FI Authorities & Requirements
References
Relevant Regulators and Authorities Include:
- Office of the Comptroller of the Currency (OCC)
- Board of Governors of the Federal Reserve System (Federal Reserve)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Securities and Exchange Commission (SEC)
- Financial Industry Regulatory Authority (FINRA)
- Federal Financial Institutions Examination Council (FFIEC)
- State bank supervisors (e.g., New York Department of Financial Institutions NYDFS; Washington State Department of Financial Institutions; Texas Department of Banking)
Relevant Regulations and Guidance are:
The bank regulatory agencies generally have the authority to examine and regulate banking-related functions or operations performed by third parties for a banking organization to the same extent as if the banking organization itself performed them. See 12 U.S.C. §§ 1464(d)(7)(D) and 1867(c)(1).
The agencies coordinate interagency programs to supervise third-party service providers through the FFIEC.
There are several requirements and guidelines that financial institutions should be aware of:
- Bank Service Company Act (12 U.S.C. § 1861)
- Home Owners’ Loan Act (12 U.S.C. § 1461)
- Federal Deposit Insurance Act (12 U.S.C. § 1811)
- Federal Reserve Act (12 U.S.C. § 221)
- Federal Reserve Guidance on Third-Party Risk Management
  - SR 13-19 / CA 13-21, “Guidance on Managing Outsourcing Risk”
- FDIC Guidance on Third-Party Risk Management
  - FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008)
  - FDiTech Guide for Fintechs and Third Parties, Conducting Business with Banks (February 2020)
- OCC Guidance on Third-Party Risk Management
  - OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance”
  - OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management”
  - OCC Bulletin 2017-43, “New, Modified, or Expanded Bank Products and Services: Risk Management Principles”
  - OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (“OCC 2020 FAQs”)
- OCC Governance Handbook, “Corporate and Risk Governance”
- Consumer Financial Protection Bureau
  - CFPB Bulletin 2012-03, Service Providers (April 13, 2012)
- NCUA Supervisory Letter No. 07-01, “Evaluating Third-Party Relationships” (October 2007)
- FINRA Notice to Members 05-48, “Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers”
- FFIEC Statement on Risk Management for Cloud Computing Services (April 30, 2020)
- FFIEC Guidance on Authentication and Access to Financial Services and Systems (August 11, 2021)
- FFIEC Information Technology Examination Handbook, including (but not limited to) the following booklets:
  - Business Continuity Management (November 2019)
  - Information Security (September 2016)
  - Architecture, Infrastructure, and Operations (June 2021)
  - Outsourcing Technology Services (June 2004)