CBA Comment Letter on Proposed Interagency Guidance on Third-Party Relationships Risk Management

Ms. Misback, Mr. Sheesley, and the Chief Counsel’s Office:

The Consumer Bankers Association (CBA) appreciates the opportunity to submit comments in response to the proposed interagency guidance and request for comment (Proposed Guidance) issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies).

CBA applauds the decision by the Agencies to harmonize guidance on risk management policies and procedures for third-party relationships. CBA strongly approves of the Agencies’ efforts to afford banks flexibility in tailoring their third-party risk management programs to each unique relationship. CBA supports the Agencies’ decision to model the Proposed Guidance on the OCC’s 2013 guidance. Although Board-supervised and FDIC-supervised institutions may not be as familiar with the OCC’s 2013 guidance, that guidance provides the most useful starting point for outlining the obligations of banks with respect to their third-party relationships.

Though harmonization of and flexibility in risk management guidance are helpful and important components of the Proposed Guidance, some changes are necessary. The Agencies should adjust the scope of the final guidance so that it is applicable to third-party relationships related to critical activities, rather than applicable to all third-party relationships, and clarify that whether a third-party relationship is critical or not is a determination made by the bank itself. The Agencies should also specify that fourth-party relationships, customer relationships, and bank-to-bank relationships are not subject to the requirements of ongoing monitoring, due diligence, and contractual requirements under the final guidance. The Agencies should also clarify how existing FAQs from each agency will apply during the transition to the final interagency guidance, and expressly commit to interagency pronouncements for future FAQs. Finally, the Agencies should modernize regulatory third-party risk management guidance beyond the Proposed Guidance by ensuring the final guidance affords banks flexibility in their risk management programs specific to their relationships with data aggregators.

I. Harmonization of Standards across the Agencies is Necessary but Further Regulatory Coordination is Required

The harmonization of risk management standards across the Agencies is necessary and important because it sets uniform risk management standards regardless of regulator, thereby facilitating compliance. Currently, the inconsistencies in the guidance among the Agencies complicate the ability of banking organizations to efficiently and effectively manage risks related to their third-party relationships, particularly in situations where two agencies may have overlapping authority. For example, the Board’s 2013 guidance is limited to “service providers,” which is defined as “all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.” The OCC’s 2020 FAQs, however, apply more expansively to “third-party relationships,” which are defined as “any business arrangement between the bank and another entity, by contract or otherwise,” a broader pool of entities than covered by the Board’s 2013 guidance. The FDIC’s 2008 guidance applies to “all entities that have entered into a business relationship with the financial institutions,” but does not specify whether non-contractual relationships are included. These variations in guidance may require a bank to expand its risk management efforts to more third parties than required by the bank’s primary regulator in order to comply with the guidance of a prudential regulator with backup supervisory authority; this adds the burden of requiring banks to determine whether there is a discrepancy in the scope of applicable guidance from regulators and to implement risk management efforts for third parties for which the bank otherwise would not engage in such efforts. Harmonization decreases the risk that banks’ third-party risk management efforts may be sufficient for one regulator but not for another.
The net result of harmonization is that banks have an opportunity to redirect resources from meeting divergent guidelines toward promoting efficiency and benefiting consumers.
