Risks stemming from financial institutions' relationships with third-party service providers have been a continuous topic at the Risk Forum during my 10-plus-years' tenure. As a quick refresher, third parties are entities that provide products or services to financial institutions (FIs) or on behalf of FIs, and often will have access to an FI's privileged systems. Given the significant growth in the fintech sector and subsequent growing relationships with FIs, understanding the also-growing risks associated with third parties has become critical for many FIs. Traditionally, the three federal bank regulatory agencies—the Federal Deposit Insurance Corp, or FDICOff-site link; the Office of the Comptroller of the Currency, or the OCCOff-site link; and the Federal Reserve Adobe PDF file formatOff-site link separately issued guidance related to managing third-party risks.

Early in July, these agencies broke from tradition and released joint guidance Adobe PDF file formatOff-site link related to managing third-party risks. This guidance will be open for public comments for 60 days once it is published in the Federal RegisterOff-site link.

While the joint agency guidance is not very different, FIs and their third-party providers should welcome it as it is likely to remove any nuances and differences they faced from the separate guidance. After my first extremely fast pass of the lengthy document, it doesn't appear to include major changes but is truly an amalgamation of the previous guidance from these agencies. What is new is the guidance encourages FIs to collaborate with one another to share information when they can and also share their risk management responsibilities related to regulatory compliance. What is not new is that FIs remain accountable for any risks arising from their third-party agreements.

Managing third-party risks can be a significant burden for FIs depending on the number of such relationships they have and on the depth and breadth of their regulatory and compliance department. No matter the burden, and with the growth in third-party relationships, risk management of third parties is a constant necessity to protect the integrity of the financial system. I encourage any FI or other entity that will be affected by this joint guidance to review it and let their voices be heard during the public comment period.