The federal banking regulators (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation) issued a lengthy joint statement on July 25 outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services.
Third-Party Relationships
FinCEN Issues Proposed Rulemaking Aimed at Strengthening and Modernizing AML Programs Across Multiple Industries
On July 3, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) as part of a broader initiative to “strengthen, modernize, and improve” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In addition, the NPRM seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions (“FIs”) and the government.
This NPRM implements Section 6101 of the Anti-Money Laundering Act of 2020 (the “AML Act”). It also follows up on FinCEN’s September 2020 advanced notice of proposed rulemaking soliciting public comment on what it described then as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (‘BSA’) . . . . to re-examine the BSA regulatory framework and the broader AML regime[,]” to which FinCEN received 111 comments.
As we will discuss, the NPRM focuses on the need for all FIs to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program. The NPRM also focuses on how consideration of FinCEN’s AML/CFT Priorities must be a part of any risk assessment. However, with regard to certain important issues, such as providing comfort to FIs to pursue technological innovation, reducing the “de-risking” of certain FI customers, and meaningful government feedback on BSA reporting, the NPRM provides nothing concrete.
FinCEN has published a five-page FAQ sheet which summarizes the NPRM. We have created a 35-page PDF, here, which sets forth the proposed regulations themselves for all covered FIs.
The NPRM has a 60-day comment period, closing on September 3, 2024. Particularly in light of the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation, this rulemaking, once finalized, presumably will be the target of litigation challenging FinCEN’s interpretation of the AML Act.
Treasury Issues Request for Information on Use of AI in Financial Services
The U.S. Department of the Treasury (“Treasury”) has released a Request for Information on the Uses, Opportunities, and Risks of Artificial Intelligence (“AI”) in the Financial Services Sector (“RFI”). Written comments are due by August 12, 2024.
AI is a broad topic and the term is sometimes used indiscriminately; as the RFI suggests, most AI systems being used or contemplated in the financial services sector involve machine learning, which is a subset of AI. The RFI implicitly concedes that Treasury is playing “catch up” and quickly needs to learn more about AI and how industry is using it. The RFI discusses a vast array of complex issues, including anti-money laundering (“AML”) and anti-fraud compliance, as well as fair lending and consumer protection concerns – particularly those pertaining to bias.
Federal Banking Agencies Issue Guide to Third-Party Risk Management Practices for Community Banks
On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.
The Guide serves as a companion to the Interagency Guidance on Third-Party Relationships: Risk Management issued in June 2023 (on which we blogged, here). It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.
The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.
However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks. Banks are still accountable for executing all activities in compliance with applicable laws and regulations. “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).” Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.” The Guide sets forth this concept in bold, on the first page.
The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers. Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions with regard to effective third-party risk management.
Recent FDIC Consent Orders Reflect Ongoing Scrutiny of Bank Relationships with Fintechs
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks that partner with fintechs to offer “banking as a service” (BaaS). The consent orders relate to safety and soundness concerns regarding compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight.
BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer. A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms. BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.
These two consent orders do not arise in a vacuum. In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here. Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.
OCC Risk Perspective Report Focuses on Third-Party Relationships with Fintechs
In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks.
Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships. We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.
Federal Banking Agencies Issue Guide for Community Banks on Conducting Due Diligence on Fintech Companies
The OCC, FDIC, and Federal Reserve Board have issued a guide that is intended to assist community banks in conducting due diligence when considering relationships with financial technology (fintech) companies (Guide).
The issuance of the Guide follows the agencies’ July 2021 release of proposed interagency guidance for banking organizations on managing risks associated with third-party…