On September 28, FHFA released Advisory Bulletin AB 2018-08, which provides guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (regulated entities) on the evaluation and management of risks associated with third-party provider relationships. (FHFA defines a third-party provider relationship as a “business arrangement between a regulated entity and another entity that provides a product or service.”)
The bulletin sets forth the structure and describes the features of the third-party provider risk management programs that FHFA expects regulated entities to establish. With respect to governance, the bulletin recommends such programs address: (i) the responsibilities of the board and senior management; (ii) policies, procedures, and internal standards; and (iii) the implementation of a reporting system to ensure management and the board are adequately informed. The bulletin also specifies that an effective program include policies and procedures that cover each of the following phases of a third-party provider relationship life cycle: (i) Risk Assessment; (ii) Due Diligence in Third-Party Provider Selection; (iii) Contract Negotiation; (iv) Ongoing Monitoring; and (v) Termination. The bulletin suggests that regulated entities should ensure that their third-party risk management corresponds with the level of risk and complexity of their third-party relationships and notes that not every aspect of the bulletin may apply to every relationship.