On June 6, 2023, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Comptroller of the Currency (OCC) collectively issued final joint guidance on third-party relationships, which includes Banking as a Service (BaaS) banks and FinTech partnerships. The much anticipated 68 page,15,000+ word document, titled the Interagency Guidance on Third-Party Relationships: Risk Management offers the agencies’ consolidated views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.
In short, regulators have indicated banks should treat third-party platform partners (including Banking as a Service (BaaS) banks and FinTech partners) as digital branches and will be responsible for ensuring proper risk management oversight. The report provides insights and recommendations to help banking executives better navigate and mitigate risks associated with their third-party vendors. These new guidelines also offers guidance to third parties, like BaaS banks and FinTechs who work with Financial Institutions. Read on for what is new with the final guidance and some practical strategies outlined in the report.
Banks who distribute products and services through third-party FinTech partners fall squarely into the scope of this guidance, reinforcing the need for robust FinTech risk management practices to strengthen operations, safeguard customer interests, and enhance reputations. The guidance emphasizes the need for these entities to prioritize thorough due diligence, regulatory compliance, and strong governance structures. By implementing diligent partner evaluation processes, ensuring adherence with regulatory requirements, and establishing effective governance frameworks, these organizations can effectively mitigate risks, demonstrate regulatory compliance, and cultivate trust with customers, partners, and regulatory authorities.
To establish a strong foundation for third-party risk management, the guidance emphasizes the need for financial institutions to undertake thorough due diligence when selecting their partners. This goes beyond simply reviewing financial statements and conducting background checks. It involves a comprehensive assessment of the overall effectiveness of the relationship, ensuring alignment with strategic goals, and considering risk appetite and compliance with laws and regulations. For example, organizations may evaluate the third party's track record in managing similar engagements, their reputation in the industry, and their commitment to cybersecurity and data privacy.
Additionally, due diligence should not be a one-time exercise but an ongoing process. Changes in the third party's business strategy, products and services, financial condition, insurance coverage, and compliance with contractual obligations should be continuously monitored. This can be achieved through regular reviews, site visits, and audits to ensure that the third-party maintains the necessary controls and meets the agreed-upon standards. SRA Watchtower | FinTech Risk Management and Monitoring can solve for this.
Banks may need to terminate third-party relationships for various reasons, such as contractual breaches, performance issues, or strategic decisions to bring activities in-house. The joint guidance notes that proper termination procedures ensure an efficient transition of services and minimize potential disruptions to the organization and its customers.
When developing termination procedures, the guidance calls on organizations to consider effective transition options. This could involve identifying alternative third-party providers or establishing in-house capabilities to replace the outsourced functions. Managing costs and fees is another critical aspect, as termination may incur penalties or require renegotiation of contracts. The guidance points out that organizations should carefully assess the financial impact of termination and plan accordingly.
The agencies also note that handling data retention and destruction is crucial during the termination process. Banks should ensure that sensitive customer information and proprietary data are properly transferred, securely stored, or destroyed in compliance with applicable laws and regulations. Additionally, organizations should address risks associated with intellectual property and customer impact, such as protecting trade secrets or ensuring a seamless transition for customers, according to the new joint guidance.
In the report, the agencies emphasize that an effective governance structure is crucial for robust third-party risk management. The Board of Directors plays a vital role in providing oversight, setting risk appetite, and approving policies related to third-party relationships. Boards should actively engage in understanding the risks associated with these relationships and ensure that appropriate controls and processes are in place.
The guidance also stresses that management is responsible for implementing risk management processes aligned with the organization's risk profile. This includes establishing clear roles and responsibilities, conducting regular risk assessments, and monitoring the performance of third parties. Management should also prioritize ongoing training and awareness programs to ensure that employees understand their responsibilities in managing third-party risks.
Independent reviews play a critical role in assessing the adequacy of the organization's third-party risk management processes, according to the guidance. These reviews can be conducted by internal audit teams or external consultants and help identify gaps, evaluate controls, and recommend adjustments. Documentation and reporting are essential components of effective governance. They demonstrate compliance, support control activities, and facilitate effective internal communication.
The guidance points out that regulatory agencies will evaluate the effectiveness of a banking organization's third-party risk management practices when conducting supervisory reviews. During these reviews, examiners assess various factors, including the ability of management to oversee relationships, the impact of third-party engagements on the organization's risk profile, compliance with laws and regulations, and the remediation of any identified deficiencies.
Supervisory reviews play a crucial role in assigning ratings to banks and highlighting risks to the organization and its stakeholders. It is essential for banking executives to proactively address any identified deficiencies and take corrective actions to strengthen their third-party risk management framework. By demonstrating a proactive approach to managing third-party risks and actively monitoring their FinTech partners, organizations can enhance their reputation, maintain regulatory compliance, and mitigate potential financial and operational risks.
By adhering to the best practices outlined in the Interagency Guidance on Third-Party Relationships: Risk Management, banking executives can ensure their organizations are well-equipped to navigate the complexities of third-party relationships. While in return, third-party partners like BaaS banks or FinTechs can leverage this guidance to ensure they are also operating within the revised guidance and adhere to regulatory requirements to be trusted partners in securing the safety and soundness of the banking community. Incorporating robust due diligence processes, implementing comprehensive ongoing monitoring, establishing efficient termination procedures, and fostering strong governance structures will enable banks to mitigate potential risks and safeguard their future success.
If you are looking for support around third-party risk or FinTech Risk Management, please contact SRA Watchtower today. To access the full Final Guidance report, please refer to the official resources provided by the regulatory agencies below:
• OCC Bulletin 2023-17 | June 6, 2023
• PDF: Final Guidance on Third-Party Risk Management
• FDIC: FIL-29-2023 | June 6, 2023
As a reference here are links to the 2021 guidelines issued by the OCC:
• PDF: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks