Payments Report: News from Washington, Brought to you by NEACH
VOLUME 2024-3 (MAY 24)
Overview: On May 3, the Board of Governors of the Federal Reserve System (“FRB”), Federal Deposit Insurance Corporation (“FDIC”), and Office of the Comptroller of the Currency (“OCC”) issued a guide to community banks on how to manage risks associated with relationships with fintech and other third-parties (the “Guide”). The Guide builds upon regulators’ prior supervisory guidance and enforcement actions, and indicates the regulators remain extremely focused on how banks manage risk associated with fintech relationships.
Background
In June 2023, the FRB, FDIC and OCC issued joint third-party risk management guidance (the “TPRM Guidance”) that replaced prior guidance from each individual agency and created a uniform third-party risk framework for all banks. The TPRM Guidance describes risk-management principles for banks to consider when developing and implementing third-party risk-management programs. It is particularly relevant for banks that provide banking-as-a-service (“BaaS”) platforms through which banks and fintechs offer products to the public, because regulators have significantly increased their expectations for how banks manage risk associated with such relationships.
In addition, the FDIC and OCC have issued a series of consent orders over the last 18 months to banks that provide BaaS platforms. Those consent orders place significant restrictions on the subject banks’ ability to partner with fintechs and require banks to implement enhanced governance and third-party risk management programs. Collectively, the TPRM Guidance and regulators’ consent orders set forth principles that banks and fintechs can implement to establish sound partnerships. The Guide further supplements those principles. Although it is nominally directed towards community banks, the Guide is a resource that banks of all sizes can use to assess and enhance their third-party risk management programs.
The Guide Highlights Opportunities and Risk
The Guide highlights several positive impacts of banks partnering with fintechs and third parties, including that banks may gain access to new technologies, delivery channels, products, services,
and markets. However, the Guide also notes that these expanded opportunities may come with additional risk that banks must manage, because banks may have less direct operational control over certain aspects of fintech and other third-party services.
There are two key takeaways in the Guide:
- Regulators will not look favorably upon banks that take a “one-size-fits-all” approach to third-party risk management. Because of the varied nature of fintech and other third-party relationships, it is critical that banks appropriately identify and control risk associated with the individual third-party relationship.
- Banks remain ultimately responsible for operating in a safe and sound manner and for compliance with applicable law and regulatory requirements when engaging with fintechs and other third parties, just as if the bank was performing the service or activity entirely on its own.
Sound Risk Management is Critical for Higher Risk Relationships
The Guide describes principles for how banks can implement risk management practices at each stage of a third-party relationship life cycle, including planning, diligence, contract negotiation, ongoing monitoring, and termination.
As a first step, the Guide highlights that banks should identify third-party relationships that involve higher-risk activities. Several factors may contribute to whether a relationship is higher risk, including whether it involves access to sensitive data (including customer data), transaction processing, essential technology, and business services, or could otherwise have a material impact on the bank’s customers or financial condition. If a bank identifies a relationship as involving higher risk, the bank should engage in more comprehensive and rigorous oversight and management of the relationship.
The Importance of Sound Governance Practices
Both the Guide and regulators’ recent consent orders with banks that provide BaaS platforms emphasize that sound governance practices are critical in managing higher risk relationships. This begins with enhanced oversight and involvement of the bank’s board, through which the board establishes expectations for bank management to implement. Management must implement these principles based on the level of risk and complexity of its fintech third-party relationships. This may include enhanced due diligence, ongoing monitoring, and proactively planning for an interruption to, or termination of, the relationship.
Outlook: Bank regulators remain intently focused on the unique compliance challenges in bank-fintech partnerships and other third-party relationships. Banks and fintechs should consider implementing the principles outlined in recent guidance and consent orders in response to this heightened focus.