Final Guidance on Third-Party Risk Management

This document is a guide detailing the Final Guidance issued by federal banking agencies regarding third-party risk management for U.S. banking organizations. It outlines the principles and standards that banking institutions are expected to follow when managing risks associated with third-party relationships. The Final Guidance, effective June 6, 2023, replaces prior individual guidance and includes more prescriptive details in areas such as due diligence and contract negotiation. It emphasizes a risk-based and tailored approach to risk management, requiring banking organizations to assess risks based on their unique circumstances. The guide also discusses governance roles within organizations, the importance of independent reviews, and the anticipated supervisory focus on third-party relationships. Additionally, it addresses the applicability of the guidance to bank-fintech partnerships and data aggregators, indicating a need for banking organizations to prepare for increased scrutiny in their third-party risk management practices.