Regulators to Harmonize How Banks Address Fintech and Service Provider Risk Management

Last week, the federal banking agencies—Federal Reserve Board (Board), Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC)—issued proposed interagency guidance ("Proposal") on risk management for banks and their third-party relationships. As part of the Proposal, the agencies have requested information and comments from industry and the public.

The nondescript term "third-party relationships" covers a wide swath of vendor and outsourcing activities, including everything from a bank's janitorial contractors to the sophisticated service agreements banks use to support fintech platforms. The Proposal provides an opportunity for banks and fintech companies alike to help shape an effective risk management framework that is harmonized across the banking agencies—something that has been lacking among the regulators.

Summarized below are key takeaways from the Proposal, which was published in the Federal Register on July 19, 2021.

Key Themes

Opportunity

The Proposal is an opportunity for participants in the banking and fintech ecosystems to highlight challenges and issues, including any unnecessary regulatory burdens imposed on bank-fintech relationships. As a joint issuance from the banking agencies, the Proposal contains guidance that uniformly impacts all insured depository institutions other than credit unions, given that the National Credit Union Administration did not join the Proposal.

Harmonization

Currently, each of the federal banking agencies has its own version of third-party risk management guidance, including the FDIC's Guidance for Managing Third-Party Risk (2008), the OCC's Third-Party Relationships: Risk Management Guidance (2013), and the Board's Guidance on Managing Outsourcing Risk (2013).

While existing agency guidance materials generally address similar issues, there is divergence in the approach and focus of each agency, which often creates confusion and difficulties for vendors and fintechs working with multiple banks. The agencies are using the OCC's risk management guidance as the baseline to create a single, harmonized guidance document that will be applicable to all insured depository institutions (except credit unions).

Modernization

By technology standards, the agencies' current guidance materials are ancient. The OCC's version, which is being used as the model, is eight years old. Meanwhile, the FDIC has not updated its guidance since the original iPhone's first birthday. The Proposal recognizes that the nature and scope of bank outsourcing relationships with third parties have changed dramatically during this time.

Furthermore, none of the agencies envisioned the types of arrangements that are now instrumental to the fintech ecosystem. Thus, the Proposal provides the opportunity for a much-needed facelift to existing third-party vendor risk management guidance.

Coordination

After a few years of chilly interagency relationships, the Proposal appears to be a good sign for the return of interagency collaboration and cooperation among the Board, OCC, and FDIC. This could bode well for the future of other rulemakings, such as updated Community Reinvestment Act regulations, where the agencies' long history of joint action and uniform rulemaking activities appears to be at an end.

Principles and Scale

A common theme highlighted in the Proposal is that a bank's risk management procedures should apply to every third-party service provider relationship, regardless of size. The Proposal references principles that can be scaled to address a wide range of business arrangements. The Proposal directs banks to tailor their risk management practices for each third-party service provider relationship to reflect the nature, complexity, and criticality of the service being performed for, or on behalf of, the bank.

Highlights

While the Proposal takes an approach substantially similar to that set forth in the OCC's 2013 guidance, there are some notable additions in the Proposal not found in the original guidance, including the following:

Planning Guidance for Third-Party Relationships

"As with all other phases of the third-party risk management life cycle, it is important for planning and assessment to be performed by those with the requisite knowledge and skills. A banking organization may involve experts across disciplines, such as compliance, risk, or technology officers, legal counsel, and external support where helpful to supplement the qualifications and technical expertise of in-house staff."

Consideration of Gaps in Due Diligence

"In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party. For example, the third party may not have a long operational history or demonstrated financial performance. In such situations, it is important to identify limitations, understand the risks, consider how to mitigate the risks, and determine whether the residual risks are acceptable."

Guidance for the Use of Third Parties to Assist in Due Diligence

"In order to facilitate or supplement a banking organization's due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations, or engage in joint efforts for performing due diligence to meet its established assessment criteria. . . . Use of such external services does not abrogate the responsibility of the board of directors to decide on matters related to third-party relationships involving critical activities or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations."

Information Security Considerations

"Consider the extent to which the third party uses controls to limit access to the banking organization's data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management."

Long Term Considerations for Operational Resilience

"Consider risks related to technologies used by third parties, such as interoperability or potential end of life issues with software programming language, computer platform, or data storage technologies that may impact operational resilience."

Recognition That Smaller Banks May Have Limited Negotiating Power

"In situations where it is difficult for a banking organization to negotiate contract terms, it is important for the banking organization to understand any resulting limitations, determine whether the contract can still meet the banking organization's needs, and determine whether the contract would result in increased risk to the banking organization. If the contract would not satisfy the banking organization's needs or would result in an unacceptable increase in risk, the banking organization may wish to consider other third parties for the service. Banking organizations may also gain advantage by negotiating contracts as a group with other users."

Emphasis That Banks Must Have Access to Their Own Data

"Confirm that the contract sufficiently addresses . . . The ability of the institution to have unrestricted access to its data whether or not in the possession of the third party . . . [and the] ability for the banking organization to access native data and to authorize and allow other third parties to access its data during the term of the contract."

Conclusion

These highlighted sections are among the issues that banks and fintech firms may want to address in commenting on the Proposal. In addition, the Proposal provides an opportunity for suggesting additional changes, addressing other issues, and responding to any of the 18 questions posed by the agencies with regard to how the Proposal could be improved.