The Consumer Finance Podcast

Federal Banking Interagency Final Guidance on Third-Party Relationships

Episode Summary

Troutman Pepper Partners Chris Willis and Glen Trudel discuss the Final Interagency Guidance put out by the Federal Reserve, the FDIC, and the OCC regarding third-party relationships.

Episode Notes

In this episode of The Consumer Finance Podcast, Troutman Pepper Partner Chris Willis and fellow Partner Glen Trudel discuss the Final Interagency Guidance put out by the Federal Reserve, the FDIC, and the OCC regarding third-party relationships. Topics include the agencies' goals in putting out this joint guidance, notable points raised in the guidance, and potential impacts on the industry from the advent of this guidance.

Episode Transcription

The Consumer Finance Podcast: Federal Banking Interagency Final Guidance on Third-Party Relationships
Host: Chris Willis
Guest: Glen Trudel
Date Aired: September 28, 2023

Chris Willis:

Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice, and I'd like to thank you for joining us for today's episode where we're going to be talking about the federal banking agencies' final guidance on third-party relationships.

But before we dive into that important topic, let me remind you to visit and subscribe to our two blogs. We have consumerfinancialserviceslawmonitor.com where we cover everything that happens in the world of consumer finance, and our new blog, troutmanpepperfinancialservices.com where we cover the wider world of everything that's relevant to financial services institutions.

And don't forget about our other podcasts. We have lots of them. We have the FCRA Focus all about credit reporting. We have The Crypto Exchange, which is about everything relating to crypto. We have our privacy and data security podcast, Unauthorized Access, and our newest podcast Payments Pros, which is all about the payments industry. Those are all available on all popular podcast platforms.

Speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing.

As I said, today we're going to be talking about the final interagency guidance put out by the Federal Reserve, the FDIC and the OCC on third-party relationships, which is an incredibly important piece of guidance because of the prevalence of those relationships in banking and consumer financial products and services. And I'm joined today to talk about this with my longtime partner, Glen Trudel.

Glen is a member of our firm that does lots of bank regulatory and bank transactional work, and he's in the middle of a lot of the kind of relationships that are impacted by this guidance. So, we're lucky to have him with us today. And Glen, thanks for being on the podcast.

Glen Trudel:

Oh, sure. Glad to be here, Chris.

Chris Willis:

It's not like this is the first time the federal banking agencies have said anything about third-party relationships. It's been a topic that they've made statements and given guidance on before. What do you think the agencies' goals were in putting out this new joint interagency guidance?

Glen Trudel:

Chris, as you know, back in July of 2021, the agencies you just mentioned published their proposed interagency guidance and included as an appendix to it, the FAQs that originally the OCC had put out in 2020 in the supplement of their 2013 third-party risk management guidance. The interagency proposed guidance set up a framework based on certain sound risk management principles for banking organizations to consider in establishing the risk management practices for all stages in the lifecycle of third-party relationships. So after almost two years, this final guidance is out.

It's really intended to provide a consistent approach among the Fed, the FDIC and the OCC respectively, and to add clarity on the matter of establishing and operating appropriate third-party risk management practices. To that end, and more specifically, the first thing that the final guidance does is rescind a lot of the existing regulatory guidance on these topics that you mentioned, such as the Fed's SR letter 13-19, the FDIC's Financial Institution letter 44-2008, the venerable OCC Bulletin 2013-29, and those FAQs that I mentioned found in OCC Bulletin 2020-10, which are the frequently asked questions to supplement their 2013 bulletin.

However, I should note that while the OCC's FAQs were not accepted in total in this final guidance, elements of certain specifically identified FAQs were incorporated into the final guidance itself. So, some of the FAQs have been, if you will, resurrected.

I should also note that the OCC has a foreign-based third-party guidance out there. It's OCC Bulletin 2002-16, which has not been rescinded, but instead is going to live on as a supplement to the final guidance.

And lastly, because the final guidance is intended to address all types of third-party relationships, including lending relationships and co-lending relationships, the FDIC withdrew the 2016 proposed guidance on third-party lending, which was issued for comment back in July of 2016 and was never finalized.

Having done all that, the guidance is meant to reinforce and is in fact built upon two core tenets. That one, the use by a banking organization of third parties does not diminish or remove its responsibility to perform all activities in a safe and sound manner and in compliance with applicable law. And secondly, that sound third-party risk management must take into account and be tailored to the level of risk, complexity, size of the financial institution and the nature of the specific third-party relationship. This latter concept is actually repeated several times throughout the guidance.

So, while they rescinded a lot of the old, they really took a lot of it and have built on that, but they're trying to do it in a way that at least these three regulators have all signed on to.

Chris Willis:

And it certainly sounds, Glen, like a reinforcement of the concepts that we've seen in the past, not a removal of them. Is that right?

Glen Trudel:

Yeah, I would say so, but there's a bit of a change in emphasis in a lot of respects. The guidance is intended to assist the banking organizations in implementing third-party risk management. That actually hasn't changed. And now they are providing typical considerations for each stage of the risk management lifecycle that's illustrated in the guidance. And those are the planning, the due diligence, third-party selection, the contract negotiation aspects, the ongoing monitoring and the termination phases of managing third-party relationships.

