FDIC, Fed, OCC finalize guidance for banks' third-party partnerships

federal-reserve-facade-687816-adobe.jpeg
Aaron Kohr - aaron@kohr.org/Aaron Kohr - stock.adobe.com

Three federal bank regulators finalized risk management guidance for banks to consider when developing relationships with fintechs and other third parties.

The 68-page, interagency report details how banks should evaluate risks when assessing, negotiating with and monitoring third-party relationships. The Federal Reserve, Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency finalized the guidance Tuesday, nearly two years following the initial draft's publication.

Banks must implement risk management practices that account for the risks of third party providers, such as consultants, merchant payment processors, cloud computing providers and data aggregators, regulators wrote in the guidance. This means executing appropriate due diligence, creating clear expectations for performance and responsibilities and outlining plans in the case of terminating the agreement.

"As part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships," the guidance said.

The publication was signed by acting OCC Chair Michael Hsu and approved by five of the six Fed governors. The latest draft also supersedes all previous guidance on the topic from the three federal regulators, each of which have independently issued outlines on the topic over the last 15 years. The guidance took into account 82 submitted comments from interested parties, like trade associations, banks and fintechs. 

Partnerships with fintechs and other third parties can help banks streamline technology processes and offer more nimble services to customers. Many banks, especially smaller institutions that don't have the resources to develop in-house technology, use fintechs to build mobile apps or facilitate online lending, among other things. The bank manages the checking accounts and access to the Fed and FDIC insurance and can share interchange income with fintech partners.

"The use of third parties can offer banking organizations significant benefits, such as access to new technologies, human capital, delivery channels, products, services and markets," the guidance says. "However, the use of third parties can reduce a banking organization's direct control over activities and may introduce new risks or increase existing risks, such as operational, compliance and strategic risks."

The guidance notes that not all third-party relationships present the same level of risk, and that each bank should tailor its risk management practices proportionate to the bank's size, complexity, risk profile and the nature of the third-party relationship.

The agencies also said in the guidance that they will work together to "develop additional resources" for managing third-party risks to community banks and smaller institutions, which often have greater constraints regarding technology budgets and due diligence capabilities than large banks.

In a dissenting statement, Fed Governor Michelle Bowman wrote that she thinks the interagency guidance doesn't appropriately address the burden on smaller financial institutions. She added that the framework isn't clear enough about how they should tailor their risk management, and doesn't provide a timeline for the development of potential resources for community banks.

Michelle Bowman
Michelle Bowman, governor of the U.S. Federal Reserve, said the interagency guidance around third-party relationships lacks clarity.
Zach Gibson/Bloomberg

"Smaller banks are a vital part of the banking system," Bowman wrote. "Their core purpose is to serve the diverse range of communities and businesses that are not well-served by any other financial institutions. These examples of providing one-size-fits-all regulatory expectations for banks, including small banks, and failing to appropriately consider and mitigate the compliance and implementation burden imposed on these small banks, signals a concerning trend in our regulatory approach."

Rebeca Romero Rainey, president and CEO of the Independent Community Bankers of America, said in a prepared statement that the ICBA commended Bowman's recommendations for the latest guidance. ICBA wrote in a 2021 comment about the proposal that consolidated guidance was necessary, but practices should be further tailored based on the bank.

American Fintech Council CEO Phil Goldfeder said in a prepared statement that the finalized interagency guidance provides "vital clarity," and that there's still a "crisis of a significant mismatch" between fintech services and the processes to regulate them. 

"The guidance recognizes the benefits that responsible fintech companies provide for consumers in need, but more importantly helps identify the risks, roles and responsibilities to keep community banks competitive without compromising on consumer safety," Goldfeder said in the statement. 

Financial Technology Association President and CEO Penny Lee wrote in a prepared statement that she welcomed the interagency approach and "constructive framework" for mitigating risks. She added that the guidance acknowledged the benefits of fintechs.

Regulators have had a thumb on bank-fintech relationships for years, but have recently taken more action as the practice has surged. Last September, OCC's Hsu said at a banking conference that complex bank-fintech relationships, especially those that facilitate activities like mobile payments, online lending and deposit taking, could lead to "a severe problem, or even a crisis," if "left to their own devices."

In September, the OCC penalized Blue Ridge Bank for compliance concerns with the Bank Secrecy Act, which relates to money laundering. In March, the FDIC charged Cross River Bank, a major banking-as-a-service provider that makes loans through fintech lenders like Affirm and Upstart, with violating fair lending regulations during a program in early 2021.

Other companies have worked on bank-fintech partnership guidance in the past. Last October, the Alloy Labs Alliance bank technology consortium published a playbook of best practices for managing banking-as-a-service relationships. The playbook emphasizes that banks must monitor their fintech partners and remain vigilant around ensuring compliance and safety.

For reprint and licensing requests for this article, click here.
Regulation and compliance Fintech Federal Reserve OCC FDIC
MORE FROM AMERICAN BANKER