Compliance Briefing — June 6, 2023
U.S. banking regulators issued final interagency guidance on third-party risk management on 6 June 2023, aligning expectations across the Federal Reserve, FDIC, and OCC.
Executive briefing: The Federal Reserve, FDIC, and OCC released joint guidance on 6 June 2023 establishing a common framework for third-party risk management, replacing each agency's separate prior guidance. The guidance is principles-based rather than prescriptive and applies to all business arrangements with third parties, not only those labelled "vendors". Banks must manage each stage of the third-party relationship lifecycle—planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination—with the depth of oversight scaled to the risk and criticality of the relationship.
Key compliance checkpoints
- Risk-based oversight. Tailor controls to the criticality and risk profile of each relationship, including fintech partners, cloud service providers, and any subcontractors those providers rely on.
- Contract requirements. Ensure agreements include performance measures, audit and information-access rights, cybersecurity and incident-notification expectations, business continuity obligations, limits on subcontracting, and termination provisions.
- Ongoing monitoring. Establish periodic reviews covering financial condition, performance against agreed measures, control testing results, subcontracting changes, incident response, and regulatory compliance.
Operational priorities
- Governance updates. Align board reporting, policies, and management committees with the interagency framework.
- Inventory management. Maintain comprehensive registers of third parties, services provided, and risk assessments.
- Incident coordination. Define escalation paths for disruptions or compliance breaches involving service providers.
Enablement moves
- Implement vendor risk platforms capturing due diligence artifacts, monitoring results, and remediation actions.
- Integrate third-party oversight with operational resilience, cybersecurity, and BSA/AML programmes.
- Conduct tabletop exercises evaluating response to provider outages and regulatory inquiries.
Sources
- Federal Reserve SR 23-4: Interagency Guidance on Third-Party Relationships
- OCC Bulletin 2023-17 on Third-Party Risk Management Guidance
Zeph Tech harmonises bank third-party oversight with interagency guidance, covering vendor inventory, contract remediation, and monitoring analytics.