Fintech Compliance

All Fintech

Interagency Guidance on Third-Party Relationships (OCC)

Nov 30, 2023




5 min read

The growing prevalence of relationships between incumbent banking institutions and fintechs has resulted in new regulatory guidance to manage third-party relationships: Interagency Guidance on Third-Party Relationships (Risk Management). 

Fintech compliance experts with decades of experience created this guide, not freelance copywriters, third-party agencies, or AI-based tools.

InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing

What is the Interagency Guidance on Third-Party Relationships (Risk Management)?

On June 6, 2023, the Federal Reserve, FDIC, and OCC released final guidance on managing risks associated with third-party relationships, including relationships with fintechs (the “Interagency Guidance”). This Interagency Guidance and its associated memo replace the Agencies’ existing guidance to help banks align their third-party risk management practices with the nature and risk profile of their third-party relationships, including fintechs.

Though the Interagency Guidance is consistent with the previously released guidance on third-party relationships, it contains important updates and clarifications regarding the increasing growth of relationships between banks and third parties, especially fintechs.

While the Interagency Guidance does not have the force and effect of law nor does it impose new requirements on banking organizations, it is expected to guide the Agencies’ supervision of banking organizations’ third-party risk management systems going forward.

Interagency Guidance Third Party Risk Management

Who Falls Under the Interagency Guidance on Third-Party Relationships (Risk Management)?

The Interagency Guidance is directed to all banking organizations supervised by the Agencies and advises such organizations to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.

The Interagency Guidance broadens the scope of the agencies’ oversight and extends broadly to “any business arrangement between a banking organization and another entity.”

As a result, we expect that fintech partnerships not covered by previous guidance will see increased attention to risk management considerations as banks review their inventories of third-party relationships.

The third-party relationships in scope include outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.

Who does the interagency guidance on third party risk management

What Are the Key Components of the Interagency Guidance on Third-Party Relationships (Risk Management)?

Below we provide a brief overview of the key aspects of the Interagency Guidance.

1. Risk Management Framework

  • Prescribes a principles- and risk-based framework to designate which activities and third-party relationships receive more comprehensive oversight.

  • Banks are expected to tailor risk management practices commensurate with the organization’s size, complexity, and risk profile and with the nature of the third-party relationship, avoiding a one-size-fits-all approach.

  • “Critical activities” may require more comprehensive and demanding oversight and management of third-party relationships. The definition of “critical activities” covers activities that could: (i) cause a bank to face significant risk if the third party fails to meet expectations; (ii) have significant customer impacts; or (iii) have a significant impact on a bank’s financial condition or operations.

2. Relationships with Third Parties

  • Relationships with third parties should be evaluated based on the specific risk posed by the relationship.

  • The Interagency Guidance expressly mentions third-party relationships formed with novel structures such as fintech companies, suggesting maintaining a complete inventory of all third-party relationships and completing periodic risk assessments for each.

3. Governance

  • Oversight and Accountability: responsibility for providing oversight for third-party risk management and holding management accountable lies with the Board of Directors.

  • Independent Reviews: periodic, independent reviews to assess the adequacy of governance processes.

  • Documentation and Reporting: proper documentation and reporting of all relevant processes.

Key components of the interagency guidance on third party risk management

What Are the Key Implications of the Interagency Guidance on Third-Party Relationships (Risk Management) for Fintechs and Bank-Fintech Relationships?

Although the Interagency Guidance applies directly only to banks, fintechs that have bank partners or plan to partner with a bank should understand the framework this Interagency Guidance creates and how the framework will affect their bank relationships.

Fintechs should know and understand the complex regulatory governance applicable to their bank sponsors or partners, particularly BSA/AML requirements.

We expect the Interagency Guidance will prompt banks to expand due diligence requests, take firmer positions in contract negotiation, and engage in additional ongoing monitoring and oversight.

We outline the following key implications for fintechs and bank-fintech relationships:

1. Risk-Based Supervisory Focus on Key Compliance Activities

BSA/AML and OFAC compliance presents an ongoing challenge given that the bank is on the regulatory hook for compliance. However, the bank has no true “customer-facing” role and depends on its fintech partner for customer identification (CIP/KYC), due diligence procedures, and even monitoring transactions for OFAC screening or other suspicious activities.

InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing

2. Higher Supervisory Bar

Fintech partnerships will be under greater supervisory scrutiny, and we expect that fintechs will face a higher bar to enter into and maintain relationships with banking organizations. This will be evident across several compliance requirements, including third-party independent testing and auditing of the fintech’s BSA/AML and OFAC screening processes and performance.

3. Regulation E and Complaints Management Processes

Fintechs should also expect additional requirements, monitoring, testing, and oversight from bank partners on the fintech’s Regulation E dispute resolution and investigation procedures regarding alleged fraudulent or unauthorized transactions, as well as processes and procedures for handling customer complaints.

4. Complexity of the Onboarding Process

The complexity and cost of the onboarding process for both smaller banks and fintechs is recognized as a key challenge to the future growth of bank-fintech partnerships. To this end, the FDIC has expressed support for a proposed public/private standards-setting organization enabling banks to onboard approved fintechs, thereby reducing the need for each bank to conduct separate due diligence.

Interagency Guidance Bank Fintech

Conclusion: What are the 4 Key Compliance Takeaways of the Interagency Guidance on Third-Party Relationships (Risk Management) for Fintechs?  

The Interagency Guidance’s release is expected to prompt banks and fintechs alike to review their current risk management framework in anticipation of heightened examination focus on third-party relationships.

In conclusion, we outline 4 key practical takeaways from the Interagency Guidance that fintechs should prioritize:

1. Key Areas of Compliance Program

Understand the compliance obligations when partnering with a bank to maximize time-to-market and a successful launch. A strong compliance program that recognizes the needs of a bank partner, including oversight and auditability, is critical in scaling a bank-sponsored product and avoiding disruptions.

2. Due Diligence

Conduct appropriate due diligence to align with a bank partner/sponsor that understands fintech products and services as a key tool to the long-term success of a partnership.

3. Human Resources

Deploy adequate staff with appropriate skill levels across key compliance functions.

4. CCO Function

Empower the CCO function to effectively partner with other key internal stakeholders and ensure participation in formal reporting, governance activities, and processes.

Compliance takeaways interagency guidance

More Questions About Interagency Guidance on Third-Party Relationships and Risk Management - Talk to the Experts

Need help with support and information on the implications of the Interagency Guidance? Reach out today for a free consultation:

InnReg has extensive experience with managing the compliance implications of bank-fintech relationships, including the following.

  • Compliance policy development and management

  • Assistance in the banking partner selection and onboarding process

  • Risk assessment and quality control

  • Implementation of compliance management workflows (e.g., user onboarding, suspicious activity monitoring, advertising compliance)

  • Support the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework.

  • Compliance facilitation across Federal and State regulatory bodies

  • Monitoring for regulatory changes 

InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing
InnReg Compliance Consulting and Outsourcing

Subscribe for Compliance Insights

Subscribe for Compliance Insights

Subscribe for Compliance Insights

Latest LinkedIn Posts