Contents
The growing prevalence of relationships between incumbent banking institutions and fintechs has resulted in new regulatory guidance to manage third-party relationships: Interagency Guidance on Third-Party Relationships (Risk Management).
Fintech compliance experts with decades of experience created this guide, not freelance copywriters, third-party agencies, or AI-based tools.
See also:
What is the Interagency Guidance on Third-Party Relationships (Risk Management)?
On June 6, 2023, the Federal Reserve, FDIC, and OCC released final guidance on managing risks associated with third-party relationships, including relationships with fintechs (the “Interagency Guidance”). This Interagency Guidance and its associated memo replace the Agencies’ existing guidance to help banks align their third-party risk management practices with the nature and risk profile of their third-party relationships, including fintechs.
Though the Interagency Guidance is consistent with the previously released guidance on third-party relationships, it contains important updates and clarifications regarding the increasing growth of relationships between banks and third parties, especially fintechs.
While the Interagency Guidance does not have the force and effect of law nor does it impose new requirements on banking organizations, it is expected to guide the Agencies’ supervision of banking organizations’ third-party risk management systems going forward.
Who Falls Under the Interagency Guidance on Third-Party Relationships (Risk Management)?
The Interagency Guidance is directed to all banking organizations supervised by the Agencies and advises such organizations to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
The Interagency Guidance broadens the scope of the agencies’ oversight and extends broadly to “any business arrangement between a banking organization and another entity.”
As a result, we expect that fintech partnerships not covered by previous guidance will see increased attention to risk management considerations as banks review their inventories of third-party relationships.
The third-party relationships in scope include outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.
What Are the Key Components of the Interagency Guidance on Third-Party Relationships (Risk Management)?
Below we provide a brief overview of the key aspects of the Interagency Guidance.
1. Risk Management Framework
Prescribes a principles- and risk-based framework to designate which activities and third-party relationships receive more comprehensive oversight.
Banks are expected to tailor risk management practices commensurate with the organization’s size, complexity, and risk profile and with the nature of the third-party relationship, avoiding a one-size-fits-all approach.
“Critical activities” may require more comprehensive and demanding oversight and management of third-party relationships. The definition of “critical activities” covers activities that could: (i) cause a bank to face significant risk if the third party fails to meet expectations; (ii) have significant customer impacts; or (iii) have a significant impact on a bank’s financial condition or operations.
2. Relationships with Third Parties
Relationships with third parties should be evaluated based on the specific risk posed by the relationship.
The Interagency Guidance expressly mentions third-party relationships formed with novel structures such as fintech companies, suggesting maintaining a complete inventory of all third-party relationships and completing periodic risk assessments for each.
3. Governance
Oversight and Accountability: responsibility for providing oversight for third-party risk management and holding management accountable lies with the Board of Directors.
Independent Reviews: periodic, independent reviews to assess the adequacy of governance processes.
Documentation and Reporting: proper documentation and reporting of all relevant processes.
What Are the Key Implications of the Interagency Guidance on Third-Party Relationships (Risk Management) for Fintechs and Bank-Fintech Relationships?
Although the Interagency Guidance applies directly only to banks, fintechs that have bank partners or plan to partner with a bank should understand the framework this Interagency Guidance creates and how the framework will affect their bank relationships.
Fintechs should know and understand the complex regulatory governance applicable to their bank sponsors or partners, particularly BSA/AML requirements.
We expect the Interagency Guidance will prompt banks to expand due diligence requests, take firmer positions in contract negotiation, and engage in additional ongoing monitoring and oversight.
We outline the following key implications for fintechs and bank-fintech relationships:
1. Risk-Based Supervisory Focus on Key Compliance Activities
BSA/AML and OFAC compliance presents an ongoing challenge given that the bank is on the regulatory hook for compliance. However, the bank has no true “customer-facing” role and depends on its fintech partner for customer identification (CIP/KYC), due diligence procedures, and even monitoring transactions for OFAC screening or other suspicious activities.
2. Higher Supervisory Bar
Fintech partnerships will be under greater supervisory scrutiny, and we expect that fintechs will face a higher bar to enter into and maintain relationships with banking organizations. This will be evident across several compliance requirements, including third-party independent testing and auditing of the fintech’s BSA/AML and OFAC screening processes and performance.
3. Regulation E and Complaints Management Processes
Fintechs should also expect additional requirements, monitoring, testing, and oversight from bank partners on the fintech’s Regulation E dispute resolution and investigation procedures regarding alleged fraudulent or unauthorized transactions, as well as processes and procedures for handling customer complaints.
See also:
4. Complexity of the Onboarding Process
The complexity and cost of the onboarding process for both smaller banks and fintechs is recognized as a key challenge to the future growth of bank-fintech partnerships. To this end, the FDIC has expressed support for a proposed public/private standards-setting organization enabling banks to onboard approved fintechs, thereby reducing the need for each bank to conduct separate due diligence.
Conclusion: What are the 4 Key Compliance Takeaways of the Interagency Guidance on Third-Party Relationships (Risk Management) for Fintechs?
The Interagency Guidance’s release is expected to prompt banks and fintechs alike to review their current risk management framework in anticipation of heightened examination focus on third-party relationships.
In conclusion, we outline 4 key practical takeaways from the Interagency Guidance that fintechs should prioritize:
1. Key Areas of Compliance Program
Understand the compliance obligations when partnering with a bank to maximize time-to-market and a successful launch. A strong compliance program that recognizes the needs of a bank partner, including oversight and auditability, is critical in scaling a bank-sponsored product and avoiding disruptions.
2. Due Diligence
Conduct appropriate due diligence to align with a bank partner/sponsor that understands fintech products and services as a key tool to the long-term success of a partnership.
3. Human Resources
Deploy adequate staff with appropriate skill levels across key compliance functions.
4. CCO Function
Empower the CCO function to effectively partner with other key internal stakeholders and ensure participation in formal reporting, governance activities, and processes.
More Questions About Interagency Guidance on Third-Party Relationships and Risk Management - Talk to the Experts
Need help with support and information on the implications of the Interagency Guidance? Reach out today for a free consultation: info@innreg.com
InnReg has extensive experience with managing the compliance implications of bank-fintech relationships, including the following.
Compliance policy development and management
Assistance in the banking partner selection and onboarding process
Risk assessment and quality control
Implementation of compliance management workflows (e.g., user onboarding, suspicious activity monitoring, advertising compliance)
Support the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework.
Compliance facilitation across Federal and State regulatory bodies
Monitoring for regulatory changes
Latest LinkedIn Posts
Related Articles
