Proposed Interagency Guidance on Third-Party Relationships: Risk Management

Summary

SIFMA provided comments to the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) on the proposed interagency guidance on third-party relationships and appropriate risk management practices for their respective supervised banking organizations.

Submitted To

Federal Reserve, FDIC, OCC

Submitted By

SIFMA

Date

4 October 2021

Excerpt

October 4, 2021

VIA ELECTRONIC SUBMISSION

Ann E. Misback
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue NW
Washington, DC 20551

James P. Sheesley, Assistant Executive Secretary
Attention: Comments-RIN 3064-ZA26, Legal ESS
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington D.C. 20429

Chief Counsel’s Office
Attention: Comment Processing
Office of the Comptroller of the Currency
400 7th Street SW, Suite 3E-218
Washington, DC 20219

Re: SIFMA Comment on Proposed Interagency Guidance on Third-Party Relationships: Risk Management (Docket No. OP-1752; FDIC RIN 3064-ZA26; Docket ID OCC-2021-0011)

Dear Sirs and Madams:

The Securities Industry and Financial Markets Association (“SIFMA”)1 appreciates the opportunity to submit this letter to the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (the “OCC” and, collectively with the Board and FDIC, the “Agencies”) on the proposed interagency guidance (the “Proposed Guidance”) on third-party relationships and appropriate risk management practices for their respective supervised banking organizations.2

SIFMA welcomes the Agencies’ efforts to increase transparency and consistency regarding expectations for third-party relationship risk management practices. Consistent with SIFMA’s membership and organizational focus, our comments focus on issues most relevant for broker-dealers, the securities industry and the capital markets businesses and activities of our members, including our bank-affiliated members.

Executive Summary

Four principles motivate our comments. First, the scope of relationships covered by the Proposed Guidance is unnecessarily broad. Many third-party relationships merit the type of risk management envisioned by the Proposed Guidance, but not all relationships do. Therefore, there are instances in which the scope of the Proposed Guidance may be more circumscribed without undermining the core policy objectives at issue, which fundamentally are to encourage and facilitate sound risk management. Second, various relationships within the scope of the Proposed Guidance should be subject to a more tailored approach. In some cases, banking organizations simply are restricted in their ability to conduct diligence and negotiate contracts. In other cases, we believe the Agencies can and should play a role in addressing risks that third parties present. Third, although boards of directors have an important role to play in overseeing all risk management at banking organizations, including third-party risk management, the final guidance should not place unduly prescriptive expectations on boards. Fourth, we support the Agencies’ endorsement of a risk-based approach as this allows firms to take into account the level of risk, complexity and the nature of the third-party relationship. Accordingly, consistent with these principles and as explained below, SIFMA respectfully requests that the Agencies:

  • narrow the definition of “business arrangement”, align the definition of “critical activity” and clarify the role of the board of directors;
  • acknowledge that banking organizations may tailor risk management procedures for third parties that are subject to supervision and regulation;
  • clarify that the Proposed Guidance would not apply to relationships with data aggregators established pursuant to any final rule implementing section 1033 of the Dodd-Frank Act and clarify how the Proposed Guidance would apply to other data aggregation and screen-scraping circumstances;
  • update how the Proposed Guidance treats relationships with information communication technology vendors, including cloud computing service providers, given the unique nature of such relationships; and
  • more generally, revise the expectations regarding relationships with third parties where banking organizations have limited ability to acquire information, negotiate with and oversee the party.

In addition, we ask the Agencies to ensure that the final guidance and any FAQs that are incorporated into the final guidance are consistent with the Agencies’ respective approach on supervisory guidance.3

1 SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s nearly one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association.

2 86 Fed. Reg. 38182 (July 19, 2021)

3 12 CFR Part 4, Subpart F; id. at 262.7; id. at Part 302. Certain aspects of the Proposed Guidance appear inconsistent with recently adopted regulations clarifying that supervisory guidance does not form a basis for enforcement actions. For example, Section D (Supervisory Reviews of Third-Party Relationships) states, “actions [based on deficiencies in supervisory findings] may include issuing Matters Requiring Attention, Matters Requiring Board Attention, and recommending formal enforcement actions”. This statement should be clarified and, more generally, the final guidance, including any FAQ incorporated into the final guidance, should be drafted to avoid suggesting it establishes requirements on banking organizations.