In recent guidance, US regulators noted they will be keeping an eye on the relationships between banks and financial technology (fintech) firms.
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency — the top regulating agencies in the United States — have issued final guidelines to help banks manage risks associated with their third-party relationships.
Experts find that the most noteworthy undertone of the guidance is the emphasis that regulators place on relationships between banks and financial-technology (fintech) firms.
The last decade has seen dramatic growth in the number of non-bank fintech firms offering innovative products in partnership with regulated financial institutions. This includes firms like Personal Capital, Lending Club, Kabbage, and Wealthfront. The growth has prompted debate among banks and regulators over how these new fintech relationships should be managed to adhere to regulatory obligations and control potential risks.
The joint guidance, issued earlier this month, came collectively from the three agencies and supersedes the existing third-party risk management guidance issued in 2021. The guidance provides principles for effective third-party risk management for all types of relationships, regardless of how they may be structured. At the same time, the agencies acknowledged that banks have flexibility in their approach to assessing the risks posed by each relationship.
“Banking organizations have flexibility in their approach to assessing the risk posed by each third-party relationship and deciding the relevance of the considerations discussed in the guidance,” the agencies stated in the 68-page guidance report.
The new guidance applies to all third-party relationships, or “any business arrangement between a banking organization and another entity, by contract or otherwise,” the agencies noted, adding that such relationships “may exist despite a lack of a contract or remuneration” and can include “outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.”
Implications for fintech partnerships
Legal experts say that the new guidance explicitly pointed out both the benefits and risks of bank-fintech partnerships.
“The agencies recognize that some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements,” the agencies’ report stated. “Depending on the specific circumstances, including the activities performed, such relationships may introduce new or increase existing risks to a banking organization.”
In a note to clients, the consulting firm KPMG observed: “Expect continued supervisory intensity, particularly to large organizations, ‘new or novel structures and features’ such as fintech ‘partnerships’, and services for ‘critical activities’.”
Although the guidance applies only to banking organizations, fintechs that partner or want to partner with banks will need to be aware of the framework the guidance creates, stated law firm Davis Polk in an analysis of the guidance. “For example, fintechs should expect their banking organization counterparties to point to the interagency guidance as the basis for due diligence requests, contract negotiation positions, and the need for ongoing monitoring procedures,” Davis Polk noted in the analysis.
In addition, the scope of relationships covered by the new guidelines is broader than that of existing Federal Reserve guidance, which is “limited to outsourcing relationships with service providers and would not necessarily apply to, for example, partnership arrangements with fintechs,” the law firm stated.
While welcoming the new guidance, some industry participants said that further work was needed to create a system in which fintech firms could be accredited to work with banks given their growing importance in the financial system.
“A new nationwide set of requirements and a system for formal accreditation would even the playing field and establish controls that are better aligned with regulator expectations,” said Adam Hughes, chief executive officer of Amount, a digital banking solutions provider, in a recent interview.
“To help ease and streamline the procurement process for technology providers, a certification of adherence to third-party partner risk management requirements, either by a standards body or by a self-regulatory organization, would provide assurance that a third-party vendor meets the compliance requirements expected by prudential regulators,” Hughes said.