So, as part of this guidance, they have typical considerations. And again, heavily borrowed from things before, but a lot of tweaking and taking a less prescriptive approach. But some of the lists that are provided under each of these sections, for example, contract negotiation or selection, can be quite comprehensive. They cover a lot of different areas.

Now, one of the things that comes out of this guidance is that it now expressly includes third-party relationships with FinTech companies that had been a question. And part of the comment letters that they got and considered over the almost two years they took to come out with the final was does it apply to FinTech, to what extent, et cetera? Well, at least they got the does it apply. And because now it expressly includes FinTech companies within the scope of this. It really applies to all business relationships.

In addition, the concept of critical activities, which again was something out of the OCC guidance from 2013 and before, has been further refined and discussed. The agencies revised their concept of critical activity somewhat, and it's ostensibly to improve clarity and emphasize flexibility.

For instance, the revised guidance reads less like a hard and fast definition and more like a description of typical characteristics of a critical activity. And it eliminates imprecise concepts like significant investment and significant bank function. And it focuses more on illustrative risk-based characteristics, such as activities that could cause a significant risk to the banking organization if a third party fails to meet expectations or that have significant impacts on customers or the banking organization's financial condition or operation.

I should say relatedly, the agencies have incorporated aspects from a couple of the OCC FAQs I alluded to earlier, 7, 8 and 9, specifically. And expressly recognized that an activity that's critical for one banking organization may not be critical for another. And again, that's sort of a carry through. We've seen that before. We saw it in the proposal. But it's something that they've highlighted.

A couple of examples of approaches to making critical activity judgements are given. But I think the key here is that regardless of the approach the bank adopts, it has to be a sound methodology to designate which activities and third-party relationships are to get more comprehensive oversight. And that's critical for effective risk management of these activities in the eyes of the regulators. The changes they've made seem geared to reflect the concept that the determination of what is a critical activity is up to the banking organization to determine, as opposed to trying to look at an activity and fit it within a hard definition that the regulator provided. That's one notable aspect of the final guidance.

Another is they streamlined the discussion of what is within a board's sphere of influence and what is in senior management's sphere of influence, areas where the board should be more at the forefront than senior management, respectively. However, the changes seem to soften the prescriptive nature of the considerations that have been seen in prior guidance. And I'm not entirely sure that's a good thing. I think a lot of the commenters were looking for better specificity of how much does a board need to be involved, in what aspects, that sort of thing. I think it's more prescriptive now. And so, I think in that respect, those folks are probably going to be disappointed.

Finally, the guidance contemplates that the agencies are going to engage with community banks and provide additional resources in the "near but undetermined future," to assist the community banks in their efforts to manage third-party risks. The guidance doesn't provide much by way of specifics and delineating how these provisions are going to work for smaller institutions. And in fact, that failure to afford such resources as part of the publication of the final guidance was publicly criticized by the Fed Governor Michelle Brown, who published a statement declining to support the guidance and also opined that the community banks were going to find this new guidance very challenging to implement.

Chris Willis:

That's all really interesting, Glen, and let me go back to one of the things that you mentioned near the beginning there, which is the discussion that it definitely applies to FinTechs. That seemed kind of obvious from our standpoint already. We weren't laboring under a misimpression on that one. But it is a little coincidental for that affirmation that the third-party principles apply to FinTech lending relationships, and you've just had a significant consent order related to that same topic from the FDIC.

Do you feel like there's going to be more pressure on those FinTech relationships from the federal banking regulators? Are those both indicators of that kind of environment or is it just a coincidence?

Glen Trudel:

I don't know that they were intended to be put out together to provide force to each other. But I do think that it is certainly indicative that the regulators have gotten the message that we need to look at these more because we're seeing a greater proliferation in these various bank/FinTech company relationships, everything from the bank models to banking as a service to the new technologies that are being put out by these entities, which are being picked up by the banks as a way to leapfrog into the market in market technology, that sort of thing. So, I think it's fair to say the regulators are seeing that this is becoming a bigger and bigger thing, and they need to be doing more in terms of focus. And I'll be talking a little bit about part of the changes here where there's a discussion about typical examiner activities that should be ongoing in connection with this area.

One of the things that is mentioned there now that wasn't in the proposed guidance at all was this concept of transaction testing and reviewing results of transaction testing that might be indicative. And that and the other aspect being reasserting the idea that if circumstances warrant going and examining the third-party vendors themselves.

And so I think all of those things having been in this final guidance and the consent order and that sort of thing, I think it points to an environment where examiners are going to be more focused on these and looking at them a little bit harder, and particularly if they don't have a lot of confidence in the overall risk management structure of the institution that's under examination.

Chris Willis:

That's an interesting point, Glen, because one of the things that we've seen on the consumer side with the CFPB is an emphasis on conducting direct examinations of service providers for entities that the bureau has supervisory jurisdiction over. The bureau has always had jurisdiction under Dodd-Frank to do examinations of service providers. They just didn't really do it much, but now we do see them doing it as a new priority. And it sounds to me like this guidance suggests that the FDIC and the OCC might do the same thing. Is that your read of it?

