Wipfli logo

Bank on Wipfli - Blog and Podcast


Policy breakdown: Latest FFIEC guidance on third-party relationships

Oct 09, 2023
By: Pedro J. Pinto

On June 6, 2023, the Federal Financial Institutions Examination Council’s (FFIEC’s) latest guidance on third-party relationships went into effect.

The guidance was co-issued by the Federal Deposit Insurance Corporation, the Federal Reserve Bank and the Office of the Comptroller of the Currency. While also a member of the FFIEC, the National Credit Union Association did not participate in the combined draft and maintained its own guidance instead.

What changed in the final FFIEC guidance?

The vendor review process did not significantly change in the final guidance. However, it defined a single set of standards that all three agencies will follow and that financial institutions are required to follow. Perhaps most importantly, the guidance responded to several questions that financial institutions submitted during the comment period. For example:

What is a critical vendor?

Regulators clarified that a vendor’s risk is dependent on the risk of the services or products they provide. In other words, a critical vendor is one that supports a critical activity for the institution.

What are critical activities?

Regulators defined critical activities as those that:

  • Cause a banking organization to face significant risk if the third party fails to meet expectations.
  • Has significant customer impacts.
  • Has a significant impact on a banking organization’s financial condition or operations.

Moving the focus from the vendor to the activity aims to provide a more accurate assessment of risk. Two institutions could share a vendor but rate their criticality differently based on the services they provide.

Comments from financial institutions

Regulators also addressed comments that the guidance was not fair to smaller institutions which have the same requirements as those with billions in assets. Regulators stated requirements are the same, but the size and complexity of an institution will be taken into consideration when reviewing vendor management programs.

Moreover, they did not prescribe a specific method, template or tool for assessing vendor risk. It’s up to each institution to adopt a methodology that fits their environment, staff size and expertise, budget, etc.

How Wipfli can help

Our quarterly IT Leadership Roundtable hosted a comprehensive discussion about the guidance in August. Watch the webinar on demand.

If you need help determining how the FFIEC guidance will affect your organization, reach out to the specialists at Wipfli. Our experienced team is up to speed on the latest guidance and can offer best practices and insight to help you stay compliant. Contact us today to learn more.

Sign up to receive additional financial institutions content and information in your inbox or continue reading on:


Pedro J. Pinto, CISA
View Profile
Bank on Wipfli blog
Subscribe to Bank on Wipfli - Blog and Podcast