Regulators issue third-party guidance to community banks

Federal regulators recently issued third-party risk management practices for community banks. The May 3 guidance from the FDIC, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency covered the lifecycle of third-party relationships, from preparation and due diligence through contract negotiations and ongoing management to termination of such agreements.

Effective third-party risk management accounts for the level of complexity, risk and size of the bank, as well as details of the specific third-party relationship, regulators said. Banks should review internal guidance and risk management rules and processes for traditional deposit and lending relationships when establishing standards for third-party relationships, they stated.   

“A community bank’s use of third parties does not diminish or remove a bank’s responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information,” they wrote. 

Third parties can include data aggregators, merchant payment processors, consultants and cloud computing providers. “This guidance provides sound principles that support a risk-based approach to third-party risk management that banking organizations may consider when developing and implementing risk management practices,” according to the report. 

Third-party agreements carry both benefits and risks, regulators noted. Such contracts give banks more access to new technology, human capital, risk management tools, delivery channels, products, services and markets. At the same time, reliance on third parties reduces community banks’ operational control over activities and introduces compliance, financial, operational and strategic risks.

The report came as community banks’ use of third parties to facilitate open banking continues to grow. According to Statista, the value of open banking transactions reached $57 billion worldwide last year, and is projected to increase rapidly in the coming years. The number of API calls, which enable secure data sharing, is expected to reach 580 billion in 2027. 

The 30-page guide was released less than a year after the Federal Reserve, OCC and FDIC published a 68-page report calling on banks to customize their risk management practices proportionally to their size, complexity, risk profile and third-party relationships. The June 2023 report, issued nearly two years after it was introduced, detailed how banks should undertake third-party risk management during contract negotiations, set clear expectations on how they assess and monitor third parties, and finalize plans if a contract is terminated.