Third-Party Relationships

On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.

The Guide serves as a companion to the Interagency Guidance on Third-Party Relationship: Risk Management issued in June 2023 (on which we blogged, here).  It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.

The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.

However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks.  Banks are still accountable for executing all activities in compliance with applicable laws and regulations.  “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).”  Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.”  The Guide sets forth this concept in bold, on the first page. 

The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers.   Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions in regards to effective third-party risk management. 

Continue Reading  Federal Banking Agencies Issue Guide to Third-Party Risk Management Practices for Community Banks

In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks who partner with fintechs to offer “banking as a service” (BaaS) related to safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight. 

BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer.  A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms.  BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

These two consent orders do not arise in a vacuum.  In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.

Continue Reading  Recent FDIC Consent Orders Reflect Ongoing Scrutiny of Bank Relationships with Fintechs

In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system.  In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks. 

Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.  We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.

Continue Reading  OCC Risk Perspective Report Focuses on Third-Party Relationships with Fintechs

The OCC, FDIC, and Federal Reserve Board have issued a guide that is intended to assist community banks in conducting due diligence when considering relationships with financial technology (fintech) companies (Guide).

The issuance of the Guide follows the agencies’ July 2021 release of proposed interagency guidance for banking organizations on managing risks associated with third-party