SR 24-2 / CA 24-1:
Third-Party Risk Management: A Guide for Community Banks
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551
DIVISION OF SUPERVISION AND REGULATION
DIVISION OF CONSUMER AND COMMUNITY AFFAIRS
May 7, 2024
TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK
Third-Party Risk Management: A Guide for Community Banks
Applicability: This letter applies to all banking organizations with $10 billion or less in consolidated assets supervised by the Federal Reserve.
The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies) are releasing a guide intended to assist community banks when developing and implementing their third-party risk management practices. While this guide is written for a community bank audience, banking organizations of all sizes and risk profiles may find it useful. This guide is intended as a voluntary resource for community banks to view in tandem with the June 2023 Interagency Guidance on Third-Party Relationships: Risk Management.1
This guide offers potential considerations, resources, and examples through each stage of the third-party risk management life cycle. It does not prescribe specific risk management practices nor establish any safe harbors for compliance with laws or regulations. In addition, this guide does not have the force and effect of law and does not impose any new requirements on banking organizations.
Reserve Banks are asked to distribute this letter to the supervised banking organizations in their districts and to appropriate supervisory staff. We encourage banking organizations to provide feedback on this guide, including regarding the clarity and transparency of supervisory expectations for community banks in their management of third-party risk. Banking organizations may provide any feedback or send questions via the Board’s public website.2
signed by
Michael S. Gibson
Director
Division of Supervision and Regulation
signed by
Eric S. Belsky
Director
Division of Consumer and Community Affairs
- SR letter 23-4, “Interagency Guidance on Third-Party Relationships: Risk Management”
- SR letter 22-4/CA letter 22-3, “Contact Information in Relation to Computer-Security Incident Notification Requirements”
- SR letter 21-15/CA letter 21-11, “Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies”