Complying with the Interagency Guidance on Third-Party Relationships Through External Risk Monitoring

On June 6, 2023, the Federal Reserve Board (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued final interagency guidance on managing third-party relationships. The guidance establishes a single, consistent framework and reinforces a core principle: banks remain fully responsible for third-party activities.

The guidance applies to all banking organizations, regardless of size or complexity, and covers any business arrangement that provides products or services, whether contractual or not. As banks increasingly rely on third parties, including fintechs and other specialized providers, expectations for third-party risk management (TPRM) have expanded significantly.

This whitepaper explains how external risk monitoring helps banks meet these expectations by strengthening risk-based oversight, due diligence, ongoing monitoring, and documentation.

Apply risk management based on risk level

The guidance makes clear that not all third-party relationships require the same level of oversight. Banks are expected to maintain an inventory of all third parties, regularly assess risk, and apply enhanced controls to higher-risk and critical relationships.

Critical activities are those that could:

  • Expose the bank to significant operational or financial risk
  • Significantly impact customers
  • Affect the bank’s overall operations or financial condition

How external risk monitoring helps

External risk monitoring supports risk-based oversight by providing continuous visibility into third-party risk. Monitoring external signals such as adverse media, sanctions exposure, regulatory actions, and consumer complaints allows banks to:

  • Maintain a current, risk-ranked third-party inventory
  • Identify which relationships warrant enhanced oversight
  • Detect emerging risks earlier
  • Adjust monitoring intensity as risk levels change

This enables banks to focus resources where they matter most, without overburdening low-risk relationships.

Strengthen risk-based due diligence

According to the guidance, due diligence must be completed before onboarding and be proportionate to the risk and complexity of the relationship. The guidance also recognizes that banks may not always be able to obtain all desired information directly from a third party. When information is limited, banks must document the gaps, understand the risks, and apply alternative methods or controls.

How external risk monitoring helps

When traditional documentation is incomplete, external risk monitoring can provide independent, alternative data that enhances due diligence. Moreover, it can help banks:

  • Validate third-party-provided information
  • Identify legal, regulatory, financial, and reputational risks earlier
  • Inform decisions to expand due diligence when red flags emerge
  • Document limitations and justify compensating controls

Using external data supports a well-documented, defensible due diligence process aligned with regulatory expectations.

Common types of alternative data used in third-party risk monitoring

Adverse media

Adverse media, also known as negative news, involves analyzing public and unofficial sources to identify potential risks associated with a company or a third party. It can reveal operational, financial, regulatory, or reputational issues well before they appear in official records, helping banks proactively identify red flags, protect their organizations, and remain compliant.

Consumer reviews

Consumer reviews can provide an early warning signal of potential risks by revealing operational, reputational, or compliance issues before they appear in financial records or news reports. Tracking trends in customer feedback, such as complaints about products, delivery, or services, can help organizations detect emerging risks at third parties, enabling proactive risk management and more informed decisions throughout the business relationship.

State-Owned Enterprises (SOEs)

SOEs are companies in which the government holds a full, majority, or significant minority ownership stake. Operating across industries from finance to infrastructure, they serve public policy objectives while engaging in commercial activities. Monitoring SOEs is essential to identify compliance, regulatory, and reputational risks associated with government affiliations.

Sanctions lists, watchlists, and blacklists

These are databases maintained by governments, regulators, and financial institutions to identify individuals, companies, or entities that pose elevated risks. Sanctions lists flag entities subject to government or international restrictions, such as those from OFAC, UN, or EU, helping organizations ensure compliance and avoid financial or legal exposure. Watchlists highlight individuals or organizations involved in financial crime, corruption, or terrorism financing, enabling early detection of potential risks. Blacklists include parties associated with illegal, unethical, or high-risk activities, such as disqualified directors, debarred suppliers, or sanctioned entities.

Politically Exposed Persons (PEPs)

PEPs are individuals in prominent public roles who may pose higher risks of bribery, corruption, or financial crime. Screening and continuous monitoring of PEPs help organizations meet AML and KYC obligations, reduce exposure to financial and reputational risks, and maintain global regulatory compliance.

Enable ongoing monitoring across the relationship lifecycle

The guidance emphasizes that TPRM does not end at onboarding. Banks must perform ongoing monitoring throughout the life of the relationship, with more frequent and comprehensive monitoring for higher-risk and critical third parties.

How external risk monitoring helps

By integrating external risk monitoring into (automated) monitoring efforts, banks gain an “outside-in” perspective, allowing them to detect emerging risks in real time rather than relying solely on periodic reviews. This approach enables banks to:

  • Identify changes in financial condition or regulatory standing
  • Detect cyber incidents, litigation, or enforcement actions
  • Monitor sanctions and PEP exposure
  • Track customer complaints and reputational risks
  • Escalate issues promptly and adjust oversight accordingly

External monitoring also complements traditional monitoring, triggering deeper investigations when needed and supporting independent validation of risk assessments.

Figure 1. How external risk monitoring supports ongoing TPRM under interagency guidance


Improve documentation and reporting

The guidance expects banks to document and report on third-party risk management throughout the lifecycle. Documentation supports internal oversight, independent reviews, and regulatory examinations.

How external risk monitoring helps

External risk monitoring can provide banks with a time-stamped, auditable record of third-party risk, strengthening documentation and reporting. It helps banks document:

  • A current inventory of third parties and risk tiers
  • Risk assessments supported by external indicators
  • Due diligence findings and documented information gaps
  • Monitoring results and changes in risk profiles
  • Escalation decisions and remediation actions

It also supports clearer reporting to senior management and the board by providing objective, trend-based insights into third-party risk exposure.

Putting it all together

The interagency guidance sets higher expectations for managing third-party risk across the entire lifecycle. Static, point-in-time approaches are no longer enough. By embedding external risk monitoring into their third-party risk frameworks, banks can gain greater visibility, make more informed risk-based decisions, and demonstrate robust compliance through enhanced monitoring, documentation, and reporting, all while maintaining full accountability for third-party risk.

Ensure compliance with the interagency guidance

Stay ahead of third-party risk and confidently meet regulatory expectations. With Owlin’s AI-powered external risk monitoring, your bank can gain real-time insights, strengthen due diligence, and simplify documentation, all while maintaining full accountability. Schedule a demo today to see how Owlin helps you focus on managing risk effectively.
