The Federal Reserve and other U.S. banking agencies are working to develop joint guidance to clarify regulatory expectations around third-party risk management (TPRM), according to Fed Governor Michelle Bowman.
Bowman made the remark in a speech at an Independent Community Bankers of America conference Tuesday. She said the potential guidance would “be an important step in supporting innovation built on third-party partnerships.”
“Third-party partnerships designed to bring innovation into a bank can also create risk management and due diligence challenges, particularly with respect to identifying the risks that a third-party partner may pose and to managing these risks,” she said.
Bowman specifically focused on the advantages clearer TPRM guidance could provide small banks, most notably in engagements with financial technology partners. She noted small banks often face difficulties in conducting due diligence on fintechs, negotiating contracts with third-party partners, and might “encounter friction with nonbank partners who fail to understand the bank’s ongoing responsibilities to ensure that even outsourced activities are conducted in a safe and sound manner.”
“All banks should understand regulatory expectations with respect to due diligence, risk management, and ongoing compliance when engaging in third-party relationships. Banking regulators can support this approach by providing clear expectations and the tools smaller banks may need to help them meet these expectations.”
Fed Governor Michelle Bowman
“[C]learer guidance and regulatory expectations will not fully address these challenges,” she said. “Guidance alone cannot address the challenges that a small bank faces in conducting due diligence on third parties and the difficulty in negotiating a contract with larger nonbank service providers and partners.”
Bowman did not provide a timeline for publishing of the potential guidance.
In the interim, banking regulators, including the Treasury Department’s Office of the Comptroller of the Currency, have taken recent actions to increase supervision of bank-fintech relationships. The Federal Reserve in 2021 began providing state member banks with supervisory reports on their third-party partners subject to supervision under the Bank Service Company Act, Bowman noted.
“All banks should understand regulatory expectations with respect to due diligence, risk management, and ongoing compliance when engaging in third-party relationships,” she said. “Banking regulators can support this approach by providing clear expectations and the tools smaller banks may need to help them meet these expectations.”
In her speech, Bowman also touched on bank service company oversight and whether the bank or third-party service provider is best positioned to address risks. She said “it is worth considering” whether the heavier burden that typically falls on banks is worth reassessing.
“If third parties provide products and services to bank customers, it also may be appropriate for these providers to bear greater responsibility for their own products and services, including to ensure that they are provided in a safe and sound manner and in compliance with financial and consumer laws and regulations,” she said.
Bowman also discussed cybersecurity, climate risk management and regulation, and more.