The Board of Governors of the Federal Reserve System (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued the long-awaited final Interagency Guidance On Third-Party Relationships: Risk Management (Final Guidance) on June 6, 2023. The Final Guidance replaces the disparate set of guidance and FAQs separately issued by the Agencies over the years, thereby bringing greater consistency to supervisory expectations for banks in managing risks arising from their business relationships with service providers, contract counterparties, and other third parties.
The Final Guidance will be of particular interest to fintech companies, especially those that partner with or are looking to partner with banks. The Final Guidance explicitly calls out bank-fintech partnerships as within its purview, underscoring the potential risks raised by partnerships that involve novel or complex structures, as well as arrangements where the fintech company rather than the bank serves as the main point of contact for interactions with the end user (such as certain banking-as-a-service models).
Fintech companies that currently partner with banks, or are seeking to, should pay close attention to the Final Guidance, as it is now the definitive source of guidance on supervisory expectations and also a sign of greater supervisory scrutiny of such partnerships. Small banks, which many fintech companies tend to partner with, will likely find the new guidance challenging to implement. In a rare dissenting statement, Federal Reserve Governor Bowman predicted that more resources will be needed to “ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.” The Final Guidance notes that the Agencies plan to develop, but have not yet developed, these additional resources to assist community banks and other smaller banks. Consequently, fintech companies looking to partner with banks, especially small banks, should be prepared for a more rigorous and potentially drawn-out diligence process with their potential bank partner, as well as ongoing monitoring.
Overview of the Final Guidance
Banking organizations are required to operate in a safe and sound manner and in compliance with applicable regulations, whether their activities are performed internally or outsourced to a third party. Operating in a safe and sound manner requires a bank to establish risk management practices governing its activities, including risks arising from its third-party relationships. The Final Guidance provides sound risk management principles that banks can use when developing and implementing risk management practices to assess and manage risks associated with third-party relationships.
The Final Guidance is striking in its expansive scope. It broadly defines third-party relationships, encompassing any business arrangement between a banking organization and another entity, whether the arrangement is formalized by contract or otherwise established. Included in the scope of third-party relationships are:
- outsourced services,
- the use of independent consultants,
- referral arrangements,
- merchant payment processing services,
- services provided by affiliates and subsidiaries, and
- joint ventures.
Importantly, the Final Guidance emphasizes that a bank’s use of such third parties does not diminish or remove its responsibility to operate in a safe and sound manner and to ensure compliance with applicable regulations, such as those related to consumer protection and financial crimes. In issuing the Final Guidance, the Agencies sought to promote consistency in supervisory approaches to third-party risk management: each agency’s existing guidance on the topic is rescinded and replaced by the Final Guidance.
Key Considerations for Fintech Companies
The Final Guidance lays out a risk management framework that outlines a series of essential steps for banking organizations that partner with fintech companies, including engaging in sufficient planning, conducting due diligence for third-party selection, negotiating contracts, monitoring on an ongoing basis, and, if necessary, effecting efficient termination. The Final Guidance also details a set of best practices for governance of third-party risk management, including oversight and accountability, independent reviews, and documentation and reporting.
Fintech companies seeking to enter into partnerships with banks should take note of the following key areas in the Final Guidance:
1. Heightened due diligence requirements
The Final Guidance calls for the scope and degree of a bank’s due diligence to align with the level of risk and complexity of the third-party relationship. Fintech companies should pay particular attention to this requirement, as the Final Guidance states that greater operational or technological complexity leads to increased risk. It is likely that a fintech company preparing to partner with a bank will have to undergo more thorough and rigorous due diligence with the bank. If the fintech company will perform higher-risk activities, including critical activities, the Final Guidance calls for more comprehensive diligence.
The Final Guidance sets forth a wide range of topics that, as part of its due diligence, a banking organization should consider about a third party:
- strategies and goals;
- legal and regulatory compliance;
- financial condition;
- business experience;
- the qualifications and backgrounds of key personnel and other human resources considerations of a third party;
- risk management;
- information security;
- management of information systems;
- operational resilience;
- incident reporting and management process;
- physical security;
- reliance on subcontractors;
- insurance coverage; and
- contractual arrangements with other parties.
2. Contract negotiation
The Final Guidance stresses the importance of contract negotiation for banks when entering into third-party arrangements. While a fintech company may initially seek to offer its own standard contract or form provisions, a bank may seek modifications, resulting in a more involved and drawn-out negotiation than a fintech might expect to encounter with other entities. On the basis of the Final Guidance, fintech companies should therefore expect greater attention from banks than from their typical transaction counterparties to the following commercial terms:
- nature and scope of the arrangement;
- performance measures or benchmarks;
- responsibilities for providing, receiving, and retaining information;
- the right to audit and require remediation;
- responsibility for compliance with applicable laws and regulations;
- cost and compensation;
- ownership and license;
- confidentiality and integrity;
- operational resilience and business continuity;
- indemnification and limits on liability;
- dispute resolution and customer complaints;
- foreign-based third parties;
- default and termination; and
- regulatory supervision.
Moreover, the Final Guidance states that if a contract is unacceptable for a bank, the bank may consider other approaches, such as looking to bring the activity in-house or looking to other third parties. Accordingly, it will be important for fintech companies negotiating with banks to ensure that they are adequately protecting their own interests and, at the same time, address where appropriate the many areas of focus that their bank counterparty is now expected to scrutinize. For additional insights into strategic approaches to contracting for fintech companies, please see a recent article the co-authors have written separately discussing “Financial Infrastructure as a Service: Top Legal Considerations for Innovators.”
3. Ongoing monitoring
The Final Guidance also requires banks to engage in ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party. Fintech companies should expect the following examples of typical monitoring activities from their bank partner:
- review of reports regarding their performance and the effectiveness of their controls;
- periodic visits and meetings with their representatives to discuss performance and operational issues; and
- regular testing of the bank’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities (in certain circumstances, based on risk, a bank may also perform direct testing of the third party’s own controls).
Awareness of the areas of supervisory sensitivity will be critical to a fintech company’s success in partnering with a bank to deliver banking services.
The Agencies declined to establish any “safe harbors” in the Final Guidance, even for small banks. Rather, key to the third-party risk management framework—as contemplated under the Final Guidance—is the need for banks to tailor their risk management practices commensurate to their size, complexity, risk profile, and the nature of their third-party relationships. This tailored approach acknowledges the variety among different third-party relationships and the unique challenges that arise from such relationships. However, given the breadth of the Final Guidance, this tailoring may be easier said than done, particularly for community banks.
With respect to supervisory exams of a bank’s third-party risk management, the Final Guidance noted that supervision will also be tailored based on the degree of risk and the complexity associated with the bank’s activities and its third-party relationships. While the Final Guidance focuses on bank responsibility for third-party arrangements, it also recognizes that in certain circumstances, an agency may examine the functions or operations that a third party performs on behalf of a banking organization, allowing the Agencies the flexibility needed to address the unique challenges faced by the range of banking organizations and their various types of third-party relationships. In these cases, the agency may address violations of laws and regulations through corrective measures, including enforcement actions, to address unsafe practices by the third party.
Small banks in particular are likely to face challenges in implementing the Final Guidance and some degree of uncertainty in meeting supervisory expectations, which may translate to more challenging contract negotiation dynamics for fintech companies and greater hesitation by banks to enter into innovative arrangements. As bank-fintech partnerships increase in their complexity and incorporate novel strategies or technologies, the Agencies will require banks to step up their risk management, which their fintech partners will need to address.
Note: SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021); FIL–44–2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance,” and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.”