OFFICIAL PUBLICATION OF THE KANSAS BANKERS ASSOCIATION

Pub. 11.2022 Issue 3

Managing Institutional Third-Party Risks

Featured image above: Over 250 attendees from across nine states gathered at this year’s conference.

Digital products and online platforms have reconfigured commercial banking in the 21st century. Market penetration for these services and products continues to rise, and it is expected that the users of digital banking will eclipse 80% of the population in the U.S. by 2025. These changes represent a massive, irreversible disruption in the way commercial banking is done, opening up new business models and placing pressure on industry incumbents.

As digital banking has proliferated, however, there has been an associated rise in the risks posed by the enabling technology. Cybercrime has supplanted — or in some cases, amplified — more traditional kinds of risk to banking operations. According to a recent survey by the Conference of State Bank Supervisors, over 70% of survey participants ranked cybersecurity as their top concern.

Both of these trends — the ramp up in digital offerings and the security measures necessitated by it — present difficult challenges for smaller banking operations that lack the economies of scale brought to bear by larger institutions, and over the past decade, many of these smaller banks have turned to third-party vendors to help even the playing field. By outsourcing non-core operations, smaller and community bankers can focus on value creation, innovation, or any area where there is a perceived benefit.

This trend toward outsourcing has covered a wide range of functions, involving information technology, human resources, product development, and even loan servicing; however, while outsourcing might reduce capital expenditures and provide access to better technology, the risks associated with outsourced functions remain with the bank, and this circumstance has gotten the attention of bank regulators. As early as 2008, the Federal Deposit Insurance Corporation (FDIC) issued guidance for managing third-party risk, and follow-on guidance was later provided by both the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC).

All three sets of guidance had the same goal and covered similar concepts but approached the issue in slightly different manners. The OCC’s 2013 guidance was much more robust and detailed and, therefore, more prescriptive than that from the FDIC and FRB. It also applied to all third-party relationships, meaning “any business arrangement between a bank and another entity, by contract or otherwise.” The FRB guidance contained less specificity and only applied to “service providers.” The result was to create a different set of standards for different banks, depending on their primary federal regulator.

Agency scrutiny of the third-party risks to banking institutions has only increased over time, as has the federal government’s vigilance regarding cybersecurity, which has been elevated to the level of a national security concern. Banking is at the heart of the matter. The industry is roughly 300 times more likely to be targeted by cybercriminals, according to information from Boston Consulting Group, and as the use of third-party vendors has increased greatly over time, the vulnerabilities are now spread out across a vast supply chain, with each link presenting its own unique risk profile.

With the goal of creating one uniform framework for managing risks associated with third-party relationships, the FRB, FDIC, and OCC released a joint “Proposed Interagency Guidance on Third Party Relationships: Risk Management” in July 2021. The Proposed Guidance closely tracks that published by the OCC in 2013 and expands it to apply to institutions supervised by all three federal banking agencies. Its stated goal is to provide a framework based on sound risk-management principles that banking organizations may use to address the risks associated with third-party relationships, emphasizing that, although use of third parties can offer more efficient access to technologies, human capital, products, and services, it does not remove the need for sound risk management.

Similar to the 2013 OCC guidance, “third-party relationships” are defined as “business arrangements between a banking organization and another entity, by contract or otherwise.” This goes beyond the FRB’s narrower application (service providers only) and would include relationships with vendors, fintech companies, affiliates, and a bank’s holding company. A third-party relationship may exist despite the lack of a contract or any payment for services.

The Proposed Guidance describes the third-party risk management lifecycle and identifies principles applicable to each stage of it, including:

  1. Developing a plan that outlines the bank’s strategy, identifies the inherent risks of the activity with the third party, and details how the bank will identify, assess, select, and oversee the third party
  2. Performing proper due diligence in selecting a third party
  3. Negotiating written contracts that articulate the rights and responsibilities of all parties
  4. Having the board of directors and management oversee the bank’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews
  5. Conducting ongoing monitoring of the third party’s activities and performance
  6. Developing contingency plans for terminating the relationship in an effective manner

It includes comprehensive action items and considerations for each stage of the lifecycle but also acknowledges that not all relationships present the same level of risk. The Proposed Guidance allows banks the latitude to engage in more comprehensive and rigorous oversight and management of third-party relationships that support “critical activities” and to adopt risk-management practices commensurate with the level of risk and complexity of the bank’s relationships and operations.

The Proposed Guidance is not yet final. Federal regulators requested comments, and various stakeholders have provided feedback. Much of the feedback is positive and expresses support for the effort to promote consistency between agencies; however, comments have also proposed modifications, including limiting the application to written contracts pursuant to which a bank receives services on an ongoing basis (excluding ad hoc arrangements with limited duration) and clarifying that the listed due-diligence factors and contractual considerations are not intended to apply to all third-party relationships and should not be viewed as a mandatory checklist (especially for low-risk relationships that do not involve critical activities). Comments have also requested that any final guidance give banks sufficient time to adapt, given that banks primarily regulated by the FDIC and FRB are currently subject to less detailed standards.

Any final guidance may differ from the proposed version, but the Proposed Guidance gives banks a good indication of the potential standard going forward.

Ben Streckert is a Madison-based attorney with Husch Blackwell LLP and is a member of the firm’s Banking & Finance practice team. He assists banks, bank holding companies, and other financial institutions on a range of transactional and regulatory matters, including bank holding company formations, capital raises and private securities offerings, mergers, acquisitions, and branch purchases. His regulatory work includes matters involving the FDIC, OCC, Federal Reserve, and state regulators.