Third-Party Risk Management (TPRM): Final Interagency Guidance
Replaces each agency’s prior third-party guidance; reiterates sound risk management

KPMG Regulatory Insight
- Replaces each agency’s prior guidance on third-party risk management; third-party “business arrangements” are defined to capture the full range of third-party relationships.
- Principles-based, allowing for a risk-based approach that can be adjusted to the unique circumstances of each third party; places the most comprehensive considerations on “higher-risk” activities, including “critical activities”; examples provided are illustrative and non-exhaustive.
- Expect continued supervisory intensity, particularly for large organizations, for “new or novel structures and features” such as fintech ‘partnerships’, and for services supporting “critical activities”.
- Reiterates the importance of sound risk management regardless of bank size and varying with the degree of risk and complexity of each third-party relationship; not expressly “tailoring”, but with acknowledgement of potential use of industry utilities, consortiums, and/or third-party certifications.
- TPRM expectations throughout life cycle (planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination).
June 2023
The FRB, FDIC, and OCC (collectively, Agencies) jointly issued final third-party risk management guidance. The guidance replaces each agency’s prior guidance on the topic and is applicable to all of their supervised banking organizations.
Third-Party Relationships
Banking organizations’ use of third parties to perform “business arrangements”, as defined, does not diminish their responsibility to operate in a safe and sound manner and in compliance with applicable laws and regulations; the term is intended to capture the “full range of third-party relationships that may pose a risk to banking organizations”. The guidance states that it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes accordingly.
The Agencies’ final TPRM guidance is organized into four sections: 1) risk management, 2) third-party relationship life cycle, 3) governance, and 4) supervisory reviews.
Risk Management. As part of sound TPRM, banking organizations would:
- Analyze the risks associated with each third-party relationship and tailor risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the individual third-party relationship.
- Maintain “complete” inventories of third-party relationships and periodically conduct risk assessments for each third-party relationship to support changes in risk determinations over time and to update risk management practices accordingly.
- Engage in “more comprehensive and rigorous oversight and management” of third-party relationships that support “higher-risk” activities, including “critical activities”. “Critical activities” include those that could:
- Cause the banking organization to face significant risk if the third party fails to meet expectations.
- Have significant customer impacts.
- Have a significant impact on the banking organization’s financial condition or operations.
Third-Party Relationship Life Cycle. Effective TPRM follows the life cycle of third-party relationships and requires the involvement of staff with the requisite knowledge and skills at each stage of risk management, as well as “experts” across disciplines (e.g., compliance, risk, technology, legal). The TPRM life cycle includes:
Life Cycle | Actions | Factors may consider:
---|---|---
Planning | |
Due Diligence and Selection | |
Contract Negotiation | |
Ongoing Monitoring | |
Termination | |

Note (Due Diligence and Selection): The regulators state that collaborative efforts to reduce the burden of due diligence do not abrogate the responsibility of the banking organization to manage third-party relationships in a safe and sound manner. Further, where there are challenges collecting information from third parties, the guidance provides that banking organizations should consider taking steps to mitigate risks or determine whether the residual risk is acceptable. With regard to subcontractors, the guidance clarifies that the focus should be on the banking organization’s approach to evaluating its third party’s own processes for overseeing subcontractors and managing risk.
Governance. Regardless of how banking organizations structure their TPRM and governance processes (e.g., dispersed across business lines or centralized under compliance, information security, procurement, or risk management functions), the following governance practices should be considered through the TPRM life cycle, commensurate with risk and complexity.
Governance | Actions | Factors may consider:
---|---|---
Oversight and Accountability | Management; Board |
Independent Reviews | |
Documentation and Reporting | |

Note (Oversight and Accountability): The guidance seeks to avoid the appearance of a prescriptive approach to the board’s role in the risk management life cycle while emphasizing its ultimate oversight responsibility.
Supervisory Reviews. The scope of supervisory reviews will depend on the degree of risk and the complexity associated with the bank’s activities and third-party relationships and will be part of standard supervisory processes.