Federal Banking Regulators Shine Light Again on Third-Party Risk Management

Eversheds Sutherland (US) LLP

Federal banking regulators have again demonstrated their focus on bank oversight and management of risk from third-party relationships through a series of guidance and proposed guidance published in the third quarter of 2021. The Federal Reserve, FDIC and OCC published proposed interagency guidance on managing risk of third-party relationships in July[1] and a guide for community banks on conducting due diligence on fintech companies in August. Then, in September, the Federal Reserve issued a guide on community bank access to innovation through partnerships. These guidance documents, which we discuss separately below, have a common theme: partnering with third parties can have significant advantages for banks, including a quicker and more efficient means to access new technologies, but regulators expect banks to manage third-party risk with appropriate policies, processes and programs.

  1. Proposed Interagency Guidance
The proposed interagency guidance published earlier this year is intended to replace and harmonize three preexisting guidance documents: the Fed’s “Guidance on Managing Outsourcing Risk,” issued December 2013;[2] the FDIC’s “Guidance for Managing Third-Party Risk,” issued June 2008;[3] and the OCC’s “Third-Party Relationships: Risk Management Guidance,” issued October 2013[4] and supplemented with FAQs in March 2020.[5] The stated purpose of the proposed guidance is to help banks identify and address the risks inherent in third-party vendor, outsourcing and other business relationships, and comply with applicable statutes and regulations.
 
The proposed interagency guidance is largely based on the OCC’s 2013 guidance and proposes to incorporate the OCC’s 2020 FAQ. Consistent with the 2013 OCC guidance, the proposed interagency guidance provides that a bank’s third party risk management program should be commensurate with its size, complexity and risk profile, and that third-party relationships involving critical activities in particular should be subject to comprehensive and rigorous oversight by banks. In line with the OCC’s 2020 FAQ, the proposed guidance describes critical activities as significant bank functions that could (i) cause the bank to face significant risk if the third party fails to meet expectations, (ii) result in significant customer impacts, (iii) require significant investment in resources to implement and manage, or (iv) have a major impact on the bank’s operations if the bank cannot find an alternative third party or bring the activity in-house. 
 
The proposed guidance would require banks to manage third-party risk at all stages of the relationship lifecycle, including:
  • Planning;
  • Due diligence and selection;
  • Contract negotiation;
  • Ongoing monitoring of the relationship; and 
  • Termination of the relationship (including transition of the activity in-house or to a new third party provider). 
With respect to due diligence and contract negotiation, the proposed guidance takes many cues from the OCC’s 2013 guidance, including:
  • Advising banks to perform due diligence with respect to the third party’s strategies and goals, financial condition, business experience, fee and compensation structure (including incentives to risky behavior), qualification of the third party’s principals, risk management and controls, information security, information technology, operational resilience, incident management, use of subcontractors, insurance program, and contractual arrangements with third parties that may cause conflicts; and 
  • Addressing as appropriate the following in written contracts with third parties: the nature and scope of the relationship and services, service level agreements, responsibilities for providing information and reporting regarding the relationship or services, audit rights and related remediation, compliance with laws and regulations, compensation and fees, ownership and licensing of relevant data, technology and intellectual property, confidentiality, information security, data use rights, operational resilience and business continuity, indemnification, insurance requirements, dispute resolution, limitations on liability (and ensuring they are proportionate to the level of risk), termination rights, handling of customer complaints, and use of subcontractors (including notice or consent rights).  
While the proposed interagency guidance is substantively similar to the three agencies’ existing guidance on third party oversight, promulgation of the final guidance is likely to cause banks to re-assess their third party oversight and risk management programs, which may result in new and modified requirements in banks’ playbooks for negotiating agreements with fintechs and other vendors and outsourced providers. 
  2. Guides for Community Bank Engagement with Fintechs
Both the August guide on conducting due diligence on fintechs and the September guide on accessing innovation through partnerships are addressed to community banks and published as voluntary guides rather than binding guidance. However, the guides contain several common themes with the proposed interagency guidance discussed above, and so community banks would be wise to give them attention notwithstanding their “voluntary guide” status. 
 
