The FDIC is proposing guidance that will affect marketplace lenders and their banking partners. On July 29, 2016, the FDIC issued FIL-50-2016, which seeks comment on proposed Guidance for Third-Party Lending for FDIC-supervised institutions when lending through a business relationship with a third party. The guidance would apply to all FDIC-supervised institutions that engage in third-party lending, regardless of asset size.
What Is Third-Party Lending?
The proposed guidance defines third-party lending as an arrangement that relies on a third party to perform a significant aspect of the lending process. This includes institutions originating loans for third parties; institutions originating loans through third parties or jointly with third parties; and institutions originating loans using platforms developed by third parties. These include marketplace lending companies with bank partnerships.
Due Date for Comments
Comments are due October 27, 2016 and should be sent to firstname.lastname@example.org.
The FDIC is seeking comment on the following topics:
- the definition of third-party lending and scope of the guidance
- potential risks arising from the use of third-party lending programs
- elements of third-party lending risk management programs
- supervisory considerations
- examination procedures.
The proposed guidance would replace previous third-party guidance and greatly expand its scope to include activities conducted through third-party lending relationships. The proposed guidance states that the FDIC would evaluate lending activities conducted through third-party relationships as though the activities were performed by the institution itself. This is important, because an institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, including those with market lending platforms, and for identifying and controlling the risks arising from those relationships. In addition, the proposed guidance says that institutions that engage in new or significant lending activities through third parties will generally receive increased supervisory attention.
The proposed guidance outlines numerous risks that may arise or be heightened based on the use of third parties by financial institutions. They include:
- Strategic Risk – risk arising from adverse business decisions
- Operational Risk – risk of a loss resulting from inadequate or failed internal processes, people, and systems
- Transactional Risk – risk arising from problems with service or product delivery
- Pipeline and Liquidity Risk – risk associated with transactions failing to be consummated and funded as expected
- Model Risk – risk occurring when a financial model used to generate or value transactions does not perform the task or capture the risk it was designed to, especially when third-party lending models are used that are not adequately understood by financial institutions
- Credit Risk – risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements or otherwise perform as agreed
- Compliance Risk – risk arising from violation of laws, rules, or regulation, or from noncompliance with internal policies or procedures or with the institution’s business standards
- Consumer Compliance Risk – risk arising in numerous areas related to lending activities, including fair lending, debt collection, credit reporting, privacy, and unfair and deceptive acts or practices
- Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Risk – risk arising from relying on a third party to conduct any aspect of BSA/AML, such as customer information collection, due diligence, and suspicious activity monitoring and reporting.
Third-Party Lending Risk Management Program
To manage the risks identified by the FDIC, the proposed guidance requires institutions to establish a third-party lending risk management program and compliance management system that is commensurate with the significance, complexity, risk profile, transaction volume, and number of third-party lending relationships the institution has. Institutions engaging in third-party lending activities would need a process for evaluating and monitoring third-party lending relationships. The process described in the proposed guidance includes four elements: 1) risk assessment; 2) due diligence in selecting a third party; 3) contract structuring and review; and 4) oversight.
Developing a Third-Party Lending Risk Management Program
According to the proposed guidance, institutions should incorporate third-party lending activities into their strategic planning process and establish clear risk tolerance limits around the size of the overall program. This includes ensuring the proper management, expertise, and staffing to conduct due diligence and manage the third-party lending relationships.
Third-Party Lending Policies
The proposed guidance requires that third-party lending programs, developed by management and approved by the institution’s board, should at a minimum:
- establish limits as a percent of total capital for each third-party arrangement and for the program overall, relative to origination volumes, credit exposures (including pipeline risk), growth, loan types, and levels of credit quality (such as delinquency, losses, and charge-offs)
- establish responsibilities, authorities, and approval requirements for selecting individual third-party lending relationships
- establish minimum performance standards for third parties, requirements for independent reviews of each third party, and a program for management oversight of each third-party arrangement
- establish monitoring, both for individual third parties and as part of the institution’s overall lending activity, to identify, assess and mitigate risks, such as fair lending
- establish reporting processes (including board reporting)
- require access to data or other program information
- define permissible loan types
- establish credit underwriting, administration and quality standards
- establish a consumer complaint process that provides for timely identification and resolution of complaints, complaint monitoring and periodic reporting
- address capital and liquidity support and allowance for loan and lease loss considerations
- ensure that the institution’s compliance officer has the necessary authority, accountability, and resources needed to perform his or her responsibilities, and ensure that he or she has the knowledge and understanding of relevant consumer protection laws and regulations that apply to the third-party lending arrangements
- maintain an adequate training program that incorporates laws, regulations, guidance, and policies and procedures, and ensure appropriate training is provided to relevant third-party personnel.
Elements for Evaluating and Monitoring Third-Party Relationships
For evaluating potential third-party relationships, the proposed guidance places a priority on risk assessments as part of the initial decision to enter into a third-party relationship. Management would need to fully understand and assess the benefits, costs, and potential risks associated with the third-party relationship before entering into it, and conduct a new risk assessment if a third party changes its operations or the institution’s lending operations change over time. The scope of the review, due diligence, and oversight should be commensurate with the risk of the relationship activities. The proposed guidance lists minimum expectations for due diligence and oversight that include:
- policies and procedures
- credit quality of loans solicited or underwritten by the third party
- system of internal controls and extent of internal and external audit
- knowledge and experience of management and staff, particularly firm principals
- repurchase activity and volume
- management information systems
- compliance management systems
- results of the institution’s monitoring of its third-party data
- consumer complaints received
- information security program to protect consumer information
- litigation or enforcement actions
- earnings strength and adequacy of capital
- stability of funding sources and back-up sources of liquidity.
