Federal regulators have issued fresh guidelines for how community banks should manage
The Federal Reserve, Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued a 30-page guidebook on Friday explaining how small banks should approach all phases of their
“Third-party relationships present varied risks that community banks are expected to appropriately identify, assess, monitor, and control to ensure that their activities are performed in a safe and sound manner and in compliance with applicable laws and regulations,” the agency said in a joint statement. “These laws and regulations include, but are not limited to, those designed to protect consumers and those addressing financial crimes.”
The publication elaborates on the
The report notes that failing to properly manage third parties could expose banks to financial losses or other risks, and could result in harm to customers.
The fresh guidance is the latest step by the Washington agencies to remind banks that they are on the hook for things non-bank partners and service providers do on their behalf.
“Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk,” said Fed Vice Chair for Supervision Michael Barr
Friday’s report notes that the advice is not applicable solely to community banks and could be a point of reference for larger institutions, too.
Traditionally, smaller banks have been more apt to partner with outside groups — such as financial technology firms — to bolster their businesses that their larger counterparts.
The guidance is not exclusive to BaaS arrangements, though. It also notes key considerations for
In March, Acting Comptroller of the Currency Michael Hsu said the agencies were considering a formal rule that would incorporate third-party risk management into a new
He noted that the expansion of bank partnerships has created more openings for risk to creep into the banking system.
“The provision of banking services increasingly resembles global manufacturing supply chains, with their efficiencies, complexities and vulnerabilities,” Hsu said. “The threat surface for disruptions expands, and as authorities in other jurisdictions begin implementing their rules to ensure operational resilience, we are assessing and working with our interagency peers to develop the right approach here in the U.S.”