Banking Agencies Issue Joint Third-Party Risk Management Guidance
On June 9, 2023, the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) published final joint guidance on managing risks associated with third-party relationships (“Interagency Guidance”). In an associated press release, the Agencies said the Interagency Guidance describes principles and considerations to help banks align their risk management practices with the nature and risk profile of their third-party relationships, which includes their relationships with fintechs.
In conjunction with the Interagency Guidance, the Federal Reserve Board released a memo that provides an overview of the text and states the intended purpose of the Interagency Guidance. Specifically, the Agencies indicate that the Interagency Guidance is meant to promote consistency and streamline Agency guidance on mitigating risks when banking organizations work with third parties.
The Interagency Guidance, which is final as of June 6, 2023, replaces each Agency’s existing third-party risk management guidance. The Interagency Guidance is largely consistent with the July 2021 proposed guidance, which was built on the foundation laid out in the OCC’s 2013 guidance regarding Third-Party Relationships (see rescinded OCC Bulletin 2013-29). The Interagency Guidance includes sections on the third-party relationship life cycle, governance, and supervisory reviews.
Below we provide a brief overview of the Interagency Guidance, and note key implications it will have for banking organizations and the fintechs or other third parties with which they partner.
The Interagency Guidance addresses risk-based risk management practices for each stage in the life cycle of third-party relationships, including:
The Interagency Guidance describes three categories of practices typically considered through all five stages of the life cycle:
With respect to supervision, the Interagency Guidance indicates that each Agency will review its supervised banking organizations’ risk management of third-party relationships as part of the standard supervisory process. The scope of such review will depend on the risk and the complexity associated with the banking organization’s activities and third-party relationships.
While the final text of the Interagency Guidance is mostly consistent with the July 2021 proposed rule, there are noteworthy revisions:
The Interagency Guidance highlights the Agencies’ increased focus on third-party risk management in general, and fintech partnerships in particular, and underscores that the Agencies will closely scrutinize risk associated with fintech relationships, including Banking-as-a-Service models. Notably, the Interagency Guidance emphasizes that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”
While the Interagency Guidance is largely consistent with the OCC’s previous guidance, its issuance should prompt all banking organizations to review their current risk management framework in anticipation of heightened examination focus on third-party relationships. All banks are encouraged to identify any potential gaps and make appropriate updates, including as they relate to the scope of oversight, impact, coverage, testing, documentation, and governance of third-party relationships.
Moreover, because the Interagency Guidance is based on the OCC’s prior guidance—which is more detailed than the previous framework of the Federal Reserve and FDIC—it is particularly important that state-chartered banks review the Interagency Guidance closely as it may require more significant tweaks to their third-party risk management frameworks. As Fed Governor Michelle Bowman stated, community banks may be among those most heavily affected by the Interagency Guidance. The increased compliance lift to meet these heightened standards will be more “challenging to implement” for small community banks.
One such example is the many state-chartered banks that sponsor fintech programs or offer Banking-as-a-Service (BaaS). BaaS models can pose particularly complex problems for banks with regard to their Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance requirements, especially where only a bank’s fintech partner is customer-facing and not the bank itself. While a bank can outsource certain BSA/AML-related tasks, it cannot outsource its liability. In order to ensure compliance with the BSA, including customer identification and verification, risk-based customer due diligence, and transaction monitoring and reporting, and to avoid potential regulatory or criminal criticism or enforcement actions, banks should strictly adhere to the principles provided by the Interagency Guidance when engaging in a BaaS model with a fintech partner.
Fintechs that have bank partners or plan to partner with a bank should understand the framework this Interagency Guidance creates and how the framework will affect their bank relationships. For example, fintechs should be aware of and understand the complex regulatory regime that is applicable to their bank sponsors or partners, in particular with regard to a bank’s strict BSA/AML requirements. We expect that the Interagency Guidance will prompt banks to expand due diligence requests, take firmer positions in contract negotiation, and engage in additional ongoing monitoring and oversight.
Although the Interagency Guidance calls for a tailored approach, taking into account the risk profile and complexity of a bank’s third-party relationship, fintechs and other third parties should expect that new or novel products, structures, and arrangements, including those that are part of BaaS models, may be subject to heightened scrutiny by their banking partners. As discussed above, these effects may be more pronounced for fintechs that partner with state banks.
Because the Interagency Guidance may result in increased complexity of a bank’s onboarding process for third parties, there are a few important takeaways fintechs should keep in mind following the release of this Interagency Guidance:
In a recent statement related to community banks and third-party partnerships, FDIC Vice Chairman Travis Hill briefly discussed an initiative to create a public/private standards setting organization (SSO) that “would enable banks to on-board fintechs and technologies that had received a ‘seal of approval’ reducing the need for each bank to conduct costly, time-consuming due diligence of its own.” However, the FDIC began collecting comments for the SSO project in July of 2020 and there has since been little formal communication from the FDIC on its progress. In the meantime, fintechs should assume that banks will implement the framework set out in the Interagency Guidance on an individual basis.
If you have questions regarding the Interagency Guidance, or any of the topics addressed in the Interagency Guidance, please feel free to reach out to any of the authors of this alert.