Third-party risk management
U.S. banking regulators issued final interagency guidance on third-party risk management on 6 June 2023, aligning expectations across the Federal Reserve, FDIC, and OCC.
Verified for technical accuracy — Kodi C.
The Federal Reserve, FDIC, and OCC released joint guidance on 6 June 2023 establishing a common framework for third-party risk management. Banking organizations are expected to manage each stage of the third-party lifecycle (planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination) under a risk-based approach. The interagency guidance is the most comprehensive federal banking framework for third-party risk management to date; it replaces the agencies' earlier, separate guidance and sets consistent expectations across federally supervised banking organizations. It arrives as banks increasingly rely on technology service providers, fintech partnerships, and cloud infrastructure, relationships that introduce new operational and compliance risks and call for robust vendor management programs.
Regulatory Context and Scope
Banking organizations increasingly rely on third parties to perform core functions, including payment processing, loan servicing, compliance monitoring, cybersecurity, and customer-facing digital services. That dependency creates operational risk when a third party fails to perform, compliance risk when a vendor violates applicable law, reputational risk when vendor conduct damages the bank's standing, and strategic risk when vendor relationships constrain the bank's options.
Previous agency guidance addressed third-party risk through separate bulletins and examination procedures, creating compliance complexity for banks supervised by multiple agencies. The joint guidance harmonizes expectations while providing flexibility for banks to implement risk-based programs proportionate to their size, complexity, and third-party portfolios.
Third-Party Lifecycle Framework
The guidance organizes third-party risk management across five lifecycle stages that banks should address through documented policies, procedures, and controls. Planning involves strategic analysis of the need for a third party, assessment of alternatives, and a preliminary risk evaluation before a relationship is initiated. Due diligence is a comprehensive evaluation of a prospective third party's capabilities, financial condition, compliance posture, and security practices.
Contracting establishes legal terms covering performance expectations, audit rights, compliance obligations, and termination procedures. Ongoing monitoring confirms continued vendor performance, identifies emerging risks, and verifies compliance for the life of the relationship. Termination addresses the orderly transition of services, disposition of data, and closeout of the relationship when the engagement ends.
Risk-Based Oversight Approach
Tailor controls to the criticality and risk profile of each third-party relationship, including fintech partnerships and cloud providers that support critical operations. Not every relationship warrants the same oversight intensity.
Banks should assess relationships on their criticality to bank operations, the volume and sensitivity of customer data involved, the regulatory implications of the vendor's activities, and the potential for a vendor failure to cause material harm. Higher-risk relationships, including core processors, payment network providers, and cloud infrastructure, require more intensive due diligence, more detailed contracting, and more frequent monitoring. Lower-risk relationships may receive simplified oversight proportionate to their potential impact.
Contract Requirements and Standards
Ensure agreements include performance measures, audit rights, cybersecurity expectations, and termination provisions supporting effective vendor governance. Contracts should specify service level agreements with measurable performance standards and remedies for non-performance. Audit rights enable banks and their regulators to examine vendor operations, controls, and records relevant to contracted services. Cybersecurity provisions should address security controls, incident notification requirements, and cooperation obligations.
Data protection terms should address confidentiality, permitted uses, and disposition upon termination. Subcontracting provisions should require bank approval and flow down material contractual protections. Business continuity requirements should address vendor resilience and recovery capabilities. Termination provisions should enable orderly service transition without excessive dependency on any single provider.
Ongoing Monitoring Programs
Establish periodic reviews covering financial condition, subcontracting activity, incident response, and regulatory compliance status. Monitoring frequency and depth should align with the relationship's risk level and with any change in the vendor's circumstances. Financial monitoring tracks the vendor's viability and its ability to sustain operations over the life of the relationship. Compliance monitoring verifies continued adherence to applicable laws, regulations, and contract terms.
Performance monitoring assesses service delivery against agreed standards. Security monitoring evaluates the vendor's cybersecurity posture and incident history. Subcontractor monitoring ensures that fourth-party risks receive appropriate attention. Monitoring results should inform decisions on whether to continue the relationship and should prompt corrective action when deficiencies emerge.
Governance and Reporting
Align board reporting, policies, and management committees with the interagency framework to ensure appropriate oversight visibility. Board and senior management should establish risk appetite for third-party arrangements and receive regular reporting on program status, significant risks, and material incidents.
Policies should document program scope, roles and responsibilities, risk assessment methodologies, and escalation procedures. Management committees should provide operational oversight of third-party activities and coordinate across business lines relying on shared vendors. Independent risk functions should challenge first-line vendor management activities and validate program effectiveness.
Implementation and Coordination
Implement a vendor risk platform that captures due diligence artifacts, monitoring results, and remediation actions to support end-to-end program management. Integrate third-party oversight with the operational resilience, cybersecurity, and BSA/AML programs that address overlapping risk domains. Conduct tabletop exercises that rehearse the response to provider outages and regulatory inquiries to test readiness. Maintain a complete inventory of third parties, the services each provides, risk assessments, and oversight activities to support examination readiness and continuous improvement.