The federal banking regulators — the Federal Reserve, the Comptroller’s Office and the Federal Deposit Insurance Corp. — issued their final guidance on banking organizations’ management of risks associated with third-party relationships on June 6.
The highly anticipated guidance amends the proposed guidance published in July 2021 and supplants prior guidance put forth by each agency.
The document contains takeaways for banks as well as for fintechs partnering with banks. (Credit union officials also would be wise to review this guidance, as we note in the gray box below.)
Key Takeaways for Banks in Regulators’ New Guidance
“Interagency Guidance on Third-Party Relationships: Risk Management” runs nearly 70 pages. Here are essentials to have in mind:
1. The guidance takes a mostly principles-based approach and is open to interpretation.
This puts the onus on banks to assess the risks of all of their third-party relationships and conduct appropriate due diligence and oversight based on that risk assessment. As a result, banks will need to think creatively and strategically about how to build or augment their third-party risk management programs throughout each relationship’s lifecycle.
2. In a bank relationship with a third party, the regulatory compliance buck stops with the bank.
As the guidance notes: “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”
This is not a new or surprising concept. But the guidance provides that it is important for contracts between banks and third parties to specify the obligations of the bank and the third party to comply with applicable laws and regulations and allow the bank to monitor and stay informed about the third party’s compliance with these obligations.
Focus on Consumer Impact:
The guidance does not identify the obligations banks should include in their contracts with third parties. However, the guidance contains many references to harm or impact on consumers. It also suggests continued regulatory focus on consumer protection requirements.
In addition, the proposed guidance provided a helpful list: the Gramm-Leach-Bliley Act, including privacy and safeguarding of customer information; the Bank Secrecy Act and Anti-Money Laundering (BSA/AML) laws; the Office of Foreign Assets Control (OFAC) regulations; and consumer protection laws and regulations, including those addressing fair lending and unfair, deceptive or abusive acts or practices.
In our practice, we regularly see issues in these areas, as well as the FDIC’s Part 328 (advertisement of FDIC membership) and the Consumer Financial Protections Bureau’s Reg E (handling of transaction dispute claims).
3. Smaller banks will not have a lesser regulatory burden under the guidance.
In this regard the guidance specifically clarifies that smaller banks cannot claim any kind of “safe harbor” or reduced regulatory burden relating to third-party risk management. (Interestingly, this was a specific point of contention at the Federal Reserve. Gov. Michelle Bowman cast a dissenting vote on the grounds that this placed too much burden on community banks and did not provide tools needed to help them comply.)
Small banks can take some consolation that the guidance notes that a bank “may use the services of industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement its due diligence.”
However, this is followed by the “health warning” from the regulators that the “use of such external parties to conduct supplemental due diligence does not abrogate the responsibility of the banking organization to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations.”
In keeping with our second takeaway, the buck stops with the bank.
4. Subcontractor oversight remains important.
Unlike the proposed guidance, the final guidance does not suggest that a bank should conduct similar due diligence on a third party’s critical subcontractors. Instead, the bank can focus on evaluating the third party’s third-party risk management program.
So it says. However, our experience shows that a lack of understanding of subcontractor policies and procedures for handling critical outsourced activities can expose a bank to increased regulatory scrutiny and potential enforcement actions stemming from violations of laws and regulations.
Read more: Where Are Bank-Fintech Relationships Headed?
How Banks Can Be Sure They Will Comply With the Guidance
Proposed steps for banks to ensure their existing practices are aligned with the guidance:
1. Take the considerations highlighted in the guidance and adapt them into a checklist.
Contrary to what the guidance preamble claims about not treating this document as a checklist, bankers should disregard that statement and treat the considerations as a checklist. Then they should apply the checklist across their third-party relationships as relevant to each arrangement.
2. Review any current inventories of third-party relationships.
Are they comprehensive? Confirm that they clearly identify relationships associated with higher-risk activities — especially critical activities.
3. Review existing risk assessments for each third-party relationship.
You should be able to ensure the bank has a solid basis for articulating why its program is designed as it is. The program should include a sound methodology for determining high-risk relationships and using the risk assessments to determine which third parties will be subject to more comprehensive oversight.
4. Develop a comprehensive inventory of the laws and regulations that will apply to each third-party relationship.
Understand who will be primarily responsible for day-to-day compliance with each of those laws and regulations (e.g., the bank, the third party or a third-party subcontractor). Determine what controls will be in place to facilitate compliance, and develop a monitoring plan to oversee compliance.
5. Partner banks should review the guidance alongside the existing guide for community banks working with fintech companies.
An Important Note for Credit Unions:
To date, the National Credit Union Administration has not adopted the guidance put forth by the banking regulators. As a result, credit unions should continue to refer to the NCUA’s existing guidance on third-party relationships, its related third-party questionnaire, and any other relevant guidance published by the NCUA. An example is the 2021 guidance on partnering with third parties providing digital asset-related services.
While the NCUA’s existing guidance is not that dissimilar from the final guidance issued by banking regulators, credit unions may want to review and incorporate any additional considerations from that final guidance as a matter of best practice and sound risk management.
Key Takeaways for Fintechs in Regulators’ New Guidance
Here are essentials for fintechs to have in mind:
1. Bank-fintech partnerships were a major motivator for finalizing the guidance.
Even though the word “fintech” is only mentioned six times in the entire document, it appears to have been a key driver in finalizing the guidance amid the backdrop of growing regulatory scrutiny of bank-fintech partnerships over the past year or so.
Regulators Tip Their Hands:
It is telling that several of the key regulatory contacts listed in the guidance for the Comptroller's Office and the Federal Reserve are from departments that are focused on innovation and fintech-related matters.
2. Fintechs can expect existing and prospective partner banks to set a higher bar for risk management and compliance moving forward.
Fintechs will find that bank partners focus on consumer compliance and operational/business resiliency. Similarly, fintechs seeking bank partnerships can likely expect to see higher barriers to entry with more stringent due diligence, onboarding processes, and contractual provisions.
3. Fintech activities undertaken on behalf of banks are subject to regulatory examination and oversight.
Fintechs should expect increased requests from partner banks stemming from examinations of their programs by the partner banks’ primary bank regulators.
In our experience, the regulators have already begun performing much more comprehensive reviews. In some cases these occur prior to the beginning of examinations. Factors review include fintechs’ websites and account opening flows.
In addition, we have seen the FDIC examine fintechs directly by invoking its authority to look at institution-affiliated parties. We believe that the Comptroller’s Office and the Federal Reserve may follow suit.
- ‘Yelp’ for Bankers: Inside a New Database for Vetting Tech Vendors
- Uh-Oh, Consumers’ Growing Comfort with Fintechs Is Costly for Banks
- Banks Have a Great Shot at Closing the Talent Gap Now — Here’s How
How Fintechs Can Prepare for Greater Scrutiny by Regulators and Partner Banks
Fintechs should be getting their ducks in a row as soon as possible. Here are some actions we recommend:
1. Fintechs should treat the considerations outlined in the guidance like a checklist, just as we’ve advised banks to do above.
Fintechs should revisit existing due diligence packages that they provide to bank partners to ensure they are comprehensive and consistent with the guidance.
2. Align policies and procedures with the guidance.
Fintechs should ensure that descriptions of roles and responsibilities articulate clearly who is doing what. It should also be clear what the key handoff or escalation points are between the fintech and partner bank.
3. Consider what additional monitoring or testing may be needed to proactively identify and address gaps before they are identified by a partner bank.
4. Work with partner banks to ensure comprehensive, clear and transparent responses are made to regulatory requests.
They should include acknowledgment and timely resolution of issues when they arise.
One point the guidance is very clear about: Regulators clearly intend to hold banks and fintechs accountable for any lapses that occur in the course of bank-fintech relationships. Banks and fintechs alike would be well-served by getting ahead of the guidance and taking proactive steps to identify and close any gaps in their existing risk and compliance programs. Doing so swiftly will pay dividends down the road, especially when the regulators come knocking.
About the Authors:
Andreas Westgaard is a director at Klaros Group. Christina Hunt-Fuhr is a senior director at the firm.