Federal Reserve Adds to Agency Guidance on Third Party Relationships
On Dec. 5, 2013, the Federal Reserve joined the list of regulatory agencies that have issued guidance on third party relationships. The Fed guidance supplements the FFIEC Outsourcing Technology Services Booklet (June 2004) and broadens the scope of Fed-supervised institutions’ third party guidance to all service providers, which the December 5th guidance defines broadly to include all entities that contract with financial institutions to provide business functions or activities.
The Fed’s third party guidance includes the majority of the aspects covered in the OCC’s recent third party guidance. The OCC’s risk management lifecycle was not included in the Fed guidance, although the Fed did include business continuity and contingency as important aspects in managing third party risks. For state member banks, bank and savings and loan holding companies, and U.S. operations of foreign banking organizations subject to the Federal Reserve’s supervision, this guidance should come as no surprise, as financial regulators across all sectors of the industry aim to tackle third-party risk amidst rapid innovation in the delivery of financial services. Below is a chart of the contents of regulatory guidance on third party relationships across supervisory agencies. Full text of the Fed third party guidance can be found here.
CONTENTS OF REGULATORY GUIDANCE ON THIRD PARTY RELATIONSHIPS (2001 – 2013)
|
Fed Dec. 2013 Guidance |
OCC Oct. 2013 Guidance |
FDIC June 2008 Guidance |
OCC Nov. 2001 Guidance |
|
| Third Party Risk Factors |
✓ |
✓ |
✓ |
✓ |
| Planning/Assessment |
✓ |
✓ |
✓ |
✓ |
| Due Diligence/Structuring |
✓ |
✓ |
✓ |
✓ |
| Contract Issues |
✓ |
✓ |
✓ |
✓ |
| Monitoring |
✓ |
✓ |
✓ |
✓ |
| Oversight Accountability |
✓ |
✓ |
— |
— |
| Business Continuity/Contingency |
✓ |
✓ |
— |
— |
| Incentive Comp. Review |
✓ |
— |
— |
— |
| Documentation/Reporting |
— |
✓ |
✓ |
✓ |
| Termination |
— |
✓ |
— |
— |
| Independent Reviews |
— |
✓ |
— |
— |
We have discussed other agency guidance on third party relationships in previous PLA posts, including the following:
OCC Releases New Third Party Guidance (Nov 2013)
FDIC Clarifies its Supervisory Approach to Payment Processor Relationships (Oct 2013)
FTC Order Against Fraudulent Payment Processor Joins Growing List of Regulatory Actions Involving Third Party Service Providers (Mar 2013)
Regulatory Action Against First Bank of Delaware Reinforces BSA and AML Concerns with Third-Party Relationships (Dec 2012)
FFIEC Releases New Booklet for the Supervision of Technology Service Providers (Nov 2012)
CFPB’s First Enforcement Action Warns Financial Institutions About Liability for Third Party Activities on their Behalf; Related Compliance Bulletin Offers Guidance (July 2012)
OCC Issues Guidance on the Mechanics of Third-Party Service Agreements for Prepaid Access Programs (Sept 2011)