Alert June 17, 2008

FDIC Issues Guidance on Managing Third-Party Risk

The FDIC issued a Financial Institution Letter (FIL-44-2008, the “Letter”) providing guidance to financial institutions (“FIs” and each an “FI”) on managing third-party risk.  In the Letter, the FDIC stressed that an FI’s Board of Directors and senior management are responsible for identifying and controlling risks arising from third-party relationships to the same extent as if the activity were handled directly by the FI itself.  The Letter states that FIs should make certain that appropriate procedures are in place to monitor and control the risks, and that these procedures should take into account the complexity, magnitude and risk potential of the third-party relationship.  In addition, the Letter states that the FI should not rely exclusively on indemnification agreements with the third party to protect the FI.

Third-party arrangements, including outsourcing agreements, can lower an FI’s costs and increase the expertise available to it, but they can also pose a broad range of risks.  The Letter discusses strategic risks, reputational risks, operational risks, transaction risks, credit risks, compliance risks and other risks that can be created by FIs’ third-party relationships.

The FDIC then provides guidance concerning various aspects of the risk management process, including: (1) risk assessment; (2) due diligence in selecting a third party; (3) contract structuring and review; and (4) oversight of the third-party relationship and adequate quality control over products and services provided by the FI through third-party vendors.

The Letter states that in supervising and examining an FI’s handling of third-party relationships, the FDIC will focus upon the FI management’s “record and process of assessing, measuring, monitoring and controlling risks associated with” an FI’s significant third-party relationships.  The FDIC also reminds FIs that under Section 7 of the Bank Service Company Act, an FI must notify its primary federal banking regulator in writing when it enters into an agreement with a third party pursuant to which the third party will provide certain types of services to the FI, including “check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions.”  Furthermore, the FDIC alerts banks that future compliance examinations may focus on the failure of banks to manage third-party relationship risks, and that corrective actions, including enforcement actions, may be pursued for deficiencies related to third-party relationships that pose a safety and soundness or compliance management concern or result in violations of applicable laws or regulations.