On July 25, 2024, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) issued a joint statement to banks regarding risks associated with working with third parties to provide bank deposit products and services to customers (“Joint Statement”). The Agencies also issued a request for information (RFI) to solicit comment on bank-fintech arrangements that involve banking products and services delivered to end users. The issuance of the Joint Statement and RFI follows final joint guidance on managing risks associated with third-party relationships and an increase in enforcement actions levied by the Agencies related to bank-fintech arrangements.

Joint Statement

While the Agencies make clear they support responsible innovation and the use of third-party arrangements, the Joint Statement is a reminder that a bank’s use of third-party arrangements to deliver deposit products and services to customers does not diminish the compliance obligations of the bank. The Joint Statement does not set forth new supervisory expectations or alter existing legal or regulatory requirements.

The Agencies also acknowledge that while third-party arrangements can provide benefits to banks such as raising deposits and increasing revenue, the “evolution and expansion of these arrangements” has led to greater complexity. As a result, the Agencies highlight the following potential risks that each bank should consider in structuring and operationalizing third-party relationships for delivery of banking products and services to end customers.

Potential Risks

The Joint Statement lists potential operational and compliance risks to consider, including among others:

• Substantially relying on third parties to manage a bank’s deposit operations;
• Fragmented operational functions for deposit products and services among multiple third parties;
• Potential lack of sufficient access by a bank to the deposit and transaction system of record and other crucial information and data maintained by the third party;
• Reliance on third parties to perform regulatory compliance functions; and
• Insufficient oversight of third-party arrangements that may impact a bank’s compliance with certain consumer protection laws and regulations.

Potential growth risks associated with third-party arrangements cited in the Joint Statement include:

• A third party’s incentives to grow their business may be misaligned with the bank’s regulatory obligations;
• A bank outgrowing its operational capabilities due to an increase in volume or size of these arrangements;
• Significant and rapidly increasing funding concentrations;
• Difficulty in managing emerging liquidity risks as a result of a significant portion of a bank’s assets being attached to a single third-party; and
• Increased pressure on capital levels due to rapid balance sheet growth.

The Joint Statement also flags potential risks pertaining to end user confusion and misrepresentation of deposit insurance coverage. These potential risks include:

• Misleading statements and marketing in which nonbank third parties are reasonably mistaken for an insured depository institution by end users; and
• Violating regulatory obligations due to an arrangement that provides inaccurate or misleading information regarding the extent to which, or manner by which, deposit insurance coverage is available.

Risk Management Practices and Considerations

The Joint Statement sets forth effective governance and risk management practices for banks to consider as they manage their third-party arrangements, including:

• Operationalizing appropriate policies and procedures designed to mitigate risks;
• Employing risk assessments that identify and analyze risks specific to the features of each arrangement;
• Conducting sufficient due diligence on third parties;
• Entering into contracts that clearly define roles and responsibilities of banks and third parties;
• Assessing potential risks when the bank does not have a direct contractual relationship with all parties with significant roles in the arrangement; and
• Establishing ongoing monitoring processes.

The Joint Statement highlights the importance of a bank having adequate policies, procedures, oversight, and controls to help ensure that the bank complies with applicable AML/CFT and sanctions requirements. It also notes the importance of establishing liquidity risk management strategies, as well as maintaining capital adequacy. In addition, the Agencies recommend that banks conduct analysis on whether parties involved in the arrangement may meet the definition of a deposit broker under 12 U.S.C. § 1831f and whether there are any associated reporting obligations.

Request for Information

The Agencies issued an RFI requesting feedback on complex bank-fintech arrangements. These include arrangements involving deposit-taking activities, payment activities, and lending products and services. The Agencies are requesting comment on the nature and implications of bank-fintech arrangements in connection with a variety of financial services and effective third-party risk management practices for banks.

In particular, the Agencies ask for information about the role of “intermediate platform providers” or “middleware providers,” which act as intermediaries between banks and fintech companies. Generally, intermediate platform providers, as defined in the RFI, enable individual banks to connect with numerous fintech companies, and provide technological, operational, and information services that enable individual banks to connect with numerous fintech companies more seamlessly. The RFI notes that an intermediate platform may enter into its own arrangements with banks and third parties to provide these services, and cautions that use of an intermediate platform provider further distances the bank from the end user.

The RFI also requests comments on topics such as (i) the different ways in which bank-fintech arrangements may be structured, (ii) risk management, and (iii) the impact of arrangements on end user access to different financial products and services.

The Agencies also ask whether enhancements to existing supervisory guidance could help to address the risks associated with bank-fintech arrangements.

Comments on the RFI are due by September 30, 2024.

Key Takeaways

Although by its terms, the Joint Statement does not impose any additional or altered legal requirements on banks, it indicates that bank-fintech arrangements are going to be subject to increased scrutiny by the Agencies and that the Agencies understand that these arrangements may be unique from other relationships between a bank and third-party vendor. In her statement issued in connection with the Joint Statement, Governor Michelle Bowman offered a slightly different view, expressing concern about the “disjointed approach” to guidance that the Agencies are taking with respect to bank-fintech relationships as providing insufficient clarity on the Agencies’ supervisory expectations. Governor Bowman also stated that while she supports the RFI, she hopes that it does not lead to duplicative or contradictory guidance or result in unnecessarily restricting innovation in the banking system.

When viewed along with the number of recent enforcement actions by the Agencies in the fintech space, the Joint Statement could increase the compliance and risk mitigation standards a bank may decide to contractually impose on its fintech partners and their third parties. Generally, fintechs will have to expect more stringent and thorough compliance demands and expectations from banks when entering into a partnership, and fintechs will have to make more significant investments to comply with such expectations.

This continues to be an emerging space that will continue to evolve as the Agencies stated they are considering whether additional steps could help ensure that banks effectively manage risks associated with banks’ third-party arrangements. Stay tuned for market and regulatory updates.

[View source.]