Pontoon's perspective: Considerations for interagency guidance on third party risk management (TPRM)


The Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have collectively proposed updated guidance on managing Third-Party relationships. Previously provided by each agency individually, the new joint guidance, “Interagency Guidance on Third-Party Relationships: Risk Management (TPRM)”, was formally released on 6 June 2023.





In Pontoon’s review of the agency update on third-party risk management, the following themes have been identified:

  • A consistent approach is needed across all banking organisations and fintech firms that outlines one supervisory process, regardless of the previous regulator alignment.
  • Ensure that financial institutions are operating in a safe and sound manner by outlining regulatory requirements that match the level of risk introduced, regardless of an institution’s asset size.
  • The significant change in the number of services outsourced by these organisations calls for enhancements to the Third-Party management framework to appropriately care for the risks introduced.
  • At the same time, the industry has seen increased cybersecurity breaches, data privacy violations and other adverse events impacting financial institutions through these third-party relationships.


Based on the aforementioned themes, financial institutions need to consider the following: 

Not all third-party relationships create the same level of risk

Impacted financial institutions, and their managed service providers for Third-Party processes, need to review the services provided to determine the criticality of each relationship and identify the appropriate risk mitigation path to include due diligence, ongoing monitoring, and artifact assessment.

Be mindful of potential antitrust and privacy violations

The new guidance explicitly states that banks can collaborate to reduce the amount of effort required to complete necessary due diligence but are still accountable for operating in a safe and sound manner. Financial institutions and their partners will need to be mindful of potential antitrust and privacy violations as they look to collaborate.

An increase in critical relationships

A “critical relationship” has been redefined to include activities that may significantly impact a banking organisation’s financial condition or operations, meaning more relationships may rise to the “critical” level.

Impacts will vary

Organisations previously governed by the OCC will likely not experience a significant impact. Financial institutions that were held to the FDIC and FRB standards historically may need to review existing Third-Party Risk Management frameworks for necessary enhancements both internally and with their impacted service providers.

Understanding the role of contingent workforce partners in supporting the new interagency guidance

As the leading provider of MSP (Managed Services Provider) services to financial services clients, Pontoon embeds the regulatory obligations of our clients into our everyday operations. We continue our ongoing support of client obligations by ensuring our Third-Party Risk Management activities meet the expectations of our customers’ regulators:

  • Leveraging our proprietary platform to complete comprehensive assessments, collect due diligence questionnaires, and review supplier documentation before entering a relationship and throughout the lifecycle of our supplier partnerships.
  • Ensuring the scope and depth of due diligence on the Third-Party relationships managed on behalf of clients is commensurate with the level of risk and complexity associated with that relationship.
  • Evaluating the totality of the Third-Party relationships across all client engagements, ensuring a comprehensive review that accounts for risks across the broader customer footprint.
  • Monitoring process risks, associated controls, and regulatory guidance; proactively driving updates to programme teams and collaborating with our client legal teams to align on potential impacts through the full lifecycle of Third-Party relationships.
  • Identifying sub-contractors working in support of client initiatives and notifying client stakeholders to ensure appropriate 4th party review is completed.
  • Performing co-employment risk exposure and risk mitigation strategy review on an annual basis, through Pontoon Instinct, our speciality advisory practice, to protect from the potential impacts of unanticipated liabilities.


The information provided herein does not, and is not intended to, constitute legal advice; all information, content, and materials available in this newsletter are for general informational purposes only. Information herein may not constitute the most up-to-date legal or other information. You should contact your attorney to obtain advice concerning any legal matter, including but not limited to the general information contained herein.
