Third-party guidance spurs US bank rethink on fintech partners

Bankers in the US are warning that final interagency guidance on third-party risk management could force them to rethink their efforts at partnering with fintech firms—one of the ways in which they currently try to foster innovation in the discipline.

“We are a bit complacent in dealing with risks from fintech because we always think of them as small players,” says the head of third-party risk management at one global bank. “We overlook the fact that they can become integral to our functioning in a very short period of time.”

For this reason, the new regulatory guidance is now much-needed by the industry, he says—most banks have not given enough attention to the risks posed by such arrangements.

The final guidance introduces greater specificity, particularly in the areas of fintech partnerships and due diligence process, setting a higher compliance standard for banks.

“Banks regulated by the Federal Reserve and the Federal Deposit Insurance Corporation are faced with a considerable amount of work, as the new guidance is much more prescriptive than the previous versions,” says a senior enterprise risk manager at one US bank.

The long-awaited guidance, issued jointly on June 6 by the Federal Reserve, the FDIC and the Office of Comptroller of the Currency (OCC), draws heavily on the OCC’s 2013 guidance, along with its list of frequently asked questions, published in 2020, and responses to the original consultation in July 2021. It replaces each agency’s existing general guidance on third-party risk management with a principles-based, consistent directive.

Compared with the initial proposal in 2021, the final version places greater emphasis on a risk-based approach, granting banks flexibility to tailor their third-party risk management programs according to the specific level of risk, complexity and size of their organizations, and the nature of their third-party relationships.

Linda Tuck Chapman, chief executive officer of the Third Party Risk Institute and former third-party risk executive at several North American banks, says the guidance provides “more meat on the bones than anybody has ever seen before”, and urges banks to thoroughly analyse it.

While compliance may appear challenging for FDIC- and Fed-regulated banks, Brian Kostek, managing director of regulatory risk at Protiviti and a former OCC bank examiner, says banks need not treat it as rigid law and strive for a “perfect one-to-one match” in their risk management programs.

He also suggests OCC-regulated banks should not expect significant changes, as the guidance largely builds upon previous OCC regulatory materials.

“That said, you should still do an assessment of your third-party risk management program to see if there’s any gap or pitfalls against the guidance,” he adds.

Focus on fintech

While the guidance is applicable to all third-party relationships, it explicitly highlights the risks of bank-fintech partnerships—in direct response to comments received on the initial proposed guidance. Many respondents expressed concerns about the growing reliance of banks on third-party fintech companies for technological advancements and innovations.

“The agencies recognize that some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements,” notes the final guidance, and warns that: “Depending on the specific circumstances, including the activities performed, such relationships may introduce new or increase existing risks to a banking organization.”

Some sources believe the emphasis on fintech partnerships indicates regulators have already conducted a thorough review on this front. In other words, fintech companies should expect increasing requests from their partnering banks and heightened scrutiny from these regulatory bodies in the coming months.

John DelPonti, managing director at BRG’s financial institution advisory practice, foresees a growing number of banks terminating their fintech partnerships due to the substantial cost of compliance. He says one of the major challenges for banks lies in effectively articulating the risks posed by fintech, particularly when many of these companies are at early stages and lack comprehensive evaluation materials.

The head of third-party risk management at the US bank, however, says the risk management of fintech should be no different to that of other third-party relationships.

“To comply with the guidance, you do not need to build a separate program for fintech,” he says. “The right approach should be developing a program that applies to all vendors offering innovative technology solutions.”

A senior operational risk manager, who has worked at several global banks, echoes this point, emphasizing that while the guidance explicitly highlights fintech relationships, it does not imply that banks should single them out during the risk management process.

Regulators use fintech partnerships as an example, probably because it is something new and frequently brought up by commenters,” he says. “Banks should be careful not to overinterpret it.”

Due diligence demands

For conventional third-party providers, banks believe the due diligence requirements might be the most challenging aspect of the new guidance. Regulators expect banks to thoroughly examine and understand their third-party vendors—including, but not limited to, their business strategy, financial condition, internal risk management and information security.

In response to the 2021 consultation, many banks raised concerns that third-party vendors are often unwilling to provide detailed information for confidentiality and competitive reasons. In response to the comments received, the final guidance acknowledges these challenges but does not reduce regulatory expectations. Incorporating concepts from the OCC’s FAQs 14 and 24, it advises banks to consider information from various sources, such as public regulatory disclosures.

Regulators have also added specifications beyond the original OCC rules. Notably, the final guidance provides details on how banks should perform due diligence on the legal and regulatory compliance of third-party vendors by comprehensively evaluating their ownership structures, exposure to sanctions, and responsiveness to compliance issues.

Third Party’s Tuck Chapman thinks the guidance sets the “highest possible standard” that is extremely challenging for banks to achieve. Regarding the agencies’ expectation on banks to examine third parties’ ownership structures, for example, she says no single financial institution she’s contacted currently evaluates the ultimate beneficial owner.

A senior model development manager at a second global bank says banks will need to reconsider their third-party relationships if vendors fail to provide critical information such as ownership structure. He says a unified and strong stance among banks will enhance their negotiation power in the long run.

Speaking on a panel at the Commodity Futures Trading Commission on July 18, Kevin Greenfield, deputy comptroller for operational risk policy at the OCC, emphasized that it is banks’ ultimate responsibility to secure their services and products, which is also the leading principle behind the guidance.

“You can outsource the activity, but you cannot outsource the responsibility,” he says.

In response to comments that banks should be allowed to perform less stringent due diligence for certain types of third parties, the final guidance reiterates its risk-based, tailored approach—a recurring theme throughout the document, underscoring that the scope and degree of due diligence should be determined by the level of risk and complexity of each third-party relationship.

Too often people overreact to these guidelines and start rigidly requesting vendors to provide exactly these five or ten documents

Brian Kostek, Protiviti

Protiviti’s Kostek says banks should view the guidance as a tool to enhance their understanding of partnered vendors and establish productive collaboration, rather than demanding vendors for every piece of information mentioned in the document.

“Too often people overreact to these guidelines and start rigidly requesting vendors to provide exactly these five or 10 documents,” he says. “And if the vendors cannot offer the information, they think it is going to be an issue. Every vendor treats these requirements differently, and it is important for banks to set reasonable expectations based on their own third-party relationships.”

Sources say it is still unclear how the guidance will be translated into practical supervision and examination. While it offers a certain level of flexibility that the industry seeks, the senior operational risk manager calls for greater clarity on how regulators plan to assess the complexity and the materiality of third-party relationships.

“The current guidance leaves room for interpretation,” he says. “Unfortunately, you will see banks and regulators spend most of their time debating how they define the complexity of relationships.”

Kostek, meanwhile, offers some pragmatic advice. “Take a deep breath and really think about what you need to do to address themes of the guidance within your risk management function, and then go from there,” he says. “The guidance is here to assist—there’s no need to try and meet every line overnight.”