Banking regulators have issued a joint statement outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services and examples of risk management practices to manage such potential risks.

The joint statement does not establish new expectations for financial institutions, the regulators said. “This statement reemphasizes existing guidance; it does not alter existing legal or regulatory requirements or establish new supervisory expectations,” the FDIC, OCC and Federal Reserve Board, said in releasing the statement. 

The banking agencies issued guidance for risk management with third-party relationships in June, 2023. In May, the regulators issued a guide to third-party risk management at community banks.

 In addition to the list of potential risks, the agencies published a request for information and comment on the relationships banks have with fintechs.

“The agencies support responsible innovation and support banks in pursuing third-party arrangements in a manner consistent with safe and sound practices and in compliance with applicable laws and regulations, including, but not limited to, those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering),” the agencies said.

As they have in the past, the agencies warned that “a bank’s use of third parties to perform certain activities does not diminish its responsibility to comply with all applicable laws and regulations.”

Potential Risks 

Operational and Compliance

• Significant operations performed by a third party: Those operations may place a heavy reliance on third parties to manage a bank’s deposit operations and can reduce a bank’s existing controls over the deposit function.
• Fragmented operations: Fragmented operational functions for deposit products among several third parties may make it more difficult for the bank to assess risks and assess if all third parties can perform assigned functions as intended.
• Lack of access to records: A lack of access by a bank to the deposit and transaction system of record and other crucial information maintained by the third party can impair the bank’s ability to determine its deposit obligations.
• Third parties performing compliance functions: Reliance on third parties to perform regulatory compliance tasks may increase the risk of the bank failing to meet its regulatory requirements.
• Insufficient risk management to meet consumer protection obligations: Insufficient oversight of these arrangements may impact a bank’s compliance with consumer protection laws and regulations.
• Lack of contracts: Multiple levels of third-party and subcontractor relationships, in which the bank does not have direct contracts with third parties, may pose challenges to the bank’s ability to identify and monitor various risks.
• Lack of experience with new methods: Arrangements leveraging new methods of facilitating deposit products may result in inadequate risk and compliance management practices.
• Weak audit coverage: Lack of sufficient audit scope and coverage, follow-up processes, and remediation may result in inadequate oversight.

Growth

• Misaligned incentives: A third party’s incentives may not align with those of the bank, such as when a third party may have the incentive to promote growth in a manner that is not aligned with the bank’s regulatory obligations.
• Operational capabilities lag growth: Rapid growth as a result of these arrangements may result in risk management and operational processes struggling to keep pace.
• Financial risks from funding concentrations: Arrangements may result in a significant increase in funding concentrations, which may make it more challenging for the bank to manage and mitigate liquidity and funding risks.
• Inability to manage emerging liquidity risks: Arrangements where a significant proportion of a bank’s deposits or revenue are associated with a third party may pose liquidity risks; as a result, the bank may be reluctant to make decisions necessary to manage those risks, including, if necessary, to terminate the arrangement.
• Pressure on capital levels: Arrangements may result in material and rapid balance sheet growth without commensurate capital formation.

End User Confusion and Misrepresentation of Deposit Insurance Coverage

• Potentially misleading statements and marketing: Third-party arrangements for the delivery of deposit services can pose risks of end-user confusion related to deposit insurance.
• Regulatory violations: Inaccurate or misleading information regarding the extent or manner under which deposit insurance coverage is available could constitute a violation under 12 C.F.R. Part 328, Subpart B.

The agencies have observed examples of effective risk management practices that a bank may consider when managing third-party arrangements for the delivery of deposit products and services

Those include:

Governance and Third-Party Risk Management

• Developing and maintaining appropriate policies that provide details about organizational structures, lines of reporting and authorities, expertise and staffing, internal controls, and audit functions to ensure that risks are understood and mitigated.
• Developing appropriate risk assessments that identify risks specific to features of each arrangement.
• Conducting and documenting due diligence that allows the bank to determine if it can rely on third parties to perform the various necessary roles to deliver deposit products and services on the bank’s behalf.
• Entering into contracts and agreements that clearly define roles and responsibilities of banks and third parties and enable banks to manage the risks of the arrangements effectively.
• Assessing potential risks when the bank does not have a direct contractual relationship with all parties with significant roles to determine whether and how such risks can be sufficiently mitigated.
• Establishing effective monitoring processes, commensurate with the risk of each activity and relationship.

Managing Operational and Compliance Implications

• Maintaining a clear understanding of any management information system (MIS) that will be used to support the activity, including any obligations and contractual reporting requirements when the deposit and transaction system of record is managed through the third party or through a subcontractor to another party.
• Developing and maintaining risk-based contingency plans, which address potential operational disruption or business failure at the third party that may disrupt end users’ access to funds, including contractual provisions that facilitate the bank’s contingency plans.
• Implementing internal controls to mitigate risks inherent in deposit functions.
• Establishing adequate policies and oversight to help ensure the bank complies with applicable laws and regulations, including consumer protection requirements.

Managing Growth, Liquidity, and Capital Implications

• Establishing appropriate concentration limits, diversification strategies, liquidity risk management strategies, and exit strategies, as well as maintaining capital adequacy.
• Performing appropriate analysis to determine whether parties involved in the placement of deposits meet the definition of a deposit broker under 12 U.S.C. § 1831f and implementing regulations, 12 C.F.R. § 337.6, and appropriately reporting any such deposits as brokered deposits in the Call Report.

Addressing Misrepresentations of Deposit Insurance Coverage

• Establishing policies and procedures and developing prudent risk management practices for certain deposit-related arrangements to ensure compliance with 12 C.F.R. Part 328, Subpart B, which prohibits misrepresentation of deposit insurance.
• Ensuring such policies and procedures include, as appropriate, provisions related to monitoring and evaluating activities of persons that facilitate access to the bank’s deposit-related services or products to other parties, as required under Part 328

[View source.]