

Interagency Third-Party Risk Guidance
United States
2023
Cybersecurity
Overview
The Interagency Guidance on Third-Party Relationships: Risk Management, finalized in June 2023, is a unified supervisory framework issued by the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC). It replaces prior agency-specific guidance and outlines risk management expectations for financial institutions when working with third parties.
The guidance establishes a lifecycle approach covering planning, due diligence, contract negotiation, ongoing monitoring, and termination. It applies to national banks, federally insured state banks, U.S. bank holding companies, savings associations, and their third-party service providers, including fintechs, cloud providers, and core banking vendors.
Key Obligations
- Develop a risk-based third-party risk management framework
- Conduct comprehensive due diligence on critical third parties
- Define clear roles, responsibilities, and performance expectations in contracts
- Monitor third-party activities, cybersecurity, compliance, and financial condition
- Maintain records of all third-party relationships and risk classifications
- Ensure board and senior management oversight for critical relationships
- Report significant third-party disruptions or breaches to regulators
FAQ
Does the guidance apply to all banks?
Yes. It applies to all banking organizations supervised by the Federal Reserve, FDIC, and OCC.
Are fintechs and cloud service providers included?
Yes. Institutions must manage risk from all third parties, including technology vendors and fintech partners.
Is compliance with the guidance mandatory?
Although it is technically supervisory guidance, regulators expect institutions to align with its principles during exams.
What if a third party subcontracts its services?
Banks are still responsible for managing risks from subcontractors and must account for them in contracts and oversight processes.
