INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.
Financial Institution Letter

Third-Party Risk: Guidance for Managing Third-Party Risk

Summary: The attached FDIC guidance describes potential risks arising from third-party relationships and outlines risk management principles that may be tailored to suit the complexity and risk potential of a financial institution's significant third-party relationships.

Highlights:
Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.

Management should tailor the principles contained in this guidance to each significant third-party arrangement, taking into consideration such factors as the complexity, magnitude, and nature of the arrangement and associated risks. This guidance outlines the potential risks that may arise from the use of third parties and addresses the following four basic elements of an effective third-party risk management program:

  • Risk assessment
  • Due diligence in selecting a third party
  • Contract structuring and review
  • Oversight
This guidance is based on and supplements the principles contained in policy guidance that has previously addressed third-party risk in the context of specific functions, such as information technology. This guidance is intended to assist in the effective management of third-party relationships, and should not be considered as a set of required procedures.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Financial Officer
Chief Compliance Officer
Chief Risk Officer

Note:
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/ .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

Additional Related Topics:

  • Risk Management
  • Third-Party Contracts
  • Outsourcing Arrangements
  • FFIEC IT Handbook on Outsourcing Technology Services (June 2004)
  • Required Notification for Compliance with the Bank Service Company Act
FIL-44-2008
Last Updated: June 6, 2008