SR 23-4:
Interagency Guidance on Third-Party Relationships: Risk Management
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551
DIVISION OF
SUPERVISION AND REGULATION
June 7, 2023
TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE
Interagency Guidance on Third-Party Relationships: Risk Management
Applicability: This letter applies to all banking organizations supervised by the Federal Reserve.
The Board of Governors of the Federal Reserve (Board), the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies) issued joint interagency guidance to all banking organizations supervised by the agencies on managing risks associated with third-party relationships. The agencies issued the guidance to promote consistency in supervisory approaches; it replaces each agency’s existing general guidance on this topic.
The guidance offers the agencies’ views on sound risk management principles for banking organizations to consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships. The concepts discussed in the guidance are relevant for all third-party relationships and are provided to banking organizations to assist in the tailoring and implementation of risk management practices commensurate with each banking organization’s size, complexity, risk profile, and the nature of its third-party relationships. The agencies plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks.
The guidance is intended to assist banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations. The guidance does not impose any new requirements on banking organizations. The principles set forth in the guidance can support effective third-party risk management for all types of third-party relationships, regardless of how they may be structured. Some banking organizations may form third-party relationships with new or novel structures and features – such as those observed in relationships with some financial technology (fintech) companies. Such relationships may involve the fintech company providing products or services with varying degrees of interaction with the banking organization’s customers. It is important for a banking organization to understand how the arrangement with a particular third party is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage the third-party relationship accordingly.
Reserve Banks are asked to distribute this letter to the supervised banking organizations in their districts and to appropriate supervisory staff. In addition, questions regarding this letter may be sent via the Board’s public website.1
signed by
Michael S. Gibson
Director
Division of
Supervision and Regulation
-
SR letter 13-19 / CA letter 13-21, “Guidance on Managing Outsourcing Risk”
-
SR letter 20-24, “Interagency Paper on Sound Practices to Strengthen Operational Resilience”