Glen Trudel:

I think that's entirely possible. I mean, they're all dealing with what the banks under their supervision are dealing with. And this whole idea, the whole banner of this, is to provide a unified approach. It would make sense that the examiners are similarly going to try to take an approach that's uniform.

However, that said, given the overall tenor that some of the changes here in the final have been less prescriptive and maybe retreating from that, and I'm getting more into what I think the impacts on the industry might be here, but that retreat I think is going to lead to a situation where there's going to be less uniformity rather than more in terms of the choices banks make regarding what's critical for them and what's not critical for them and how the examiners react to that.

So, if lockstep uniformity, which I'm sure wasn't their ultimate goal, but if increasing uniformity and predictability in these exams was a goal of this, I'm not sure that that's going to play out in practice.

Chris Willis:

Yeah, and it is notable that you mentioned, Glen, that the agencies are being less prescriptive and sort of leaving these determinations up to the banks of what's a critical activity, for example, and what type of third-party relationship needs more scrutiny and more testing versus others. And it seems to me that puts banks in the situation of having to guess at the risk of potential disagreement from their regulators later about what's critical and what's not, for example. But it also does seem like it's going to create a period of certainly non-uniformity, but also uncertainty within the banking industry, it seems to me. What's your thought about that?

Glen Trudel:

Yeah, I agree. I think as a result of this, banks are going to have to look at all of their vendor management processes under the lens of this final guidance. The exercise being, do the decisions that the bank has made regarding these various activities still fit within what we're being told we should be looking at or what the considerations are? Does it rise to a critical activity, for example, and that sort of thing? And so, there's going to be some second guessing going on internally, and I think it's going to take some time and some examinations on an examiner to bank level, on an individual level, for that individual bank to reestablish an equilibrium as to whether what they're doing jibes with the approach that the guidance wants them to take and that they're making the right decisions.

But I don't think all is lost for the financial institutions. I think as they go through this process, if they document the basis for the decisions that they're making, I think then they have the documentary basis to be able to, when the regulator comes to town and says, "Okay, why did you do this?" they'll have documentation for the why. And presuming they acted in a rational fashion, it'll be more of an adjustment as opposed to a wholesale, "You did this completely wrong and now I'm coming after you."

Chris Willis:

Yeah. I think what I'm hearing and reacting to what you're saying, Glen, is it's important for banks to go through the exercise of looking at third-party relationships, figuring out what level of risk they are, and figuring out what amount of oversight is appropriate for each one and then executing it. But even though the regulator may ultimately disagree with respect to how a particular third party could be handled, my own thinking, and I think this is what you might be saying is, if you have kind of a near miss by the bank, but they're doing something and in good faith trying to follow the guidance, the likelihood of severe repercussions is probably not that high. What do you think?

Glen Trudel:

Yeah, that's exactly what I was saying. Yeah, I think if challenged on a particular choice or a particular way that they structured their decision making, the banks, if they've got a documentary basis to show what their process was, and again, assuming that they acted in a rational way, then I think the regulators should, and I think probably would, take a more conciliatory or more of a counseling role in saying, "Okay, well, this is good, but it's not what we're looking for. Here's why," and fix that.

A financial institution who ignores all of this, I think is taking a risk because the regulators will be coming in fresh from a bunch of exams at a bunch of financial institutions that have looked at this and say, "Okay, well, where's your analysis? What did you do?" And if the answer is, "What analysis?" then I think the financial institution's got something to worry about.

Chris Willis:

I think you're right on there, Glen. The takeaway for banks is look at where you are in third-party relationships. Make sure you've analyzed them, documented your steps, and you've got a thought-out defensible position with respect to each significant third party that you're doing business with. That seems to me to be the important takeaway from the final interagency guidance.

Glen Trudel:

That's right. And having that sound basis for structure for assessing critical activity risk, but really risk at all the different levels and being able to demonstrate how they have dealt with each of those areas in the lifecycle that I was referring to earlier, that five-pronged circle, using that as a basis and being able to point to it and be able to demonstrate what they've done, and then they're showing a good faith compliance to your point, Chris.

Chris Willis:

Yeah. Thanks a lot, Glen. Your comments have been really helpful and really educational to me, and I'm sure to the audience as well today. So, thank you for being on the podcast. And of course, thanks to our audience for tuning in as well.

Don't forget to visit and subscribe to our blogs: consumerfinancialserviceslawmonitor.com and troutmanpepperfinancialservices.com. That latter blog, the new one, is the one where content like this lives, stuff that's not strictly consumer, but that still affects financial institutions like the bank regulatory matter that Glen and I were talking about today. So be sure to check it out.

And while you're at it, don't forget to check out our new mobile app, the Troutman Pepper Financial Services mobile app, which is a great way to get all of our thought leadership content, including all of our podcasts, both of our blogs, alerts, all of those kinds of things.

And while you're at it, why don't you come on and visit us at troutman.com and add yourself to our Consumer Financial Services email list. That way you can get copies of the alerts that we send out as well as invitations to our industry only webinars on topics of interest. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon.

Thank you all for listening.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.