Ladies and Gentlemen,
The Bank Policy Institute (“BPI”) appreciates the opportunity to comment on the proposed interagency guidance and request for comment (the “Proposed Guidance”) issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (“OCC”) (each an “Agency,” and collectively, the “Agencies”) on managing the risks associated with third-party relationships. The Proposed Guidance would replace each Agency’s existing guidance on this topic with a framework based on specific risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships. BPI strongly supports the Agencies’ efforts to harmonize supervisory expectations for banking organizations’ management of third-party risk. BPI also strongly supports the Proposed Guidance’s emphasis on banking organizations adopting risk management practices that are commensurate with the level of risk and complexity of their respective third-party relationships. To that end, BPI appreciates that the language of the Proposed Guidance is, relative to existing Agency guidance on this topic, less prescriptive and would, if adopted, better position banking organizations to apply the Proposed Guidance in a risk-based manner.
At the same time, this letter includes suggestions intended to build upon the Proposed Guidance’s goal of establishing a third-party risk management framework based on sound risk management principles. There are a number of ways in which the Proposed Guidance may be improved and strengthened, in particular by clarifying the scope and application of the guidance. A major theme that runs throughout our comments is that, to ensure that banking organizations can apply the Proposed Guidance in a risk-based manner, key definitions and concepts should be revised to clarify that banking organizations have the flexibility to apply the Proposed Guidance as appropriate to the nature of the risk presented by a given third party. We also recommend that certain of the OCC’s 2020 FAQs on Third-Party Relationships (“2020 FAQs”) be incorporated and revised, as appropriate, to reinforce this concept.
Part I of this letter provides an executive summary of our recommendations. Part II provides our overarching comments on the Proposed Guidance, and Part III provides a range of other comments on more discrete or technical matters. In addition, for convenience, Appendix A to this letter summarizes our recommendations with respect to each of the 2020 FAQs.
I. Executive Summary
Overarching comments on the Proposed Guidance:
- We support the Agencies’ use of less prescriptive language throughout the Proposed Guidance;
- The Agencies should clarify the scope and application of the Proposed Guidance by revising key definitions and governing concepts:
  - The proposed definition of “business arrangement” is overly broad and inconsistent with the stated goals of the Proposed Guidance;
  - The proposed definition of “critical activities” should be revised to allow banking organizations the flexibility to determine which activities are, in fact, critical and align with existing definitions;
  - The Proposed Guidance’s reference to risk management practices that are “typical” is an important improvement over prior, more prescriptive terminology, and should be construed and applied flexibly in practice;
- The Agencies should update and incorporate the 2020 FAQs, as appropriate; and
- Given the different and unique risks that they pose, the Proposed Guidance should take an alternative approach to managing the third-party risks of data aggregators, including by removing certain data aggregator relationships from the scope of the Proposed Guidance.
Other comments on the Proposed Guidance:
- The Proposed Guidance should permit senior management to establish policies governing third-party relationships;
- The Proposed Guidance should provide banking organizations with greater flexibility in the negotiation and approval of vendor contracts;
- The Agencies should use their existing regulatory tools and authorities, including the Bank Service Company Act, to directly obtain information from, and exercise oversight of, third-party vendors that serve a large number of banking organizations or over which banking organizations have little negotiating power;
- The Proposed Guidance should clarify that banking organizations are not expected to perform due diligence and oversight of subcontractors, and instead may assess the third party’s third-party risk management program;
- Upon adopting final guidance on third-party risk management, the Agencies should review and revise the FFIEC’s Information Technology Examination Handbook to ensure alignment; and
- Final guidance should outline the Agencies’ views on services covered by the Bank Service Company Act and better define the Agencies’ expectations for filings under the Act.