Banking Agencies Issue Joint Third-Party Risk Management Guidance

On June 9, 2023, the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) published final joint guidance on managing risks associated with third-party relationships (“Interagency Guidance”). In an associated press release, the Agencies said the Interagency Guidance describes principles and considerations to help banks align their risk management practices with the nature and risk profile of their third-party relationships, which includes their relationships with fintechs.

In conjunction with the Interagency Guidance, the Federal Reserve Board released a memo that provides an overview of the text and states the intended purpose of the Interagency Guidance. Specifically, the Agencies indicate that the Interagency Guidance is meant to promote consistency and streamline Agency guidance on mitigating risks when banking organizations work with third parties.

The Interagency Guidance, which is final as of June 6, 2023, replaces each Agency’s existing third-party risk management guidance. The Interagency Guidance is largely consistent with the July 2021 proposed guidance, which was built on the foundation laid out in the OCC’s 2013 guidance regarding Third-Party Relationships (see rescinded OCC Bulletin 2013-29). The Interagency Guidance includes sections on the third-party relationship life cycle, governance, and supervisory reviews.

Below we provide a brief overview of the Interagency Guidance, and note key implications it will have for banking organizations and the fintechs or other  third parties with which they partner.

Life Cycle Risk Management Practices

The Interagency Guidance addresses risk-based risk management practices for each stage in the life cycle of third-party relationships, including:

• Planning. Effective planning allows a bank to evaluate and consider how to manage risks before entering into a third-party relationship.
• Due Diligence and Third-Party Selection. Due diligence includes assessment of the third party’s ability to perform the activity as expected, adhere to a bank’s policies related to the activity, comply with applicable laws and regulations, and conduct the activity in a safe and sound manner. The Agencies highlight the importance of conducting due diligence before entering into a relationship with each third party, based on the level of risk and complexity of the relationship.
• Contract Negotiation. A bank may tailor the level of detail and comprehensiveness of contract provisions based on the risk and complexity posed by each third-party relationship. The Interagency Guidance provides a list of factors for banks to consider based on the complexity and risk of a relationship (e.g., establishing clear rights and obligations of each party, specifying audit rights, and assigning responsibility for compliance with applicable laws and regulations).
• Ongoing Monitoring. Effective third-party risk management includes ongoing monitoring throughout the third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party.
• Termination. It is important for relationships to be terminated in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.

Governance and Supervision

The Interagency Guidance describes three categories of practices typically considered through all five stages of the life cycle:

• Oversight and Accountability. A bank’s board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.
• Independent Reviews. The Agencies emphasize the importance of a bank conducting periodic independent reviews to assess the adequacy of its third-party risk management processes.
• Documentation and Reporting. The Agencies also underscore the importance of a bank properly documenting and reporting on its third-party risk management process and on third-party relationships throughout their life cycle.

With respect to supervision, the Interagency Guidance indicates that each Agency will review its supervised banking organizations’ risk management of third-party relationships as part of the standard supervisory process. The scope of such review will depend on the risk and the complexity associated with the banking organization’s activities and third-party relationships.

Differences Between the Proposed Rule and the Final Interagency Guidance

While the final text of the Interagency Guidance is mostly consistent with the July 2021 proposed rule, there are noteworthy revisions:

• Increased Scope Includes Fintech Partnerships. The Agencies state explicitly that third-party relationships falling within the scope of the Interagency Guidance include third-party agreements for new and novel structures and features, such as fintech relationships that result in direct interaction with customers.
• Tailoring. The Interagency Guidance indicates that Agencies will tailor the scope of their supervisory review based on the level of risk associated with the banking organization’s activities and third-party relationships. In other words, oversight will not take a one-size-fits-all approach and will be tailored to the characteristics of the relationship.
• Critical Activities. The Interagency Guidance provides that banking organizations should apply a more rigorous oversight and management of third-party relationships that support critical activities. The final Interagency Guidance revises the definition of “critical activities” to cover activities that could: (i) cause a bank to face significant risk if the third party fails to meet expectations; (ii) have significant customer impacts; or (iii) have a significant impact on a bank’s financial condition or operations. The Agencies emphasize that an activity that is critical for one bank may not be critical for another and banking organizations’ approaches to determining criticality may vary. According to the Agencies, effective risk management involves applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight.
• Support for Community Banks. The Interagency Guidance makes mention of resources that may reduce the due diligence burden for small banks, such as resorting to collaborative industry efforts (such as pooling resources) and relying on independent third-party certifications in due diligence and monitoring of third-party relationships. As discussed further below, Governor Michelle Bowman dissented from the Federal Reserve Board’s vote, stating that this mere language was an insufficient effort to support such smaller banks with their burden of meeting the enhanced standards.
• Inventory of All Third-party Relationships. The Agencies expect banking organizations to complete and maintain an inventory of all third-party relationships, and periodic risk assessments for each such third-party relationship would be supportive of a banking organization’s sound risk management over time. Banking organizations will need to consider implementing or enhancing their existing inventory of all third-party relationships.
• Inclusion of FAQs Concepts. The Interagency Guidance builds on concepts from the OCC’s rescinded 2020 FAQs on Third-Party Relationships, including (i) acknowledging that a bank may have limited negotiating power in contract negotiation with certain third parties; (ii) underscoring the need for a strong framework to identify which activities and third-party relationships should receive more comprehensive oversight than others; and (iii) clarifying expectations for relying on subcontractors.
• Effect of Law. The Interagency Guidance explicitly indicates that it “does not have the force and effect of law and does not impose any new requirements on banking organizations.” However, the Agencies will utilize and look to the standards outlined in the Interagency Guidance in their supervision of banking organizations’ third-party risk management programs.

