References

• Office of the Comptroller of the Currency (OCC)

• Board of Governors of the Federal Reserve System (Federal Reserve)

• Federal Deposit Insurance Corporation (FDIC)

• National Credit Union Administration (NCUA)

• Securities and Exchange Commission (SEC)

• Financial Industry Regulatory Authority (FINRA)

• Federal Financial Institutions Examination Council (FFIEC)

State bank supervisors (e.g., New York Department of Financial Institutions NYDFS; Washington State Department of Financial Institutions; Texas Department of Banking

The bank regulatory agencies generally have the authority to examine and regulate banking-related functions or operations performed by third parties for a banking organization to the same extent as if the banking organization itself performed them. See 12 U.S.C. §§ 1464(d)(7)(D) and 1867(c)(1).

 

The agencies coordinate interagency programs to supervise third-party service providers through the FFIEC.

There are several requirements and guidelines that financial institutions should be aware of:

 

• Bank Service Company Act (12 U.S.C. § 1861)

• Home Owners’ Loan Act (12 U.S.C. § 1461)

• Federal Deposit Insurance Act (12 U.S.C. § 1811)

• Federal Reserve Act (12 U.S.C. § 221)

• Federal Reserve Guidance on Third-Party Risk Management

  • SR 13-19 / CA 13-21, “Guidance on Managing Outsourcing Risk”    

• FDIC Guidance on Third-Party Risk Management•    

  • FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008)

  • FDiTech Guide for Fintechs and Third Parties, Conducting Business with Banks (February 2020)

• OCC Guidance on Third-Party Risk Management

  • OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance”

  • OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management”

  • OCC Bulletin 2017-43, “New, Modified, or Expanded Bank Products and Services: Risk Management Principles”

  • OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (“OCC 2020 FAQs”)

• OCC Governance Handbook, “Corporate and Risk Governance"

• Consumer Financial Protection Bureau

  • CFPB Bulletin 2012-03, Service Providers (April 13, 2012)

• NCUA Supervisory Letter No. 07-01, “Evaluating Third-Party Relationships” (October 2007)

• FINRA Notice to Members 05-48, “Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers”

• FFIEC Statement on Risk Management for Cloud Computing Services (April 30, 2020)

• FFIEC Guidance on Authentication and Access to Financial Services and Systems (August 11, 2021)

• FFIEC Information Technology Examination Handbook, including (but not limited to) the following booklets:

  • Business Continuity Management (November 2019)

  • Information Security (September 2016)

  • Architecture, Infrastructure, and Operations (June 2021)

  • Outsourcing Technology Services (June 2004)

• Joint Guidance on Conducting Due Diligence on Financial Technology Companies - A Guide for Community Banks (August 27, 2021)