowman said the final guidance “does not provide the necessary clarity or supplemental tools to facilitate small bank implementation”. The agencies said they plan to engage with and develop related resources for community banks “in the near future”.

But she lamented the agencies did not provide a timeline for this. “This leaves one to wonder why the rush to publish without appropriate tools available for small banks,” she said. Community bank guidance, she argued, should have been developed concurrently.

The final guidance, she warned, “leaves uncertainty about whether community banks can rely on the previous guidance, tools, and feedback provided by examiners on third-party risk management in the past”.

She criticised the guidance as a one-size-fits-all approach. “My expectation is that community banks will find the new guidance challenging to implement,” she said. “I am disappointed that the agencies failed to make the upfront investment to reduce unnecessary confusion and burden on community banks.”

Jonathan McKernan, a member of the FDIC board of directors, also took issue with the final guidance. He said the original proposal in July 2021 excluded bank customer relationships from the scope of third-party regulation and supervision.

“Today’s final joint guidance has removed the proposal’s exclusion of customer relationships. According to the agencies, this change ‘is intended to reduce ambiguity’. In my view, the exclusion’s removal itself creates ambiguity,” said McKernan. “The final guidance is now unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services.”

The FDIC released a letter to financial institutions which sought to clarify the confusion.

“Relationships that are only between banks and their direct customers of traditional bank products and services (such as deposit accounts or retail or commercial loans) would not be addressed in a third-party risk management framework,” it said. These were “covered by the various risk management processes and rules that apply to traditional lending and deposit relationships”.

But McKernan took issue with the overall message. “I am pleased the FDIC has taken this step, and would look forward to hearing views as to whether this clarification adequately addresses the issue,” he said. He echoed Bowman by arguing that separate resources for community banks should be developed “as soon as practicable.”

Officials warn over third parties

The chief operating officer of the Bank of Canada and an executive board member of the Deutsche Bundesbank recently told Central Banking third parties foster concentration risks.

The officials said concentrated, large, third-party banking service providers are a target for bad actors. Large, unmapped third-party ecosystems also create risks of chain reactions from shocks like cyber attacks or tech failures, they said.