The U.S. interagency guidance from the Federal Reserve, FDIC, and OCC is the main federal banking reference for managing third-party relationships. It is broader than outsourcing and broader than vendor management. It applies to business arrangements with outside parties, and it asks banking organizations to manage risk across the full relationship life cycle.
Official sources
- Federal Reserve: Interagency Guidance on Third-Party Relationships
- FDIC FIL-29-2023: Interagency Guidance on Third-Party Relationships
- Federal Register: Interagency Guidance on Third-Party Relationships: Risk Management
The FDIC describes the guidance as sound principles supporting a risk-based approach for all stages in the life cycle of third-party relationships. The Federal Reserve explains that banking organizations should identify, assess, monitor, and control risks related to third-party relationships, regardless of how those relationships are structured.
What the guidance is trying to do
The agencies want banking organizations to remain accountable for the risks created by third-party relationships. A bank can use outside parties for technology, operations, lending support, marketing, payments, customer service, cloud hosting, compliance tools, or other activities. But the relationship cannot become a blind spot.
The guidance does not say every vendor needs the same review. It emphasizes a risk-based approach. Higher-risk or more critical relationships need deeper planning, due diligence, contract controls, monitoring, and exit planning. Lower-risk relationships still need appropriate oversight, but the work should be proportionate.
What the guidance covers
The guidance follows the relationship life cycle:
- Planning: decide why the relationship is needed, what risks it creates, and how the bank will manage those risks.
- Due diligence and selection: review the third party's capability, financial condition, compliance, information security, resilience, subcontractors, and other risk factors.
- Contract negotiation: document responsibilities, performance standards, audit and access rights, confidentiality, information security, reporting, subcontracting, business continuity, and termination rights.
- Ongoing monitoring: track performance, controls, incidents, complaints, financial condition, compliance, changes, and issues after onboarding.
- Termination: plan for transition, data return or destruction, customer impact, continuity, and replacement options.
It also covers governance, board and management oversight, independent reviews, documentation, and supervisory examination readiness.
What banks need to operationalize
A banking organization should be able to answer:
- Which third-party relationships support important activities, critical operations, regulated products, customer data, or sensitive systems?
- Who owns the relationship and who owns the risk?
- What diligence was performed before approval?
- What risks were accepted, escalated, or remediated?
- Which contracts contain the rights the bank needs?
- How is the relationship monitored after approval?
- What incidents, complaints, outages, provider changes, or subcontractor changes have occurred?
- What happens if the bank needs to terminate or move the service?
The evidence matters because examiners do not only ask whether a bank has a policy. They ask how the policy works in real relationships.
Evidence teams should maintain
- Third-party risk management policy and governance framework.
- Inventory of third-party relationships with risk tier, owner, service, contract, data, systems, and criticality fields.
- Planning and risk assessment records.
- Due diligence and third-party selection evidence.
- Contract review records and executed agreements.
- Ongoing monitoring results, issues, incidents, complaints, and remediation.
- Subcontractor and concentration-risk analysis where relevant.
- Termination, transition, business continuity, and exit evidence.
- Board, committee, management, and independent review reporting.
Common gaps
- The inventory lists vendors but does not show which relationships are critical, customer-facing, data-sensitive, or operationally important.
- Due diligence is strong at onboarding but weak after renewal, incident, acquisition, or service change.
- Contracts are reviewed by legal, but contract obligations do not become monitoring tasks.
- The bank cannot easily connect a provider incident to affected products, systems, customers, contracts, and remediation.
- Exit planning is not tested for relationships the bank would struggle to replace.
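The gaps above are, in practice, missing fields and missing joins in the third-party register. The following added example (not Halbarad code, not from the guidance) models a minimal register with the fields listed earlier and runs two checks over constructed sample records: it flags higher-risk contracts missing rights, untested exit plans for critical relationships, and diligence that predates a material change, and it maps a provider incident id back to the affected relationships. The provider names, rights vocabulary, and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Relationship:
    """One row of the third-party register (hypothetical schema)."""
    name: str
    owner: str
    risk_tier: str                 # "critical", "high", "moderate", "low"
    service: str
    handles_customer_data: bool
    contract_rights: set           # rights actually present in the executed agreement
    last_diligence: date
    last_material_change: Optional[date]
    exit_plan_tested: bool
    incidents: list = field(default_factory=list)  # provider incident ids linked to this row

# Assumed minimum rights for elevated-risk contracts (audit/access, notification, termination).
REQUIRED_RIGHTS = {"audit_access", "incident_notification", "termination", "subcontractor_notice"}

def find_gaps(register):
    """Return (relationship name, gap) pairs mirroring the common gaps above."""
    gaps = []
    for r in register:
        elevated = r.risk_tier in ("critical", "high") or r.handles_customer_data
        if elevated:
            missing = REQUIRED_RIGHTS - r.contract_rights
            if missing:
                gaps.append((r.name, "contract missing rights: " + ", ".join(sorted(missing))))
            if r.risk_tier == "critical" and not r.exit_plan_tested:
                gaps.append((r.name, "exit plan not tested"))
        # Diligence must be refreshed after a material change, not only at onboarding.
        if r.last_material_change and r.last_material_change > r.last_diligence:
            gaps.append((r.name, "diligence predates material change"))
    return gaps

def relationships_for_incident(register, incident_id):
    """Join a provider incident id to the affected relationships, owners and services."""
    return [(r.name, r.owner, r.service) for r in register if incident_id in r.incidents]

# Constructed sample register: providers, dates and incident ids are fictional.
REGISTER = [
    Relationship("CoreHost (constructed)", "IT Ops", "critical", "core banking hosting", True,
                 set(REQUIRED_RIGHTS), date(2024, 3, 1), None, True, ["INC-001"]),
    Relationship("PayCo (constructed)", "Payments", "high", "card processing", True,
                 {"termination"}, date(2023, 1, 15), date(2024, 6, 1), False, ["INC-001", "INC-002"]),
    Relationship("MarketMail (constructed)", "Marketing", "low", "email campaigns", False,
                 set(), date(2024, 5, 1), None, False, []),
]
```

Running `find_gaps(REGISTER)` reports only the PayCo row (missing contract rights and stale diligence), and `relationships_for_incident(REGISTER, "INC-001")` returns both rows that share that incident.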
How Halbarad helps
Halbarad helps banks convert the interagency guidance into a working life-cycle record. It can connect the third-party inventory to due diligence, contracts, evidence, approvals, monitoring, issues, and termination planning.
Halbarad can help teams:
- maintain a third-party register with risk tier, owner, service, criticality, data, contract, evidence, monitoring, and exit fields;
- use Spark Assessment to start diligence from public evidence, trust centers, attestations, incident history, and framework mappings;
- use Nth-Party Discovery to identify subcontractors, fourth parties, fifth parties, and concentration exposure;
- use Continuous Monitoring to watch provider incidents, outages, advisories, status-page changes, trust-center updates, and material changes;
- route approvals, residual risk decisions, findings, remediation, reporting, and audit trail through Governance workflows.
Halbarad helps teams operationalize, document, monitor, and evidence third-party risk management. It does not ensure compliance or replace supervisory judgment.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.