More third-party guidance: When should you just do it yourself?

December 2013
  • Print-friendly version

On December 5, 2013, the Federal Reserve Board (“FRB”) issued its Guidance on Managing Outsourcing Risk (“Guidance”). The Guidance applies to financial institutions supervised by the FRB, including bank and savings and loan holding companies (and their nonbank subsidiaries), state member banks, and US operations of foreign banking organizations.

The Guidance highlights potential risks arising from the use of third-party service providers and describes the elements of an appropriate program for managing those risks. The Guidance defines “service provider” broadly to include all entities that have entered into a contractual relationship with a financial institution. As such, it addresses the same types of risks that the Office of the Comptroller of the Currency (“OCC”) recently addressed in its Bulletin 2013-29.

Because they address the same types of risk, it is no surprise that both issuances communicate the common regulatory expectation that risk management processes and controls must be commensurate with the level of risks presented by the third-party relationship, and that outsourcing an activity does not relieve the board or senior management from their responsibilities to manage the associated risks.

What makes the FRB Guidance different from the OCC Bulletin, however, is that the FRB takes a less detailed and less prescriptive approach than the OCC does, which is consistent with the wider variety of organization types that the FRB supervises. This means that FRB-supervised institutions have more flexibility in how they apply the Guidance. On the flip side, FRB-regulated institutions bear a greater burden of determining how to develop and maintain a third-party risk management program that will meet the FRB’s standard of effectiveness, which will likely require dialogue with the regulator. The most successful banks will be those that exercise that flexibility to develop and maintain risk management processes that meet both the regulator’s expectations and the bank’s needs.

This Financial Services Regulatory Brief provides background information on the Guidance, describes key similarities and differences between the FRB Guidance and the OCC Bulletin (please see the Appendix for a detailed side-by-side comparison), and offers our view on how FRB-supervised institutions should respond to the flexibility the Guidance provides.

Related reading: