“Banking models heavily rely on partnerships,” says Lance Noggle, senior vice president, operations and senior regulatory counsel for ICBA. Now, new regulatory guidance helps banks improve the management of such vendor relationships and avoid regulatory risk. 

According to Noggle, community banks are sometimes wary of third-party relationships, especially when dealing with complex and novel products and services, because it was unclear how regulators would evaluate them. Now, consistent “rules of the road” pave the way for banks to manage these relationships more confidently. 

Final guidance from the Fed, FDIC and OCC

In June 2023, the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) released final guidance on third-party risk management for banks. 

The guidance covers everything financial institutions should consider while working with vendors, from planning, due diligence and third‑party selection to contract negotiation, ongoing monitoring and termination. The guidance states the importance of providing bank staff with the right knowledge and skills at each stage of the risk management life cycle.

The joint guidance from the agencies replaces the third-party risk guidance issued in 2021, with emphasis from regulators on relationships between banks and fintechs. According to the agencies, the guidance “promotes consistency in the agencies’ supervisory approaches toward third-party risk management.”

Increasing vendor partnerships

Third-party relationships can help community banks offer new products and services that would be a challenge to offer with only in-house resources, Noggle says. In the past decade, there has been a dramatic increase in nonbank fintech firms offering innovative products in partnership with regulated financial institutions.

According to Finastra’s global survey of financial institutions in 2023, 56% of respondents said they planned to enter fintech relationships in the coming 12 to 18 months, citing reduced operational costs as a key motivator. 

With banks under increasing pressure to serve rapidly evolving customer service needs, Finastra says its research “demonstrates the recognition from banks that they cannot navigate these waters alone.”

While the interagency guidelines apply to financial institutions only, fintechs are also paying close attention. Noggle says that smart fintechs will incorporate the new guidelines into their product offerings, asking, “How can we satisfy regulatory requirements, so banks are comfortable doing business with us?”

Bankers should expect fintechs to use the guidance as the basis for due diligence requests, contract negotiation positions and ongoing monitoring procedures. For example, fintechs need to demonstrate they are protecting bank customers’ information as rigorously as the bank itself.

“It also makes it easier, simpler and cheaper for the third parties to know they are dealing with similar sets of rules from all the different banks,” Noggle says. 

Third-party risk management final guidance: next steps

Fed governor Michelle W. Bowman voted against the final guidance, saying that while she supports making expectations clearer, the guidance failed to “mitigate regulatory burden on smaller institutions.” 

Bowman called the guidance a “helpful step to promote sound third-party risk management” yet wanted to ensure the guidance was not burdensome to community banks and was tailored to their needs.

In announcing the guidelines, the agencies stated they planned to “engage with community banks immediately and develop additional resources.” However, there has been limited feedback on how the guidelines are working in practice, according to Noggle.

“Time will tell if this is really meeting the needs of community banks,” he says, “but on initial read, it looks positive.”

What is included in the federal agencies’ final guidance?

  • Third-party risk-management lifecycle guidance
      • Planning
      • Due diligence and third-party selection
      • Contract negotiation
      • Ongoing monitoring
      • Termination

  • Governance guidance
      • Oversight and accountability
      • Independent reviews
      • Documentation and reporting

  • Guidance for supervisory reviews of third-party relationships
