Banking Regulators Release Guidance on Third-Party Partnerships

Cooley alert
June 15, 2023

On June 6, 2023, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (OCC) issued final joint guidance on managing risks associated with third-party relationships. Promulgated after publication of the July 2021 proposed guidance and stakeholder comments on it, this final guidance details a risk-based approach to evaluating, negotiating and monitoring third-party partnerships, under which banks are expected to apply more scrutiny to partnerships that are more complex, risky or operationally critical. While the guidance specifically notes the “significant benefits” of third-party partnerships, such as those with fintechs, the regulators emphasize the risks that third-party relationships present – and they note that the use of third parties does not relieve a banking organization of its responsibility to comply with existing laws and regulations. This guidance replaces each agency’s existing guidance on third-party relationships.

Risk-based approach to third-party partnerships

The guidance emphasizes that to facilitate sound risk management, banks should adopt risk management practices that are “commensurate with the level of risk and complexity of their respective third-party relationships.” As such relationships present different levels and types of risk, not all third-party relationships require the same extent of oversight or risk management, and it is the responsibility of each banking organization to determine the risks associated with each third-party partner and calibrate its risk management processes accordingly.

The guidance does not prescribe specific requirements for oversight of third parties, but it sets forth “principles” and “examples of considerations” that may be relevant to a banking organization throughout the risk management life cycle, based on its specific third-party relationships. For example, the regulators suggest that banks consider:

  • Maintaining a complete inventory of their third-party relationships and conducting periodic risk assessments of each relationship.
  • Conducting proper due diligence, including evaluating whether a third party has the proper licenses or approvals to operate and the third party’s subcontracting arrangements.
  • Reviewing whether contracts specify the legal obligations of each party to comply with applicable laws and regulations.

The guidance specifically addresses the growing prevalence of fintech partnerships under “new or novel” arrangements with banking institutions. Suggesting that such arrangements may carry new or increased risk due to, for example, the differing roles and responsibilities of fintechs and banks as compared to other third-party relationships and each party’s different level of interaction with customers, the guidance notes that banks must “understand how the arrangement with a third party … is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly.”

This guidance extends to any “business arrangement” between a banking organization and another entity, including those not structured by contract. Despite comments from industry suggesting the term “business arrangement” (which is meant to be synonymous with the term “third-party relationship”) was overly broad, the regulators suggest that the terms are intentionally expansive, intended to capture not only the “full range of third-party relationships that may pose risk to banking organizations,” but also types of partnerships that may develop in the future.

In addition, the FDIC clarified in a Financial Institution Letter issued along with the guidance that relationships between banks and their direct customers of “traditional bank products and services (such as deposit accounts or retail or commercial loans) would not be addressed in a third-party risk management framework and are covered by the various risk management processes and rules that apply to traditional lending and deposit relationships.” However, bank relationships with third parties engaged in lending, payment or deposit activities “for the benefit of the bank or through the bank should be evaluated by banks using both the third party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships.”

Historical and continued focus on third-party risks

While prudential regulators have a long-standing history of emphasizing the potential risk of third-party partnerships (such as through the now rescinded 2008 FDIC guidance on third-party risk, the 2013 Fed guidance, and the 2013 OCC guidance and 2020 FAQs), we have seen enhanced activity in this arena likely due to the rise of banking as a service, digital banking, and increased vendor usage and the associated increase of third-party relationships.

In March of this year, the FDIC took action against a bank that made loans in connection with a fintech partnership, suggesting the bank “engaged in … unsafe or unsound banking practices related to its compliance with applicable fair lending laws and regulations.” The consent order requires the bank to implement third-party compliance oversight and internal controls, including conducting a risk assessment of all third-party relationships to identify fair lending risks and obtaining the FDIC’s approval for any new third-party partners, among other requirements. Similarly, the OCC in September 2022 assessed penalties against a bank for “unsafe or unsound practice(s), including those relating to third-party risk management.” The agreement with the OCC requires the bank to, among other things, “implement and thereafter adhere to a written program to effectively assess and manage the risks posed by third-party fintech relationships … commensurate with the level of risk and complexity” of those partnerships.

Fintech companies that partner with banks likely will see enhanced compliance obligations and oversight as banks continue to see increased regulatory scrutiny in connection with such partnerships.
