Client Alert: Bank-Fintech Partnerships Update: Banking Agencies Finalize Key Risk Management Guidance

Jenner & Block

On June 6, 2023, federal banking agencies issued final Interagency Guidelines on Third-Party Relationships detailing their expectations for banks in establishing risk management practices with third parties—including fintechs. This final guidance from the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) replaces previously issued general guidance for each agency’s supervised banking organizations. While the guidance addresses all third-party relationships, the banking agencies have voiced specific concerns regarding the proliferation of bank-fintech partnerships.

Key Takeaways for Bank-Fintech Partnerships

  • A bank’s participation in a third-party partnership does not diminish the bank’s direct responsibility for ensuring that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.
  • Fintech partners of banks are likely to see banks imposing stricter conditions and oversight as their bank partners update third-party risk management processes to meet their own compliance obligations.
  • Fintechs and other non-bank service providers may also be subject to supervisory examination by the banking agencies related to partnership programs.

Summary and a “Non-Checklist” Checklist

The guidance provides what the banking agencies describe as a principles-based approach—rather than a rules-based approach or set checklist—to third-party risk management. Specifically, the guidance discusses several examples to support sound risk management at each stage of the third-party relationship life cycle: (1) planning; (2) due diligence and third-party selection; (3) contract negotiation; (4) ongoing monitoring; and (5) termination. Because of the principles-based nature of the guidance, the banking agencies emphasize that they are not endorsing a “one size fits all” model; rather, the guidance should be tailored to the unique circumstances of each third-party relationship.

(1) Planning—banks should evaluate and consider how to manage risks before entering into third-party relationships. Factors may include:

  • Understanding the strategic purpose of the business arrangement and how it aligns with the bank’s overall strategic goals and objectives;
  • Identifying and assessing benefits and risks of the business arrangement;
  • Assessing the potential third party’s impact on customers, including access to or use of customer information;
  • Determining the bank’s ability to provide adequate oversight and management of the proposed third-party relationship.

(2) Due Diligence and Third-Party Selection—banks should assess a third party’s ability to perform the activity as expected, adhere to the banking organization’s policies, and comply with all applicable laws, regulations, and conduct. Factors may include:

  • A third party’s overall business strategy and goals;
  • Legal and regulatory compliance considerations associated with engaging a third party, so that the risks of the third-party relationship are appropriately mitigated;
  • Assessment of a third party’s financial condition;
  • Evaluation of a third party’s business experience in performing the activity;
  • Qualifications of key personnel and other human resources considerations;
  • Evaluation of a third party’s overall risk management, including governance processes;
  • Assessment of a third party’s information security program, including protection of the confidentiality, integrity, and availability of the bank’s data.

(3) Contract Negotiation—banks should negotiate contract provisions that will facilitate effective risk management and oversight and specify expectations and obligations of both parties. Factors may include:

  • Clearly identifying the rights and responsibilities of each party, including the nature and scope of the business arrangement;
  • Defined performance measures to evaluate the performance of third parties;
  • A third party’s obligation to retain and provide timely and accurate information to banking organizations to monitor risks and performance;
  • Responsibility for compliance with applicable laws and regulations;
  • Prohibiting disclosure of non-public information, including the process for disclosing information security breaches or unauthorized intrusions.

(4) Ongoing Monitoring—banks should conduct monitoring on a periodic or continuous basis throughout the duration of the third-party relationship, commensurate with the risk level and complexity of the relationship and the activity performed by the third party. Monitoring activities may include:

  • Review of reports regarding the third party’s performance and the effectiveness of its controls;
  • Periodic visits and meetings with third-party representatives;
  • Regular testing of the banking organization’s controls;
  • Monitoring the third party’s business strategy, financial condition, compliance with applicable laws and regulations, and response to incidents and business continuity.

(5) Termination—banks should terminate third-party relationships in an efficient manner when the activities are transitioned to another third party, brought in-house, or discontinued. Factors may include:

  • Options for effective transition of services;
  • Managing risks associated with data retention and destruction;
  • Managing risks to the banking organization, including the impact on customers.

The interagency guidance further identifies three categories of governance to consider throughout the third-party relationship life cycle: (1) oversight and accountability at the board of directors and management levels; (2) periodic independent reviews to assess the adequacy of the bank’s risk management governance; and (3) proper documentation and reporting on the bank’s risk management processes and third-party relationships.

What Does this Mean for Fintechs?

The interagency guidance expands the scope of the banking agencies’ earlier general guidance on third-party risk management and now extends broadly to “any business arrangement between a banking organization and another entity.” While not all third-party relationships may require the same level or type of oversight or risk management, fintech partnerships not covered by previous guidance will likely see increased attention to risk management considerations as banks review their inventories of third-party relationships.

Importantly, the banking agencies’ framework also provides broader scrutiny of fintech companies and other third-party providers that partner with banks—including potentially being the subject of supervisory examinations based on the functions and operations they perform on behalf of the bank. And as banks evaluate their third-party risk management processes for potential gaps, banks may start to impose additional requirements on their fintech counterparts. For example, fintech partners may see more requests from banks for extensive information on their risk management processes as banks conduct due diligence, increased oversight of subcontractors during the contract negotiation process, and direct testing of fintech controls as part of ongoing monitoring.

Enforcement Outlook—“Mind the Gaps”

Following recent OCC and FDIC enforcement actions against banks involving fintechs, the interagency guidance clarifies that banks are ultimately responsible for ensuring that activities conducted through a third-party are conducted in compliance with applicable laws and regulations. However, the guidance also provides that as banking agencies review banking organizations’ risk management of third-party relationships as part of their standard supervision, the banking agencies may also extend their review to third-party partners when warranted.

Notably, the coordination between banks and fintechs, or other third parties, can create compliance gaps and expose bank-fintech partnerships to increased enforcement risk. For example, gaps in Anti-Money Laundering (AML) compliance—which is highly regulated and requires comprehensive compliance operations, transaction monitoring, and the filing of Suspicious Activity Reports (SARs)—can lead to serious penalties and even criminal charges if there are significant deficiencies. Other risk areas include sanctions screening and the handling of customer complaints and inquiries, as regulatory enforcement activity involving Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) claims continues to increase. As bank-fintech partnerships grow, so do the risks of compliance gaps and increased enforcement activity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jenner & Block | Attorney Advertising