API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

Interagency Third-Party Risk Guidance

United States2023Cybersecurity

Overview

The Interagency Guidance on Third-Party Relationships: Risk Management, finalized in June 2023, is a unified supervisory framework issued by the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC). It replaces prior agency-specific guidance and outlines risk management expectations for financial institutions when working with third parties.

The guidance establishes a lifecycle approach covering planning, due diligence, contract negotiation, ongoing monitoring, and termination. It applies to national banks, federally insured state banks, U.S. bank holding companies, savings associations, and their third-party service providers, including fintechs, cloud providers, and core banking vendors.

Key Obligations

Develop a risk-based third-party risk management framework
Conduct comprehensive due diligence on critical third parties
Define clear roles, responsibilities, and performance expectations in contracts
Monitor third-party activities, cybersecurity, compliance, and financial condition

Maintain records of all third-party relationships and risk classifications
Ensure board and senior management oversight for critical relationships
Report significant third-party disruptions or breaches to regulators

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Business Verification

Verify businesses with reliable documents OCR, EIN checks, UBO data, sanctions screening, global registry checks, and more.

Criminal Screening

Perform thorough background checks and verify criminal records to maintain compliance and strengthen onboarding security.

Related Regulations

GLBA Safeguards Rule Compliance

NIST CSF 2.0 Cyber Framework

Model Risk Management SR 11-7

FAQ

Does the guidance apply to all banks?

Yes. It applies to all banking organizations supervised by the Federal Reserve, FDIC, and OCC.

Are fintechs and cloud service providers included?

Yes. Institutions must manage risk from all third parties, including technology vendors and fintech partners.

Is compliance with the guidance mandatory?

While technically supervisory guidance, regulators expect institutions to align with its principles during exams.

What if a third party subcontracts its services?

Banks are still responsible for managing risks from subcontractors and must account for them in contracts and oversight processes.