Financial Institution Letter
FIL-44-2008
June 6, 2008
THIRD-PARTY RISK
Guidance for Managing Third-Party Risk
Summary: The attached FDIC guidance describes potential risks arising from third-party relationships and outlines risk management principles that may be tailored to suit the complexity and risk potential of a financial institution's significant third-party relationships.
Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Chief Executive Officer
Chief Financial Officer
Chief Compliance Officer
Chief Risk Officer
Related Topics:
Risk Management
Third-Party Contracts
Outsourcing Arrangements
FFIEC IT Handbook on Outsourcing Technology Services (June 2004)
Required Notification for Compliance with the Bank Service Company Act
Attachment:
Guidance for Managing Third-Party Risk
Contact: Senior Examination Specialist Kenyon T. Kilber (Risk Management) at kkilber@fdic.gov or (202) 898-8935, or Policy Analyst Victoria Pawelski (Compliance) at vpawelski@fdic.gov or (202) 898-3571
Note:
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at http://www.fdic.gov/news/news/financial/2008/index.html.
To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).
Highlights:
Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.

Management should tailor the principles contained in this guidance to each significant third-party arrangement, taking into consideration such factors as the complexity, magnitude, and nature of the arrangement and associated risks. This guidance outlines the potential risks that may arise from the use of third parties and addresses the following four basic elements of an effective third-party risk management program:
• Risk assessment
• Due diligence in selecting a third party
• Contract structuring and review
• Oversight

This guidance is based on and supplements the principles contained in policy guidance that has previously addressed third-party risk in the context of specific functions, such as information technology. This guidance is intended to assist in the effective management of third-party relationships, and should not be considered as a set of required procedures.
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
Inactive