Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
Bank Regulatory Agencies Release New Joint Guidance
Risks stemming from financial institutions' relationships with third-party service providers have been a continuous topic at the Risk Forum during my 10-plus-years' tenure. As a quick refresher, third parties are entities that provide products or services to financial institutions (FIs) or on behalf of FIs, and often will have access to an FI's privileged systems. Given the significant growth in the fintech sector and subsequent growing relationships with FIs, understanding the also-growing risks associated with third parties has become critical for many FIs. Traditionally, the three federal bank regulatory agencies (the Federal Deposit Insurance Corp, or FDIC; the Office of the Comptroller of the Currency, or the OCC; and the Federal Reserve) separately issued guidance related to managing third-party risks.
Early in July, these agencies broke from tradition and released joint guidance related to managing third-party risks. This guidance will be open for public comments for 60 days once it is published in the Federal Register.
While the joint agency guidance is not very different, FIs and their third-party providers should welcome it as it is likely to remove any nuances and differences they faced from the separate guidance. After my first extremely fast pass of the lengthy document, it doesn't appear to include major changes but is truly an amalgamation of the previous guidance from these agencies. What is new is that the guidance encourages FIs to collaborate with one another to share information when they can and also share their risk management responsibilities related to regulatory compliance. What is not new is that FIs remain accountable for any risks arising from their third-party agreements.
Managing third-party risks can be a significant burden for FIs depending on the number of such relationships they have and on the depth and breadth of their regulatory and compliance department. No matter the burden, and with the growth in third-party relationships, risk management of third parties is a constant necessity to protect the integrity of the financial system. I encourage any FI or other entity that will be affected by this joint guidance to review it and let their voices be heard during the public comment period.