The Federal Deposit Insurance Corporation (FDIC) has stated that “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, including lending relationships, and for identifying and controlling the risks arising from such relationships as if the activity were handled within the institution.”1

On July 29, 2016, the FDIC released proposed guidance that institutions should adhere to in lending arrangements through third parties. The guidance applies to all FDIC-supervised institutions that engage in third-party lending. The FDIC has opened the forum for public commentary through September 12, 2016.2


In 2008, the FDIC released initial guidance on the potential risks around third-party relationships and outlined principles for managing and mitigating those risks. The initial guidance outlined the four basic elements of an effective third-party risk management program, centered around:3

  • Risk assessment
  • Due diligence in selecting a third party
  • Contract structuring and review
  • Oversight

As the prevalence of third-party lending has grown over time, the FDIC provided this additional guidance, which builds upon these established principles. The additional guidance seeks to provide expectations for effective risk management and compliance for FDIC-supervised institutions when lending through a business relationship with a third party.

The Proposed Guidance defines third-party lending as “… a lending arrangement that relies on a third party to perform a significant aspect of the lending process…”4 Third-party lending arrangements can give institutions the ability to strategically lower the cost of delivering credit products, which helps support profitability goals. However, these arrangements can also present a number of associated risks, and management should take into account the type of lending activity, complexity, volume, and number of third-party lending relationships when evaluating risk.5

Types of Third-Party Lending Arrangements

Institutions have been contracting with third parties to perform various processes, which would preclude a third-party lending arrangement, including: “marketing, borrower solicitation, credit underwriting, loan pricing, loan origination, retail installment sales contract issuance, customer service, consumer disclosures, regulatory compliance, loan servicing, debt collection, and data collection, aggregation, or reporting.”6 Additionally, arrangements may come in the form of FDIC-insured institutions originating loans: for third parties, through third-party lenders (or jointly with third-party lenders), or using platforms developed by third parties.7

Risks from Third-Party Lending Relationships

The FDIC guidance illustrates that institutions should be aware of the following risks as a baseline for third-party lending programs.

Risk Type – Description
Strategic Risk – Arrangements with third parties may increase strategic risk for institutions. As lending is a core banking function, the use of third parties to perform certain functions exposes the institution to strategic risk if strategic business objectives and goals are not aligned and the third-party activity is not monitored to achieve these goals.
Operational Risk – Exercising third-party relationships to execute operational functions can increase operational risk, as internal bank processes should be integrated with the third party, thereby potentially increasing the overall operational complexity. Key lending functions may be conducted away from the bank, resulting in less direct oversight and additional risk.
Transaction Risk – Significant amounts of growth in customers, transactions, and documents expose insured institutions to heightened levels of concern regarding adequate safety and soundness, control gaps, and additional failures.
Pipeline and Liquidity Risk – Pipeline and liquidity risks may arise due to transactions failing to complete, or funding not being available as expected. These risks may be realized if third parties fail in their responsibility for processes involved in the origination, funding, or sale/purchasing of loans.
Model Risk – Model risk may be heightened should institutions depend on models developed by (or used by) the third party. Models that are not adequately understood by the insured institution’s management, or that do not factor in all instrumental regulatory, compliance, economic and other relevant drivers, may result in additional model risk.
Credit Risk – Third-party arrangements may expose the FDIC institution to additional credit risk, as the ability to manage credit risk can be more challenging through an outside vendor. Underwriting controls, due diligence of borrowers, and the approval checks and balances of loans may be compromised without proper oversight should certain processes and responsibilities be passed on to a third party.
Compliance Risk – Compliance risk can manifest itself in various forms, including consumer and Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk. Consumer compliance risk may arise in numerous areas related to lending activities, including fair lending, debt collection, credit reporting, privacy, and unfair and deceptive acts or practices, among others. Additionally, institutions that rely on a third party to conduct any aspect of BSA/AML (i.e. customer information collection, due diligence, and suspicious activity monitoring and reporting) may be exposed to increased compliance risk, particularly if third parties lack the specialized BSA/AML knowledge and tools to meet compliance.

