Last week, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies) issued a joint statement highlighting potential risks associated with banks’ arrangements with third parties to deliver bank deposit products and services. While the information is not new, it clearly memorializes the issues that have been at the forefront of recent enforcement actions involving banks operating under a Banking-as-a-Service (BaaS) model.
The agencies’ statement underscores the importance of responsible innovation and compliance with applicable laws and regulations, including consumer protection laws and anti-money laundering (AML) requirements. The statement acknowledges that while banks are not prohibited from engaging in third-party arrangements, they must manage these relationships in a manner consistent with safe and sound practices.
The statement identifies several risks associated with third-party arrangements for delivering deposit products and services:
- Operational and Compliance Risks: Banks that rely heavily on third parties for deposit operations may face heightened risks if they lack adequate initial due diligence and ongoing monitoring. Fragmented operations among multiple third parties can complicate risk assessment and management.
- Access to Records: Insufficient access to crucial information and data maintained by third parties can impair a bank’s ability to determine its deposit obligations, potentially leading to delays in end-users’ access to their deposits.
- Compliance Functions: Reliance on third parties for regulatory compliance functions, such as monitoring suspicious activity and customer identification, increases the risk of non-compliance with regulatory requirements.
- Consumer Protection: Inadequate oversight of third-party arrangements can impact a bank’s compliance with consumer protection laws, such as Regulation E (to investigate and resolve certain payment disputes within required timeframes) and Regulation DD (to provide certain disclosures regarding consumer deposit accounts), and may result in consumer harm.
- Contractual Relationships: Multiple levels of third-party and subcontractor relationships where the bank does not have direct contracts with certain entities may pose challenges to the bank’s ability to identify, assess, monitor, and control various risks.
- New Technologies: Arrangements leveraging new technologies or methods with which bank management lacks experience may result in inadequate risk and compliance management practices.
- Audit Coverage: Weak audit coverage and follow-up processes can reduce the effectiveness of oversight and risk management.
- Growth and Liquidity Risks: Rapid growth resulting from third-party arrangements can strain risk management and operational processes. Significant funding concentrations and liquidity risks may arise, particularly when funding is deployed in illiquid or long-term assets.
- End User Confusion: Misleading statements and marketing by third parties can confuse end users about deposit insurance coverage, potentially leading to regulatory violations.
The agencies emphasize that banks must operate in a safe and sound manner and comply with applicable laws and regulations. Effective board and senior management oversight is crucial to ensure that risk management practices are commensurate with the complexity, risk, size, and nature of the activity and relationship. The statement provides examples of effective risk management practices, including:
- Developing and maintaining appropriate policies and procedures that detail organizational structures, lines of reporting and authorities, expertise and staffing, internal controls, and audit functions.
- Conducting and documenting due diligence that is of sufficient scope and depth to determine whether the bank can rely on third parties to perform certain roles.
- Entering into clear contracts and agreements that clearly define roles and responsibilities of banks and third parties.
- Establishing effective ongoing monitoring processes, commensurate with the risk of each activity and relationship, and sufficient to timely detect any issues.
- Maintaining a clear understanding of management information systems (MIS) that will be used to support the activity, including any obligations and contractual reporting requirements.
- Developing risk-based contingency plans, which address potential operational disruption or business failure at the third party that may disrupt end users’ access to funds, including contractual provisions that facilitate the contingency plans. The contract may address the transfer of the relevant accounts, data, or activities to another entity in the event of the third party’s bankruptcy, business failure, business interruption, or failure to perform as expected.
- Implementing internal controls to mitigate risks. These could include dual control and separation of duties, payment data verification, and clear error processing and problem resolution procedures.
- Ensuring compliance with AML/CFT requirements, including monitoring for and reporting suspicious activity, customer identification programs, and customer due diligence and sanctions compliance.
- Establishing appropriate concentration limits and liquidity risk management strategies. This may include contingency funding plans describing how the bank will respond to unexpected deposit withdrawals and reasonable assumptions, such as non-maturity deposit customer behavior.
- Establishing policies and procedures related to misrepresentations of deposit insurance coverage.
The joint statement builds on last year’s guidance, discussed here, issued by the agencies to banking organizations on managing the risks associated with third-party relationships. The guidance provided suggestions for banking organizations to consider through each stage of their third-party relationship “life cycle” from planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. It also provided a list of items examiners will consider in the scope of their supervisory reviews.