With the digitization of banking services becoming necessary to remain competitive, fintech partnerships have gained importance for community banks that may not have the IT department or technology budget necessary to keep up with the in-house innovation and development of larger national and multinational banks. The regulators acknowledge that fintech partnerships can provide access to expertise, access to enhanced products and services, increased efficiency, reduction in costs, and enhanced competitiveness for community banks that do not have the tech staff or budget that larger national and multinational banks have for innovation. But, consistent with the proposed interagency guidance, the guides caution community banks to properly oversee their third-party relationships.
 
The August guide on Conducting Due Diligence on Financial Technology Companies focuses on the following six key due diligence topics:
  • Business Experience and Qualifications – assess the fintech’s business experience, overall operational and managerial competence, customer references, assessment of customer complaints and other past operational issues, ownership and license rights to critical intellectual property, use of subcontractors, and other customers;
  • Financial Condition – review the fintech’s financial statements, reports and other financial data to assess its ability to stay in business. The guide also recommends understanding the fintech’s source of funding (e.g., cash flow from operations, debt, or equity injections), the competitive landscape for the fintech, and whether it is reliant on one or a small number of significant clients; 
  • Legal and Regulatory Compliance – evaluate the fintech’s awareness of and compliance with legal and regulatory requirements. Determine if it has the appropriate licenses, search for lawsuits and perform diligence on any legal actions, settlements, enforcement actions, fines and customer complaints; 
  • Risk Management and Controls – evaluate the effectiveness of the fintech’s risk management policies, processes and controls to assess its ability to operate in a safe and sound manner; 
  • Information Security – evaluate the fintech’s information security program to assess the adequacy and integrity of its processes for handling and protecting sensitive data; and 
  • Operational Resilience – evaluate the fintech’s ability to continue or resume operations following a disaster or other disruption event, including evaluation of business continuity and disaster recovery plans, locations of data centers, and the efficacy of responses to prior disruptions. 
The September guide on community banks accessing innovation through partnerships resulted from the Fed’s conversations with over 40 community banks, fintechs and other industry stakeholders. This guide summarizes (i) the different types of partnerships and associated benefits and risks for each and (ii) the key elements of success for those types of partnerships as observed by community banks and their fintech partners. 
 
The guide addresses three types of third-party relationships:
  • Operational technology partnerships – the fintech provides a solution to improve the bank’s internal processes, monitoring capabilities, or technical infrastructure. 
  • Customer-oriented partnerships – the bank uses the fintech to enhance a customer-facing product or activity, such as the bank’s mobile banking app, account opening tools, or P2P tools. Under this model, however, the interaction with the customer is still with the bank. 
  • Front-end fintech partnerships – here the fintech interacts directly with the customer in providing bank products and services. This includes banking-as-a-service offerings. 
Key elements of a successful partnership with fintechs identified in the guide include:
  • Top-down commitment to innovation at the bank. 
  • Alignment on priorities and objectives between the fintech and bank. Here the guide notes that banks prefer to work with fintechs that understand what it means to be a fiduciary and are willing to partner with the bank on its compliance obligations in addition to the technology solution. 
  • A thoughtful approach to connectivity, noting that banks prefer third party solutions that (i) can integrate seamlessly with the bank’s systems, and (ii) facilitate flow of data across bank systems and segments.
____
 

1 Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182-38204 (July 19, 2021).
2 Guidance on Managing Outsourcing Risk, SR Letter 13-19/CA Letter 13-21 (December 5, 2013, updated February 26, 2021).
3 Guidance for Managing Third-Party Risk, FIL-44-2008 (June 6, 2008).
4 Third-Party Relationships: Risk Management Guidance, OCC Bulletin 2013-29 (October 30, 2013).
5 Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29, OCC Bulletin 2020-10 (March 5, 2020).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
