SR 24-2: Third-Party Risk Management: A Guide for Community Banks

Skip to main content

An official website of the United States Government Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Sections

Search

Search Submit Button

Supervision and Regulation Letters

Share

?body=https://www.federalreserve.gov/supervisionreg/srletters/SR2402.htm&subject=SR 24-2 / CA 24-1

PDF

RSS

By topic

SR 24-2 / CA 24-1: Third-Party Risk Management: A Guide for Community Banks

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D.C. 20551

DIVISION OF SUPERVISION AND REGULATION

DIVISION OF CONSUMER AND COMMUNITY AFFAIRS

SR 24-2 / CA 24-1

May 7, 2024

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT:

Third-Party Risk Management: A Guide for Community Banks

Applicability: This letter applies to all banking organizations with $10 billion or less in consolidated assets supervised by the Federal Reserve.

The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies) are releasing a guide intended to assist community banks when developing and implementing their third-party risk management practices. While this guide is written for a community bank audience, banking organizations of all sizes and risk profiles may find it useful. This guide is intended as a voluntary resource for community banks to view in tandem with the June 2023 Interagency Guidance on Third-Party Relationships: Risk Management . 1

This guide offers potential considerations, resources, and examples through each stage of the third-party risk management life cycle. It does not prescribe specific risk management practices nor establish any safe harbors for compliance with laws or regulations. In addition, this guide does not have the force and effect of law and does not impose any new requirements on banking organizations.

Reserve Banks are asked to distribute this letter to the supervised banking organizations in their districts and to appropriate supervisory staff. We encourage banking organizations to provide feedback on this guide, including regarding the clarity and transparency of supervisory expectations for community banks in their management of third-party risk. Banking organizations may provide any feedback or send questions via the Board’s public website. 2

signed by Michael S. Gibson Director Division of Supervision and Regulation

signed by Eric S. Belsky Director Division of Consumer and Community Affairs

Attachments:

Third-Party Risk Management: A Guide for Community Banks

Cross References:

SR letter 23-4, “Interagency Guidance on Third-Party Relationships: Risk Management”

SR letter 22-4/CA letter 22-3, “Contact Information in Relation to Computer-Security Incident Notification Requirements”

SR letter 21-15/CA letter 21-11, “Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies”

Notes:

Available at https://www.federalreserve.gov/supervisionreg/srletters/SR2304.htm . Return to text.

https://www.federalreserve.gov/apps/contactus/feedback.aspx . Return to text.

Back to Top

Last Update: May 07, 2024