Third-party risk management
U.S. banking regulators issued final interagency guidance on third-party risk management on 6 June 2023, aligning expectations across the Federal Reserve, FDIC, and OCC.
Verified for technical accuracy — Kodi C.
The Federal Reserve, FDIC, and OCC released joint guidance on 6 June 2023 establishing a common framework for third-party risk management. Banks are expected to manage the third-party lifecycle stages—planning, due diligence, contracting, ongoing monitoring, and termination—under a risk-based approach. The interagency guidance is the most comprehensive federal banking framework for third-party risk management to date: it replaces each agency's earlier guidance and sets consistent expectations across federally supervised banking organizations. It arrives amid growing bank reliance on technology service providers, fintech partnerships, and cloud infrastructure, dependencies that introduce operational and compliance risks and call for robust vendor management programs.
Regulatory Context and Scope
Banking organizations increasingly rely on third parties to perform core functions including payment processing, loan servicing, compliance monitoring, cybersecurity, and customer-facing digital services. This dependency creates operational risk when third parties fail to perform, compliance risk when vendors violate applicable laws, reputational risk when vendor conduct damages the bank's standing, and strategic risk when vendor relationships limit the bank's flexibility.
Previous agency guidance addressed third-party risk through separate bulletins and examination procedures, creating compliance complexity for banks supervised by multiple agencies. The joint guidance harmonizes expectations while providing flexibility for banks to implement risk-based programs proportionate to their size, complexity, and third-party portfolios.
Third-Party Lifecycle Framework
The guidance organizes third-party risk management across five lifecycle stages that banks should address through documented policies, procedures, and controls. Planning involves strategic analysis of the need for a third party, assessment of alternatives, and a preliminary risk evaluation before a relationship is initiated. Due diligence is a thorough evaluation of a prospective third party's capabilities, financial condition, compliance posture, and security practices.
Contracting establishes legal terms addressing performance expectations, audit rights, compliance obligations, and termination procedures. Ongoing monitoring ensures continued vendor performance, identifies emerging risks, and verifies compliance throughout relationship duration. Termination addresses orderly transition of services, data disposition, and relationship closeout when engagements end.
Risk-Based Oversight Approach
Tailor controls to the criticality and risk profile of third-party relationships, including fintech partnerships and cloud providers supporting critical operations. Not all third-party relationships warrant identical oversight intensity.
Banks should assess relationships based on criticality to bank operations, volume and sensitivity of customer data involved, regulatory implications of vendor activities, and potential for vendor failure to cause material harm. Higher-risk relationships including core processors, payment network providers, and cloud infrastructure require more intensive due diligence, detailed contracting, and frequent monitoring. Lower-risk relationships may receive simplified oversight proportionate to their potential impact.
Contract Requirements and Standards
Ensure agreements include performance measures, audit rights, cybersecurity expectations, and termination provisions supporting effective vendor governance. Contracts should specify service level agreements with measurable performance standards and remedies for non-performance. Audit rights enable banks and their regulators to examine vendor operations, controls, and records relevant to contracted services. Cybersecurity provisions should address security controls, incident notification requirements, and cooperation obligations.
Data protection terms should address confidentiality, permitted uses, and disposition of data upon termination. Subcontracting provisions should require notice to the bank (and, for material subcontracting, the bank's approval) and flow material contractual protections down to subcontractors. Business continuity requirements should address vendor resilience and recovery capabilities. Termination provisions should enable orderly service transition so that the bank does not become excessively dependent on any single provider.
Ongoing Monitoring Programs
Establish periodic reviews covering financial condition, subcontracting activity, incident response, and regulatory compliance status. Monitoring frequency and depth should align with relationship risk levels and any changes in vendor circumstances. Financial monitoring tracks vendor viability and ability to sustain operations over relationship duration. Compliance monitoring verifies continued adherence to applicable laws, regulations, and contract terms.
Performance monitoring assesses service delivery against agreed standards. Security monitoring evaluates vendor cybersecurity posture and incident history. Subcontractor monitoring ensures fourth-party risks receive appropriate attention. Monitoring results should inform relationship continuation decisions and prompt corrective action when deficiencies emerge.
Governance and Reporting
Align board reporting, policies, and management committees with the interagency framework to ensure appropriate oversight visibility. Board and senior management should establish risk appetite for third-party arrangements and receive regular reporting on program status, significant risks, and material incidents.
Policies should document program scope, roles and responsibilities, risk assessment methodologies, and escalation procedures. Management committees should provide operational oversight of third-party activities and coordinate across business lines relying on shared vendors. Independent risk functions should challenge first-line vendor management activities and validate program effectiveness.
Implementation and Coordination
Implement a vendor risk platform that captures due diligence artifacts, monitoring results, and remediation actions so the whole program can be managed in one place. Integrate third-party oversight with the operational resilience, cybersecurity, and BSA/AML programs that address overlapping risk domains. Conduct tabletop exercises that rehearse the response to a provider outage and to a regulatory inquiry. Maintain a complete register of third parties, the services they provide, their risk assessments, and the oversight activities performed; the register supports examination readiness and continuous improvement.
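The register described above is only useful if something checks it against the risk-based expectations in the earlier sections. The script below is an added example written for this page, not code from the guidance or from any bank's platform: it holds a constructed register of three hypothetical vendors, assigns each an oversight tier, and reports missing contract clauses, overdue periodic reviews, and subcontractors that lack bank approval or flow-down of material terms. The tier criteria, clause names, review cadences, and vendor data are all assumptions chosen for illustration; the guidance leaves those choices to each bank.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical clause vocabulary and tiering rules (assumptions for this
# example; the interagency guidance does not prescribe specific values).
MATERIAL_CLAUSES = {"audit_rights", "incident_notification", "data_protection"}

REQUIRED_CLAUSES = {
    "critical": {"sla", "audit_rights", "incident_notification", "data_protection",
                 "subcontractor_approval", "business_continuity", "termination"},
    "high": {"sla", "audit_rights", "incident_notification", "data_protection",
             "subcontractor_approval", "termination"},
    "moderate": {"sla", "audit_rights", "data_protection", "termination"},
    "low": {"sla", "termination"},
}

# Maximum days between periodic reviews, by tier (assumed cadence).
REVIEW_CADENCE_DAYS = {"critical": 90, "high": 180, "moderate": 365, "low": 730}


@dataclass
class Subcontractor:
    name: str
    flowed_down: set = field(default_factory=set)  # clauses passed through
    bank_approved: bool = False


@dataclass
class ThirdParty:
    name: str
    service: str
    supports_critical_operation: bool
    holds_customer_data: bool
    regulated_activity: bool
    clauses: set
    last_review: date
    subcontractors: list = field(default_factory=list)


def assign_tier(tp: ThirdParty) -> str:
    """Map criticality, data sensitivity and regulatory exposure to a tier."""
    if tp.supports_critical_operation:
        return "critical"
    if tp.holds_customer_data and tp.regulated_activity:
        return "high"
    if tp.holds_customer_data or tp.regulated_activity:
        return "moderate"
    return "low"


def review_findings(tp: ThirdParty, as_of: date) -> list:
    """Return human-readable deficiencies for one relationship."""
    tier = assign_tier(tp)
    findings = []
    for clause in sorted(REQUIRED_CLAUSES[tier] - tp.clauses):
        findings.append(f"{tp.name}: missing contract clause '{clause}' required at tier {tier}")
    due = tp.last_review + timedelta(days=REVIEW_CADENCE_DAYS[tier])
    if as_of > due:
        findings.append(f"{tp.name}: periodic review overdue since {due.isoformat()} (tier {tier})")
    # Fourth-party checks apply only where the relationship is material.
    if tier in ("critical", "high"):
        for sub in tp.subcontractors:
            if not sub.bank_approved:
                findings.append(f"{tp.name}: subcontractor {sub.name} not approved by the bank")
            for clause in sorted(MATERIAL_CLAUSES - sub.flowed_down):
                findings.append(f"{tp.name}: clause '{clause}' not flowed down to {sub.name}")
    return findings


def assess_register(register: list, as_of: date) -> dict:
    """Tier every vendor and collect findings, keyed by vendor name."""
    return {tp.name: {"tier": assign_tier(tp), "findings": review_findings(tp, as_of)}
            for tp in register}


# Constructed sample register (fictional vendors).
AS_OF = date(2024, 6, 30)
SAMPLE_REGISTER = [
    ThirdParty("Acme Core Processing", "core banking", True, True, True,
               REQUIRED_CLAUSES["critical"], date(2024, 1, 15),
               [Subcontractor("CloudHost", {"audit_rights", "incident_notification"}, True)]),
    ThirdParty("Insight Analytics", "marketing analytics", False, True, False,
               {"sla", "termination", "audit_rights"}, date(2024, 3, 1)),
    ThirdParty("Paper & Pens Ltd", "office supplies", False, False, False,
               {"sla", "termination"}, date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, result in assess_register(SAMPLE_REGISTER, AS_OF).items():
        print(f"{name} [{result['tier']}]")
        for finding in result["findings"] or ["  no findings"]:
            print("  " + finding)
```

Run as-is, the script flags the core processor for an overdue 90-day review and for a data-protection clause not flowed down to its cloud subcontractor, flags the analytics vendor for a missing data-protection clause, and reports nothing for the low-tier supplier. The point of the structure is that the same register drives both contract checks and monitoring cadence, so a change in tier automatically changes what oversight is expected.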
Strategic factors
Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.
Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.
Key metrics
Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.
Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.
Wrapping up
Organizations should prioritize assessing their current posture against the expectations outlined above and develop actionable plans to close the gaps they identify. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout implementation.
Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.
Adapting over time
Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.
Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.
What to do now
- Assessment requirement: Evaluate current practices against the updated requirements outlined in this analysis.
- Documentation update: Review and update relevant policies, procedures, and technical documentation.
- Stakeholder communication: Brief affected teams on timeline implications and resource requirements.
- Compliance verification: Schedule internal review to confirm alignment with guidance.
Cited sources
- Board of Governors of the Federal Reserve System, SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management
- Office of the Comptroller of the Currency, OCC Bulletin 2023-17: Third-Party Relationships: Interagency Guidance on Risk Management
- International Organization for Standardization, ISO 37301:2021, Compliance Management Systems