SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management

This guidance issued by the Federal Reserve in 2023 emphasizes that the scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship.

“A banking organization’s use of third parties does not diminish its responsibility to meet these requirements to the same extent as if its activities were performed by the banking organization in-house.”

“For certain relationships, clearly defined performance measures can assist a banking organization in evaluating the performance of a third party. In particular, a service-level agreement between the banking organization and the third party can help specify the measures surrounding the expectations and responsibilities for both parties.”