Additionally, institutions would be expected to perform ongoing oversight of their third-party operations, including an audit or other independent verification of the third party’s compliance with policies, procedures, contracts, guidance, regulations, and applicable laws. Institutions should periodically test a sample of transactions and conduct inspections to assess adequacy and compliance of the third party’s operations, the guidance said.
The proposed guidance said that institutions should have a full understanding of the models used by third parties in lending arrangements. This can be done by reviewing model development documentation and independent model validation, ongoing monitoring, outcome analysis, annual review, and audits before model use, and periodically after implementation.
The FDIC proposes that institutions also assess the adequacy of the third party’s vendor management or third-party risk management process as part of the risk assessment. This includes transaction testing and site visits to the third party’s vendors if the relationship is large or significant.
Contract Structuring and Review
According to the FDIC, third-party lending relationships and loan sale/purchase agreements should be governed by written contractual agreements that plainly establish the rights and responsibilities of the parties. For third-party arrangements specifically, the following should be incorporated and considered:
- Indemnification, representations, warranties, and recourse terms should limit the institution’s exposure and should not expose the institution to substantial risk.
- Legal counsel should analyze the program and agreements to identify legal risk, and provide an opinion concerning any potential recourse to the institution.
- Agreements should not limit the institution’s ability to sell loans to another entity if the third party is unable to purchase loans under the agreement.
- Termination rights should be sought for excessive risk exposure, material deterioration in the institution’s or third party’s financial condition, or if required by the state regulators or the FDIC.
- Contracts should provide the institution full discretion and authority to require the third party to implement policies and procedures for any function or activity it outsources to the third party, or that are integral to joint activities with the third party.
- Contracts should allow the institution to have full access to any information or data necessary to perform its risk and compliance management responsibilities, including access to loan performance data, internal and external audits, and funding information.
- Contracts should include protections for the institution due to a third party or subcontractor’s negligence, such as insurance.
Supervisory Considerations for Third-Party Lending Relationships
The following issues must be considered by institutions under the proposed guidance:
- Credit Underwriting – The credit underwriting and administration standards must be established by the institution and not the third party. The institution should establish a process to ensure that loan approvals by the third party comply with the institution’s standards. This should include ongoing monitoring of loans and performance compared with projections.
- Loss Recognition – The board and management are expected to identify adversely classified loans and promptly charge off loans deemed uncollectable.
- Subprime Programs – The interagency Expanded Guidance for Subprime Lending Programs (Subprime Guidance) and the FDIC’s Guidelines for Payday Lending apply if third-party lending arrangements include subprime lending programs. Usually, the Subprime Guidance only applies when the aggregate credit exposure is greater than or equal to 25 percent of tier 1 capital, but for third-party lending arrangements, all subprime programs must follow the Subprime Guidance. The proposed guidance also prevents exclusions for bank-defined prime lending programs that allow for credit underwriting standards with subprime characteristics.
- Capital Adequacy – Institutions engaged in third-party lending arrangements should determine the amount and level of capital necessary to reflect the risk in the third-party lending program. Institutions engaged in significant third-party lending activities are expected to maintain capital well above regulatory minimums. For subprime third-party lending, those institutions are expected to comply with heightened capital requirements.
- Liquidity – Institutions should maintain appropriate liquidity to reflect the funding risk in the institution’s third-party lending program. This includes having an appropriate back-up funding arrangement to address pipeline risk.
- Profitability – Institutions should project and budget costs and earnings of each relationship and for third-party lending programs overall before entering into relationships and periodically thereafter.
- Accounting and Allowance for Loan and Lease Losses – An appropriate allowance for loan and lease losses should be maintained in accordance with GAAP.
- Consumer Compliance – The institution is ultimately responsible for ensuring all aspects of third-party lending activities comply with consumer protection and fair lending requirements to the same extent as if the activities were handled within the institution itself. In addition, the institution should have systems in place to ensure third parties used by the institution have the appropriate authority to conduct business on behalf of the institution, such as appropriate licenses.
- BSA/AML – If the institution relies on a third party to perform a BSA/AML function on its behalf, the institution is still ultimately responsible for the third party’s compliance with the BSA/AML requirements.
- Safeguarding Customer Information – Institutions must ensure that customer information is safeguarded when held by third parties. Specifically, they must comply with interagency guidelines under the Gramm-Leach-Bliley Act.
Examination Procedures for Third-Party Lending Relationships
Examiners will assess third-party lending relationships in accordance with the proposed guidance and other applicable guidance, regulations and laws. For institutions with significant third-party lending program relationships, the examination cycle will be at least every 12 months, and include concurrent risk management and consumer protection examinations. Examiners also will conduct targeted examinations of significant third-party lending arrangements and may also conduct targeted examinations of other third parties where authorized.
- This proposed guidance is another example of the FDIC continuing to raise the bar for marketplace lenders’ relationships with FDIC-insured banks. The FDIC has a negative view of the risks associated with marketplace lending, as evidenced by its November 6, 2015 Financial Institution Letter FIL-49-2015, which addressed the underwriting and credit risks associated with purchased loans and loan participations from third parties. More recently, in the February 1, 2016 issue of Supervisory Insights, the agency discussed the specific risks that banks need to consider when dealing with marketplace lending companies, including third-party risk, compliance risk, transaction risk, servicing risk and liquidity risk, as well as specific due diligence recommendations.
- This guidance is particularly important for marketplace lenders that follow the bank partnership model, and will provide a roadmap for how banks will approach third-party lending arrangements, risk management and compliance. This will certainly play a role in whether marketplace lenders partner with a bank or become licensed lenders.
- Because this guidance would apply to all FDIC-supervised institutions that engage in third-party lending regardless of size, smaller institutions must comply with the additional burdens associated with this proposed guidance to the same extent as larger institutions, in particular the shortened examination cycle.