The growing prevalence of relationships between incumbent banking institutions and fintechs has resulted in new regulatory guidance to manage third-party relationships.
What is the Interagency Guidance on Third-Party Risk Management?
On June 6, 2023, the Federal Reserve, FDIC, and OCC released final guidance on managing risks associated with third-party relationships, including relationships with fintechs (the “Interagency Guidance”). This Interagency Guidance and its associated memo replace the Agencies’ existing guidance to help banks align their third-party risk management practices with the nature and risk profile of their third-party relationships, including fintechs.
Though the Interagency Guidance is consistent with the previously released guidance on third-party relationships, it contains important updates and clarifications regarding the increasing growth of relationships between banks and third parties, especially fintechs.
While the Interagency Guidance does not have the force and effect of law, nor does it impose new requirements on banking organizations, it is expected to guide the Agencies’ supervision of banking organizations’ third-party risk management systems going forward.
As an outsourced fintech compliance service provider since 2013, we advise our clients on the current fast-changing regulatory landscape.
Subject-matter experts with decades of experience wrote this analysis, not freelance copywriters, third-party agencies, or AI-based tools. If we do not cover all your questions here, email us at info@innreg.com, and we will gladly give you a free consultation.
Who Falls Under the Interagency Guidance on Third-Party Risk Management?
The Interagency Guidance is directed to all banking organizations supervised by the Agencies and advises such organizations to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
The Interagency Guidance broadens the scope of the agencies’ oversight and extends broadly to “any business arrangement between a banking organization and another entity.”
As a result, we expect that fintech partnerships not covered by previous guidance will see increased attention to risk management considerations as banks review their inventories of third-party relationships.
The third-party relationships in scope include outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.
What Are the Key Components of the Interagency Guidance on Third-Party Risk Management?
Below we provide a brief overview of the key aspects of the Interagency Guidance.
1. Risk Management Framework
2. Relationships with Third Parties
3. Governance
What Are the Key Implications of the Interagency Guidance on Third-Party Risk Management for Fintechs and Bank-Fintech Relationships?
Although the Interagency Guidance applies directly only to banks, fintechs that have bank partners or plan to partner with a bank should understand the framework this Interagency Guidance creates and how the framework will affect their bank relationships.
Fintechs should know and understand the complex regulatory governance applicable to their bank sponsors or partners, particularly BSA/AML requirements.
We expect the Interagency Guidance will prompt banks to expand due diligence requests, take firmer positions in contract negotiation, and engage in additional ongoing monitoring and oversight.
We outline the following key implications for fintechs and bank-fintech relationships:
1. Risk-Based Supervisory Focus on Key Compliance Activities
BSA/AML and OFAC compliance presents an ongoing challenge given that the bank is on the regulatory hook for compliance. However, the bank has no true “customer-facing” role and depends on its fintech partner for customer identification (CIP/KYC), due diligence procedures, and even monitoring transactions for OFAC screening or other suspicious activities.
2. Higher Supervisory Bar
Fintech partnerships will be under greater supervisory scrutiny, and we expect that fintechs will face a higher bar to enter into and maintain relationships with banking organizations. This will be evident across several compliance requirements, including third-party independent testing and auditing of the fintech’s BSA/AML and OFAC screening processes and performance.
3. Regulation E and Complaints Management Processes
Fintechs should also expect additional requirements, monitoring, testing, and oversight from bank partners on the fintech’s Regulation E dispute resolution and investigation procedures regarding alleged fraudulent or unauthorized transactions, as well as processes and procedures for handling customer complaints.
4. Complexity of the Onboarding Process
The complexity and cost of the onboarding process for both smaller banks and fintechs is recognized as a key challenge to the future growth of bank-fintech partnerships. To this end, the FDIC has expressed support for a proposed public/private standards-setting organization enabling banks to onboard approved fintechs, thereby reducing the need for each bank to conduct separate due diligence.
Conclusion: What are the 4 Key Compliance Takeaways of the Interagency Guidance on Third-Party Risk Management for Fintechs?
The Interagency Guidance’s release is expected to prompt banks and fintechs alike to review their current risk management framework in anticipation of heightened examination focus on third-party relationships.
In conclusion, we outline 4 key practical takeaways from the Interagency Guidance that fintechs should prioritize:
1. Key Areas of Compliance Program
Understand the compliance obligations when partnering with a bank to improve time-to-market and support a successful launch. A strong compliance program that recognizes the needs of a bank partner, including oversight and auditability, is critical in scaling a bank-sponsored product and avoiding disruptions.
2. Due Diligence
Conduct appropriate due diligence, a key tool for the long-term success of a partnership, to align with a bank partner/sponsor that understands fintech products and services.
3. Human Resources
Deploy adequate staff with appropriate skill levels across key compliance functions.
4. CCO Function
Empower the CCO function to effectively partner with other key internal stakeholders and ensure participation in formal reporting, governance activities, and processes.
More Questions About Interagency Guidance on Third-Party Risk Management - Talk to the Experts
Need support or information on the implications of the Interagency Guidance? Reach out today for a free consultation: info@innreg.com
InnReg has extensive experience with managing the compliance implications of bank-fintech relationships, including the following:
- Compliance policy development and management
- Assistance in the banking partner selection and onboarding process
- Risk assessment and quality control
- Implementation of compliance management workflows (e.g., user onboarding, suspicious activity monitoring, advertising compliance)
- Support for the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework
- Compliance facilitation across Federal and State regulatory bodies
- Monitoring for regulatory changes
The Author: InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts that has been helping fintechs worldwide succeed in highly regulated markets since 2013. InnReg provides fintech compliance and operations consulting and outsourcing services focused on mitigating regulatory risk while helping clients launch innovative fintech products and services.