
Last week the Federal Reserve, OCC and FDIC released updated guidance for US banks on how to manage third-party relationships. The 68-page document aims to unify regulators' messaging amid a spate of enforcement actions that have sent ripples through the fintech ecosystem and prompted calls for more clarity on how banks and fintechs should partner.
The new guidance doesn’t create additional requirements for banks, but it does offer a lot of tactical advice on how banks should manage the risks of fintech partnerships; we break this down in more detail below. Fintechs also get a better picture of their own responsibilities in these partnerships, though it’s worth calling out the major regulatory questions the guidance does not address, which will notably affect segments including data aggregation, lending, and Banking-as-a-Service.
At a baseline, the new guidance is likely to increase investment in third-party risk management across the banking industry. The overall effect of this will be [Spoiler Alert] an increase in the cost of compliance for a large share of banks and their fintech partners. This presents its own opportunities for finding ways to help banks, particularly smaller and less-resourced institutions, meet industry-wide risk management practices.
We’ll tackle what the guidance means practically in this two-part series covering:
[This piece] How banks should interpret this guidance;
[Part II] How fintechs can prepare for the implementation of this guidance, and what questions are still outstanding.
Guidance breakdown for banks
Who is this guidance for?
While all organizations within fintech should consider how they approach managing the risks associated with third-party relationships, this guidance is specifically written for US banks of all sizes. The guidance strives to balance clarity with flexibility so banks can have a clear understanding of what’s expected, while still creating a set of policies and procedures that are appropriate for that bank.
First, what is a “third party”?
A third party is any service provider, business partner, distributor, or agent of the bank. This includes technology vendors, professional service firms, and distribution partners. In fintech, this can take the form of Banking-as-a-Service providers, digital banking services, and RegTech. While fintechs should be running their own risk management programs for their third-party relationships (including the banks they work with!), the guidance is specifically focused on risk management where the “first party” is the bank.
Third-party relationship risks
Banks are able to improve and diversify their offerings through partnerships with third-party firms, though those partnerships also introduce risk. As examples:
Data security: A breach at a third party can expose the bank’s customer data, and the bank remains accountable to its customers and regulators for that exposure even though the compromise happened outside its own systems.
Financial stability: If a third-party partner fails, it could impact the bank's financial stability.
Compliance: Banks need to ensure that their third-party partners are compliant with all applicable laws and regulations. If a third-party partner is not compliant, it could expose the bank to fines or penalties.
Reputation: Even if a third-party is operating in compliance, unpopular business practices can affect the reputation of the bank.
To mitigate these and other risks, banks are expected to run thoughtful risk management programs. Previous guidance sought to offer clarity on expectations and best practices. However, as then-Comptroller of the Currency Thomas J. Curry stated, there were still “... concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic.”
What is in the guidance?
The 2013 guidance called out some activities that banks should be doing to mitigate the risks involved in working with third parties. Those activities included:
Developing a plan on how the bank will select, assess, and oversee the third party.
Performing proper due diligence on the provider.
Negotiating written contracts outlining rights and responsibilities of all parties.
Conducting ongoing monitoring of the third party.
Transition planning.
The updated 2023 guidance does not add new requirements on top of these activities, but it does introduce new areas of emphasis and further clarifications of the previous guidance.
The tl;dr
Risk management should be “commensurate with the level of risk and complexity of the relationship and the activity performed by the third party.” Risk-adjusted steps in partnering with third parties can include:
Documenting the activities performed by the third party.
Understanding the risks involved with that relationship.
Determining the appropriate actions to mitigate associated risks throughout the full relationship life cycle: Planning -> Due Diligence & Selection -> Contract Negotiation -> Ongoing Monitoring -> Termination.
Higher risk or critical activities may warrant:
Plan sign-off from the board of directors (or a designated board committee).
Documentation on the partner’s financial condition, business experience, qualifications of key personnel, risk management approach, operational resilience, use of subcontractors, information security, and other impactful areas.
Contingency planning for termination of relationship.
Considering how limited diligence information might necessitate additional monitoring efforts.
The guidance contemplates many areas in depth. A few we found particularly interesting:
Subcontractors
“Fourth parties”, the subcontractors and related parties of a bank’s third parties, pose additional risks.
It can be challenging to get a full picture of the relationships between a third party and its subcontractors, but the guidance places particular focus on subcontractors that provide a material service, have access to sensitive nonpublic information, perform higher-risk and critical activities, access the banking organization’s infrastructure, or sit within extended chains of subcontractors.
It can be impractical to expect a banking organization to assess or oversee all subcontractors of a third party given the lack of direct relationships. The final text promotes flexibility while encouraging a thorough understanding of the access and impact fourth parties can have.
Independent testing of third-party service providers
This is a bit circular, but if a bank engages a firm to monitor its providers, that firm is itself a third party and should undergo the same diligence and screening as the providers it monitors.
The importance of communication and coordination between the bank's risk management and business units
Proper staffing: “To support effective monitoring, a banking organization dedicates sufficient staffing with the necessary expertise, authority, and accountability to perform a range of ongoing monitoring activities, such as those described above."
What does this guidance mean, practically?
The guidance seeks to balance providing enough flexibility for banks to implement risk management in the best way for their institution while being specific enough to determine if a banking institution is putting sufficient effort into risk management. It does this by focusing suggestions on the risks a third-party brings to the bank and its customers.
This approach bakes in enough flexibility for the guidance to apply to banks with various types of third-party relationships. However, this does put the obligation on the bank to have an effective process for understanding, documenting and mitigating the impact, access, and role a third party will play.
“Regardless of a banking organization’s approach, applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight is key for effective risk management.” (Page 10)
It will be increasingly important to have, and uniformly apply, policies, procedures and processes that speak to third-party diligence. One approach relies on documenting the risk level of a third party by risk category, e.g. whether and how the third party is involved in “critical activities”. Applying a numeric scoring system with clearly defined scoring rules can additionally drive consistency across reviewers and across vendors.

The bank can then use the documented expected impact and associated risks of the third party to determine the appropriate level of oversight and ongoing monitoring. In order to thoughtfully fill out the rubric, it might be necessary to ask subject matter experts to opine or build a review team that has expertise across the categories.
For example, a third party scoring high risk on “Access to PII” should undergo a thorough IT security review, and the banking organization may consider reviewing System and Organization Controls (SOC) reports or independent certifications against relevant standards (ISO/IEC 27001, for example). One caveat: a SOC report only covers the systems, controls and time period in its stated scope, so the reviewer should check that the service the bank actually consumes is in scope and read any noted exceptions rather than treating the report as a blanket attestation.
Below we’ve visualized a portion of an example set of procedures to help illustrate the concept of risk and response over the relationship lifecycle.

In Part 2, we’ll analyze how banks’ application of this guidance impacts fintechs on the other side of the third-party risk management equation.
We'd love your thoughts
Have insights or questions? Join the discussion in TWIF's Slack community!
🧵 Thread for comments in #compliance_and_regulation.