Source: “Examination Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, July 29, 2016. Access at:

Additional risk factors that the FDIC noted include: significant increases in origination volumes and/or the number of third-party arrangements, third-party arrangements being a material portion of the institution’s operations and strategy, material weaknesses identified in the management of third-party relationships, or a significant risk management, financial, or operational weakness noted in the third party itself.8

Third-Party Lending Risk Management Program

The key to the effective use of a third party in any capacity, including third-party lending relationships, is for the financial institution’s management to appropriately assess, measure, monitor, and control the risks associated with the relationship. A Third-Party Lending Risk Management Program should serve to address the components of an effective third-party risk management program described above, and institutions should establish and institute the program prior to entering into any significant third-party lending relationships. The FDIC outlined that the key elements of a program should include the following.9

Third-Party Lending Risk Management Program
Key Initiative and Consideration | Program Element | Detailed Guidance/Requirement

Developing a Third-Party Lending Risk Management Program

Strategic Planning – Institutions should evaluate the third-party lending activity and establish clear risk tolerance limits around the size of the program based on appropriate objectives, projections, and assumptions. Considerations for the management of third-party lending arrangements include required staffing, specialists, management, and tools. Back-up plans in the event of failure by the third party should also be created.
Third-Party Lending Policies – Third-party lending program policies should be developed by management and approved by the board. Policies should establish and define:

  • Limits
  • Roles and responsibilities
  • Minimum performance standards for third parties
  • Requirements for independent reviews
  • Program management oversight of each third-party arrangement
  • Monitoring, both for individual third parties and as part of the institution’s overall lending activity
  • Reporting processes
  • Require access to data and other program information
  • Define permissible loan types
  • Credit underwriting, administration and quality standards
  • Adequate consumer complaint process
  • Address capital and liquidity support and allowance for loan and lease loss considerations
  • Compliance officer to have the necessary authority, accountability and resources
  • Training program




Evaluating and Monitoring Third-Party Relationships

Risk Assessment – The risk assessment should confirm that the proposed third-party lending relationship fits within the institution’s strategic plan and business model and that management has the requisite knowledge to analyze and oversee the appropriateness of a particular third-party lending relationship. The arrangement/relationship and the associated risk should be reviewed over time.
Due Diligence and Oversight – Management should conduct due diligence on each third-party lending relationship to identify the suitability of the relationship, including whether management will be able to appropriately oversee the relationship going forward. Due diligence should include a review of the third party’s:

  • Policy and procedures
  • Credit quality of loans solicited or underwritten by the third party
  • Internal controls and internal/external audit
  • Knowledge and experience of management and staff
  • Repurchase activity and volume
  • Management information systems
  • Compliance management systems
  • Monitoring of its third-party data
  • Consumer complaints received
  • Information security program
  • Litigation or enforcement actions
  • Earnings strength and adequacy of capital
  • Stability of funding sources and back-up sources of liquidity


Model Risk Management – Institutions should understand models used by third parties in lending arrangements, including:

  • Developing an understanding of the model’s design and methodologies
  • Assessing data and model quality
  • Conceptual soundness
  • Determining that the model reflects the institution’s underwriting standards or pricing policies
  • Having models consider fluctuations in the economic cycles and unexpected events
  • Having models developed in compliance with applicable regulations


Vendors used by third parties should be reviewed, including:

  • Assessing the adequacy of the third party’s vendor management or third-party risk management process
  • For material vendor relationships, the institution should review the third party’s due diligence, risk assessment and oversight

Contract Structuring and Review – Relationships and loan sale/purchase agreements should be governed by written contractual agreements that clearly establish the rights and responsibilities of each party to the contract. Lending arrangements should review:

  • Indemnification, representations, warranties, and recourse terms should limit the institution’s exposure and should not expose the institution to substantial risk
  • Legal counsel review should include an analysis of the program and agreements to identify legal risk and an opinion concerning any potential recourse to the institution
  • Agreements should not limit the institution’s ability to sell loans to another entity if the third party is unable to purchase loans under the agreement
  • Termination rights should be sought for excessive risk exposure, material deterioration in the institution’s or third party’s financial condition, or if required by the state regulators or the FDIC
  • Contracts should provide the institution full discretion and authority to require the third party to implement policies and procedures for any function or activity it outsources to the third party or that are integral to joint activities with the third party
  • Contracts should allow the institution to have full access to any information or data necessary to perform its risk and compliance management responsibilities, including access to loan performance data, internal and external audits, and funding information
  • Establish protections for the institution due to a third party or subcontractor’s negligence, such as insurance

Supervisory Considerations for Third-Party Lending Relationships – Supervisory considerations should also be taken into account when managing third-party lending risks. Review and considerations include:

  • Credit Underwriting and Administration (including loss recognition and subprime programs)
  • Capital Adequacy
  • Liquidity
  • Profitability
  • Accounting and Allowance for Loan and Lease Losses
  • Consumer Compliance
  • Safeguarding Customer Information
  • Information Technology – Federal Financial Institutions Examination Council (FFIEC) Information Technology Handbook, “Outsourcing Technology Services.”

Source: “Examination Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, July 29, 2016. Access at:

Examination Procedures for Third-Party Lending Relationships

The FDIC provided the following guidance on examination procedures:

Review Cycle
  • For institutions with significant third-party lending program relationships, the examination cycle will be at least every 12 months and will include concurrent risk management and consumer protection examinations
  • More frequent examination activities, such as visitations or ongoing examinations, should be performed if significant risk is identified. Additional ongoing off-site monitoring should also be performed, including periodic reports on volumes, third-party relationship changes, consumer complaint trends, and credit performance
Parties Reviewed
  • Examiners will conduct targeted examinations of significant third-party lending arrangements and may also conduct targeted examinations of other third parties where authorized
Areas of Review
  • Review of corporate governance
  • Financial strength
  • Compliance management system
  • Credit underwriting and administration
  • Model risk management
  • Vendor management
  • Internal controls
  • Audit program
  • Safeguarding of customer information
  • Information technology
  • Consumer complaints and litigation
  • In certain cases, examination activities will include targeted reviews of compliance with fair lending laws (such as when lending through a dispersed network of third parties poses a heightened fair lending risk or when an institution is employing a model with untested or unproven inputs)
What examiners are looking for
  • Assess the level of risk posed to the institution by the third-party arrangement
  • Whether the risk is appropriately managed by the institution
  • Whether the third party is appropriately implementing agreed-upon policies and procedures and is in compliance with guidance, regulations, and laws applicable to the activities it performs on the institution’s behalf
  • Transaction testing of individual loans to assess compliance with consumer compliance regulations, underwriting and loan administration guidelines, credit quality, appropriate treatment of loans under delinquency, and re-aging and cure programs. The sample size of individual credit testing should be meaningful, and underlying documents and data inputs (including automated system inputs) should be reviewed
Report of Examination
  • Findings and deficiencies will be included in the report.
  • Weaknesses to be reflected in applicable component ratings, the management rating, and the composite rating (in accordance with the Uniform Financial Institutions Rating System).
  • Corrective action may include formal or informal enforcement action.  Enforcement actions may instruct institutions to discontinue third-party lending.

Source: “Examination Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, July 29, 2016. Access at:


  1. “Examination Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, July 29, 2016. Access at:
  2. “Financial Institution Letters, FDIC Seeking Comment on Proposed Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, FIL-50-2016, July 29, 2016. Available at:
  3. “Financial Institution Letters, Third-Party Risk Guidance for Managing Third-Party Risk,” Federal Deposit Insurance Corporation, FIL-44-2008, June 6, 2008. Access at:
  4. “Examination Guidance for Third-Party Lending,” Federal Deposit Insurance Corporation, July 29, 2016. Access at:
  5. Ibid.
  6. Ibid.
  7. Ibid.
  8. Ibid.
  9. Ibid.

Newsletter Author: Samantha Regan, Jae Ko, Michael Kim, Dayton Riddle

Newsletter Contact Person: Nghi Pham



This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.


Copyright © 2016 Accenture. All rights reserved.