Key Takeaways for Banking Organizations

The Interagency Guidance highlights the Agencies’ increased focus on third-party risk management in general, and fintech partnerships in particular, and underscores that the Agencies will closely scrutinize risk associated with fintech relationships, including Banking-as-a-Service models. Notably, the Interagency Guidance emphasizes that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”

While the Interagency Guidance is largely consistent with the OCC’s previous guidance, its issuance should prompt all banking organizations to review their current risk management framework in anticipation of heightened examination focus on third-party relationships. All banks are encouraged to identify any potential gaps and make appropriate updates, including as they relate to the scope of oversight, impact, coverage, testing, documentation, and governance of third-party relationships.

Moreover, because the Interagency Guidance is based on the OCC’s prior guidance—which is more detailed than the previous framework of the Federal Reserve and FDIC—it is particularly important that state-chartered banks review the Interagency Guidance closely as it may require more significant tweaks to their third-party risk management frameworks. As Fed Governor Michelle Bowman stated, community banks may be among those most heavily affected by the Interagency Guidance. The increased compliance lift to meet these heightened standards will be more “challenging to implement” for small community banks.

One such example will be for the many state-chartered banks that sponsor fintech programs or offer Banking-as-a-Service (BaaS). In particular, BaaS models can pose particularly complex problems for banks with regard to their Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance requirements, especially where only a bank’s fintech partner is customer-facing and not the bank itself. While a bank can outsource certain BSA/AML-related tasks, it cannot outsource its liability. In order to ensure compliance with the BSA, including customer identification and verification, risk-based customer due diligence, and transaction monitoring and reporting, and to avoid potential regulatory or criminal criticism or enforcement actions, banks should strictly adhere to the principles provided by the Interagency Guidance when engaging in a BaaS model with a fintech partner.

Key Takeaways for Fintechs and Other Third-Party Partners

Fintechs that have bank partners or plan to partner with a bank should understand the framework this Interagency Guidance creates and how the framework will affect their bank relationships. For example, fintechs should be aware of and understand the complex regulatory regime that is applicable to their bank sponsors or partners, in particular with regard to a bank’s strict BSA/AML requirements. We expect that the Interagency Guidance will prompt banks to expand due diligence requests, take firmer positions in contract negotiation, and engage in additional ongoing monitoring and oversight.

Although the Interagency Guidance calls for a tailored approach, taking into account the risk profile and complexity of a bank’s third-party relationship, Fintechs and other third parties should expect that new or novel products, structures, and arrangements, including those as part of BaaS models, may be subject to heightened scrutiny by their banking partners. As discussed above, these effects may be more pronounced for fintechs that partner with state banks.

Because the Interagency Guidance may result in increased complexity of a bank’s onboarding process for third-parties, there are a few important takeaways fintechs should keep in mind following the release of this Interagency Guidance:

• Knowledge is power. Understanding the compliance obligations required by fintechs when partnering with a bank is fundamental for speed to market and a successful launch:
• Compliance for scalability. A strong compliance backbone that recognizes the needs of a bank partner, including oversight and auditability, is critical in scaling a bank sponsored or bank utilized product. Conversely, a weak compliance program opens up the door to unwanted business disruptions.
• Due Diligence is a 2 way tool. In addition to understanding your bank partner’s compliance requirements, fintechs should conduct their own due diligence in an effort to align with a bank partner or sponsor who understands the fintechs products or services. Having an aligned understanding of ongoing compliance and oversight that is reasonably related to the products or services being offered will aid long term partnership success.   

In a recent statement related to community banks and third-party partnerships, FDIC Vice Chairman Travis Hill briefly discussed an initiative to create a public/private standards setting organization (SSO) that “would enable banks to on-board fintechs and technologies that had received a ‘seal of approval’ reducing the need for each bank to conduct costly, time-consuming due diligence of its own.” However, the FDIC began collecting comments for the SSO project in July of 2020 and there has since been little formal communication from the FDIC on its progress. In the meantime, fintechs should assume that banks will implement the framework set out in the Interagency Guidance on an individual basis.

Questions

If you have questions regarding the Interagency Guidance, or any of the topics addressed in the Interagency Guidance, please feel free to reach out to any of the authors of this alert.