Framework for Managing Third Party Risk

Financial Institution Letter 44-2008 holds a bank’s Board of Directors and senior management ultimately responsible for managing activities conducted through third-party relationships.

A third party is defined as an entity that has “entered into a business relationship with a financial institution, whether the third party is a bank or nonbank, affiliated or not affiliated, regulated or non-regulated, or domestic or foreign.”

The Guidance provides a framework for assessing and managing third party risk that includes:

  • Risk categorization (strategic, reputation, operational, transaction, credit, compliance, other)
  • Contractual control areas (scope, compensation, performance standards, reports, audit, confidentiality, customer complaints, contingency plans, default and termination, dispute resolution, ownership and license, indemnification, and limits on liability)
  • The third party risk management process (Risk Assessment > Due Diligence > Selecting a Third Party > Contract Structuring and Review > Oversight)

The FDIC evaluates activities conducted through third parties as though the activities were performed by the institution itself.

Compliance Made Easy

Hiperos 3PM helps financial institutions simplify and streamline third party risk management by automating the identification, investigation, reporting and monitoring of third party risks so they are managed in accordance with FDIC guidelines.