The FDIC recently issued an 11-page “Guidance for Managing Third-Party Risk” that (i) describes potential risks arising from third-party relationships, (ii) provides information on identifying and managing those risks and (iii) provides a general framework for implementation of an effective third-party risk management process. The Guidance applies to any of a financial institution’s third-party arrangements and is intended for use by directors and senior managers in oversight and risk management of “significant” third-party relationships. A third-party relationship would be considered “significant” if, for example, the third party markets the institution’s products or services. While the FDIC acknowledged that third parties can assist financial institutions in a variety of ways, the FDIC emphasized that the use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activities are conducted in a safe and sound manner and in compliance with applicable law. The Guidance is not intended to supersede any earlier FDIC guidance on managing third-party risks.

    The Guidance identifies and describes the following list of risks (not all-inclusive) that may arise from a financial institution’s use of third parties: (i) strategic, (ii) reputation, (iii) operational, (iv) transaction, (v) credit, (vi) compliance and (vii) other (e.g., liquidity, interest rate, price, foreign currency translation and country).

    The Guidance states that the key to effectively using third parties is to appropriately assess, measure, monitor and control the risks associated with the relationship. The Guidance presents the framework for an effective risk management process categorized into the following four main elements:

    • Risk Assessment
    • Due Diligence in Selecting a Third Party
    • Contract Structuring and Review
    • Oversight

    Use of the process will depend upon the nature of the third-party relationships, the scope and magnitude of the activity, and the risks identified.

    The Guidance also directs institutions to maintain documents and records on all aspects of the third-party relationship, including valid contracts, business plans, risk analyses, due diligence, oversight activities and documents relating to any dispute resolution.

    In light of the FDIC’s Guidance, financial institutions should review existing FDIC guidance on this topic and their third-party risk management plans.

    • Judy Scheiderer and Margaret Stolar