
Governance · Credibility 88/100 · 3 min read

Governance Briefing — October 8, 2025

The interagency third-party risk guidance now underpins 2025 examinations, so boards must demonstrate life-cycle oversight, tailored risk appetite, and evidence that community-bank scale adjustments still satisfy Federal Reserve, OCC, and FDIC expectations.

Executive briefing: The Federal Reserve, OCC, and FDIC finalised Interagency Guidance on Third-Party Relationships: Risk Management in June 2023. The agencies are using 2025 exams to test how boards oversee planning, due diligence, contracting, ongoing monitoring, and exit of critical vendors. Directors need proof that accountability matrices, management reporting, and escalation protocols are embedded, even where institutions tailor programmes for size and complexity.

Board governance priorities

  • Clarify roles and accountability. Approve a governance framework showing board, senior management, and business-line responsibilities across the third-party life cycle, including how issues escalate.
  • Risk appetite linkage. Tie vendor concentration limits, subcontractor exposure thresholds, and performance triggers to enterprise risk appetite statements reviewed by the board.
  • Reporting cadence. Require dashboards highlighting due diligence status, monitoring results, control breaches, and termination plans so directors can evidence challenge.

Operational actions ahead of year-end reviews

  • Documentation refresh. Update inventories, risk ratings, and contractual artefacts to align with the guidance’s planning and contracting expectations, including collaborative arrangements and fintech partnerships.
  • Community bank tailoring. For smaller entities, document how simplified processes still cover the required risk considerations and when they escalate to the board.
  • Exit testing. Run playbooks for terminating or transferring critical relationships, capturing board approvals and lessons learned.

Enablement moves

  • Embed third-party risk metrics into regular board and committee packs so findings sit alongside credit, market, operational, and compliance reporting.
  • Coordinate with internal audit to include third-party governance in the 2025 plan, validating board reporting accuracy and remediation effectiveness.
  • Ensure fintech partnerships and outsourced AI services feed the same governance processes, avoiding silos that could trigger supervisory findings.

Zeph Tech strengthens third-party governance by orchestrating board reporting, concentration analytics, and exit rehearsals aligned to the interagency guidance.

  • Third-party risk
  • Regulatory examinations
  • Board reporting