FDIC Announces Lineage Bank Consent Order Containing Third-Party Risk Management Program and Fintech Partnership Orders

[co-author: Matthew Bornfreund]

The Federal Deposit Insurance Corporation (FDIC) recently announced a consent order with Tennessee-based Lineage Bank containing orders relating to the bank’s third-party risk management program and its financial technology (fintech) partners.

Under the terms of the consent order, the FDIC has ordered, among other things, that:

  • The bank’s board of directors (the board) increase its participation in the bank’s affairs by assuming full responsibility for the approval of the bank’s policies and for the supervision of the bank’s management.
  • Within 30 days, the bank shall undertake a review and assessment to determine the adequacy of existing reserve account balances to cover all liabilities related to any fintech relationships.
  • Within 60 days, the board shall submit a general contingency plan to the FDIC’s Regional Director detailing how it will administer an effective and orderly termination with significant fintech partners.
  • Within 90 days, the board shall implement a plan to enhance the internal audit functions to include evaluation of risk controls for high-risk areas of the bank, including onboarding deposits obtained through third parties, processing payments obtained through third parties, and sweeping deposits.
  • Within 90 days, the bank shall engage a qualified independent firm to complete an assessment and report of existing relationships with fintech partners.
    • Within 30 days of receipt of the report, the board shall develop a written plan to correct any deficiencies or recommendations identified in the report and shall monitor progress in addressing recommendations at least monthly. The board’s monthly monitoring shall be documented and submitted to the FDIC’s Regional Director.
  • Within 90 days, the board shall formalize the process for accepting new fintech partners in the form of a written “formal onboarding process.”
  • Within 120 days, the board shall adopt a written program to assess and manage the risks posed by relationships with fintech companies. Such plan will be provided to the FDIC’s Regional Director for review and comment.
    • Thereafter, the board shall engage a qualified third party to assess the adequacy and effectiveness of the risk management program at least annually and amend the program to maintain effectiveness as needed or directed by the FDIC.

The formal onboarding process required under the terms of the consent order, which tracks prior interagency guidance and should serve as a roadmap for other banks in the space, must include provisions requiring the completion of due diligence for each proposed fintech partner relating to, at a minimum, a written assessment of:

  • The financial condition of the potential fintech partner;
  • Proposed contracts between the bank and the fintech partner;
  • Type and volume of anticipated activity under the program;
  • Bank management’s experience associated with the activity proposed by the fintech partner;
  • Readiness of the bank’s system for processing transactions related to the fintech partner;
  • Registration or licensing requirements;
  • Expected additional parties or companies involved in the program;
  • Marketing and consumer and deposit insurance disclosures of the fintech partner;
  • Compliance with applicable laws and regulations by the fintech partner;
  • Quantified analysis of how the fintech partner is expected to impact the bank’s financial measures including asset totals, capital ratios, earnings, liquidity, and sensitivity to market risk; and
  • Approval authority for the fintech partner, including the role of the board.

Our Take:

This consent order is the latest in a series of regulatory enforcement actions dealing with third-party risk management programs and fintech partner issues — clearly evidencing the regulators’ increased focus on this area. This should not be a surprise since, as discussed here, in June 2023, the FDIC, along with the Board of Governors of the Federal Reserve System (FRB) and Office of the Comptroller of the Currency (OCC), issued guidance to banking organizations on managing the risks associated with third-party relationships. The June 2023 interagency guidance provided: (i) principles for a banking organization to consider through each stage of its third-party relationship “life cycle” from planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination; and (ii) considerations that banking organizations use as part of sound risk management planning (i.e., specific consideration of whether a fintech may have access to or use consumers’ information or otherwise interact with consumers).

While the FDIC does not provide specific allegations as to what led to this consent order, through the series of regulatory actions on this topic, we are seeing an increased emphasis on ongoing monitoring of third parties and the risks posed by the bank’s various fintech partners, including:

  1. Fintechs with whom the bank has a direct relationship (Direct Fintechs) or an indirect relationship through a banking-as-a-service (BaaS) intermediary (Intermediaries); and
  2. Fintechs with whom the bank’s Direct Fintechs or Intermediaries have a business relationship (Third-Party Fintechs) through which any funds or transactions are processed by the bank.

Notably, per this order, the FDIC ordered the bank to:

  • “not enter into any new line of business or expand a current business line that would result in annual 10 percent growth in total assets or total liabilities without the prior written consent of FDIC Dallas Regional Director;” and
  • “refrain from onboarding any new fintech partners or ACH end-customers via FinTech Partners until the Formal Onboarding Process has been submitted to the Regional Director for review and comment, approved by the Board, and thereafter implemented.”

We’ve seen similar stoppage requirements over multiple consent orders by the federal banking regulators.

In light of the series of regulatory actions, banks will need to consider whether their third-party risk management programs are up to date and sufficiently rigorous, particularly as they assess their BaaS programs and the types of fintech involvement contained within those programs.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper