T2
FHFA
Medium Confidence
Guidance
Oversight of Third-Party Provider Relationships
Enhanced oversight and risk management of third-party provider relationships for FHFA-regulated entities
MODERATE
Impact Level
Top: third party risk (4)
Classification
- Regulatory Program
- FHFA Third-Party Risk Management
- Doc Type
- Guidance
- Effective Date
- 2026-09-14 (est.)
- Days to Action
- 60
- Comment Deadline
- —
- Published
- —
Urgency Basis
Advisory bulletin guidance requires implementation within 30-90 days for examination readiness
Operational Context
Flags
Examination Focus
Board Reporting Required
Systems Change Required
Legal Review Required
Affected Functions
Risk Management
Vendor Management
Compliance
Legal
Internal Audit
Board Risk Committee
Institution Applicability
Federal Home Loan Banks
Fannie Mae
Freddie Mac
Fhfa-Regulated Entities
Impact by Category
Compliance
3
Operational
3
Data Governance
2
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
4
Key Requirements
- Implement comprehensive third-party risk management framework
- Establish board-level oversight of third-party relationships
- Conduct due diligence and ongoing monitoring of critical vendors
- Develop incident response procedures for third-party disruptions
- Maintain inventory of all third-party relationships with risk assessments
Scoring Rationale
Advisory bulletin guidance creates moderate compliance and operational impact requiring policy development and process implementation. Primary impact on third-party risk management with secondary effects on operational controls and compliance frameworks. Limited capital/liquidity impact but examination focus creates urgency for implementation.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.