Last week the Federal Reserve, OCC and FDIC released updated guidance for US banks on how to manage third-party relationships. The 68-page document aims to unify regulators' messaging amid a spate of enforcement actions that have sent ripples through the fintech ecosystem and prompted calls for more clarity on how banks and fintechs should partner.

The new guidance doesn’t create additional requirements for banks, but does offer a lot of tactical advice on how banks should manage risks associated with fintech partnerships– we'll break this down in more detail below. Fintechs are also getting a better understanding of their own responsibilities in these partnerships, though it’s worth calling out the major regulatory questions not being addressed here that will notably affect segments including data aggregation, lending, and Banking-as-a-Service.

At a baseline, the new guidance is likely to increase investment in third-party risk management across the banking industry. The overall effect of this will be [Spoiler Alert] an increase in the cost of compliance for a large share of banks and their fintech partners. This presents its own opportunities for finding ways to help banks– particularly smaller, relatively less-resourced institutions– meet industry-wide risk management practices.

We’ll tackle what the guidance means practically in this two-part series covering:

1. [This piece] How banks should interpret this guidance;
2. [Part II] How fintechs can prepare for the implementation of this guidance– and what questions are still outstanding.

Guidance breakdown for banks

Who is this guidance for?

While all organizations within fintech should consider how they approach managing the risks associated with third-party relationships, this guidance is specially written for US banks of all sizes. The guidance strives to balance clarity with flexibility so banks can have a clear understanding of what’s expected, while still creating a set of policies and procedures that are appropriate for that bank.

First, what is a “third party”?

A third party is any service provider, business partner, distributor, or agent of the bank. This includes technology vendors, professional service firms, and distribution partners. In fintech, this can take the form of Banking-as-a-Service providers, digital banking services, and RegTech. While fintechs should be running their own risk management programs with their third party relationships (including banks they work with!), the guidance is specifically focused on risk management where the “first-party” is the bank.

Third-party relationship risks

Banks are able to improve and diversify their offerings through partnerships with third-party firms, though those partnerships also introduce risk. As examples:

• Data security: If a third party has a data breach, it can leak the bank’s customers’ data.
• Financial stability: If a third-party partner fails, it could impact the bank's financial stability.
• Compliance: Banks need to ensure that their third-party partners are compliant with all applicable laws and regulations. If a third-party partner is not compliant, it could expose the bank to fines or penalties.
• Reputation: Even if a third-party is operating in compliance, unpopular business practices can affect the reputation of the bank.

To mitigate these and other risks, banks are expected to run thoughtful risk management programs. Previous guidance sought to offer clarity on expectations and best practices. However as then-Comptroller of the Currency Thomas J. Curry stated, there were still “... concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic.”

What is in the guidance?

The 2013 guidance called out some activities that banks should be doing to mitigate the risks involved in working with third parties. Those activities included: