Understanding FDIC third-party risk management guidance and how Halbarad helps


FDIC-supervised institutions use the interagency third-party risk guidance to manage risks from outside relationships across planning, due diligence, contracting, monitoring, and termination. The guidance is not limited to vendors labeled as outsourcing providers. It covers business arrangements that create risk for the institution.

Official sources

The FDIC describes the guidance as principles supporting a risk-based approach to third-party relationship risk management at each stage of the relationship life cycle.

What the guidance expects

FDIC-supervised institutions should match oversight to risk. A low-risk office supplier and a core banking technology provider should not go through identical review. The institution should identify the relationships that affect operations, customers, compliance, technology, data, or resilience and keep evidence showing how those relationships are managed.

What to operationalize

  • third-party inventory and risk tiering;
  • pre-contract planning and due diligence;
  • contracts with performance, reporting, confidentiality, security, audit, subcontracting, continuity, and termination protections;
  • monitoring for performance, incidents, complaints, issues, and changes;
  • termination and transition planning;
  • governance, management reporting, and independent review.

Evidence to maintain

  • Third-party risk policy and lifecycle procedures.
  • Provider inventory and risk assessments.
  • Due diligence and approval records.
  • Contract review evidence.
  • Monitoring, issue, incident, and remediation evidence.
  • Exit and contingency planning evidence.
  • Management and board reporting.

Common gaps

  • Third-party records are kept for onboarding but not maintained during the relationship.
  • Provider issues are resolved locally without program-level reporting.
  • Subcontractor changes and provider outages are not treated as reassessment triggers.
  • Exit plans are not realistic for important relationships.

How Halbarad helps

Halbarad helps FDIC-supervised institutions maintain the evidence trail behind third-party risk decisions. It supports provider records, diligence, Nth-Party Discovery, continuous monitoring, issues, remediation, approval history, and reporting.

Halbarad helps run and evidence the program. It does not replace FDIC guidance or supervisory expectations.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.