Three federal banking regulators jointly issued guidance on third-party risk management (TPRM) focused on the unique risks community banks face in their third-party relationships.

The Federal Deposit Insurance Corporation, Federal Reserve Board, and Treasury Department’s Office of the Comptroller of the Currency issued the guidance Friday.

“Third-party relationships can offer community banks access to new technologies, risk management tools, human capital, delivery channels, products, services, and markets,” the guidance stated. “A community bank’s reliance on third parties, however, reduces its direct operational control over activities and may introduce new risks or increase existing risks, including, but not limited to, operational, compliance, financial, and strategic risks.”

In the guidance, the regulators reminded community banks that engaging with a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and follow all applicable legal and regulatory requirements.

The guidance is meant to complement, not replace, the TPRM guidance for all banks issued in June 2023.

“A banking organization can be exposed to adverse impacts, including substantial financial loss and operational disruption, if it fails to appropriately manage the risks associated with third-party relationships,” the new guidance stated. “Therefore, it is important for a banking organization to identify, assess, monitor, and control risks related to third-party relationships.”

Community banks are advised to implement more rigorous oversight of third-party relationships that support higher risk activities, including critical activities, the guidance said. Some indicators of higher risk activities include whether “the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services.”

The guidance also provides advice on how community banks should manage risks over the life cycle of a third-party relationship and provides use case examples.

The examples cover risk management considerations when community banks are in the planning stages of onboarding a new third party, conducting due diligence on a third party, negotiating a contract with a third party, monitoring ongoing risks, or terminating a relationship with a third party.

The guidance also discusses how community banks should implement governance practices throughout the third-party relationship life cycle, including oversight and accountability, independent reviews, and documentation and reporting.