

On July 29 2016 the Federal Deposit Insurance Corporation (FDIC) proposed examination guidance on third-party lending arrangements to supplement its existing Guidance for Managing Third-Party Risk.(1) The proposed guidance would apply broadly to any lending arrangement where a third party "perform[s] a significant aspect of the lending process", including a wide range of support activities from marketing to underwriting, customer service and collections. Categories of lending particularly targeted by the proposed guidance include the origination of loans:

  • for third parties;
  • through third-party lenders or jointly with third-party lenders; and
  • using third-party platforms.

This may affect a swathe of loan programmes, including marketplace lending, private-label and co-branded credit cards, automobile lending and basic mortgage lending.

In addition to consolidating established regulatory requirements concerning third-party relationship management, the proposed guidance highlights specific expectations concerning third-party lending and emphasises that "[i]nstitutions that engage in new or significant lending activities through third parties will generally receive increased regulatory attention". Interested parties may submit comments on the proposal to the FDIC by September 12 2016.

Third-party lending risks and regulatory expectations

The proposed guidance is based on the broad risk categories articulated in the existing guidance (strategic, reputation, operational, transaction, credit, compliance and other) but expands on this to focus on areas of particular concern for third-party lending relationships.

Strategic risk
A key strategic risk highlighted by the FDIC is the potential misalignment of incentives between the insured institution and its third-party relationships.

Operational risk
The proposed guidance notes that heightened concerns are raised when employees of the third parties operate at remote locations that are not under the direct supervision of the insured institution.

Transaction risk
Several aggravating factors are noted in the section addressing transaction risk, including:

  • potential lack of adequate resources at the third party to manage the institution's requirements;
  • insufficient resources to manage supervisory expectations and applicable laws and regulations; and
  • reliance by the insured institution on the third party to perform the institution's own business processes.

Pipeline and liquidity risk
While liquidity is mentioned in passing in the existing guidance under "Other risks", it is an area of significant focus in the proposed guidance. The FDIC indicates that banks may face liquidity risk if they are dependent on selling loans to a third party through a pipeline and the third-party purchaser experiences conditions that make it unable to purchase loans. To mitigate this risk:

  • Financial institutions are advised to develop a back-up purchaser and ensure their contractual agreements permit selling to another party in the event that the intended third party is unable to purchase. This expectation may prove challenging in the context of lending programmes that place limitations on portfolio transfers for a variety of valid reasons.
  • The FDIC also suggests that if the institution relies on cash collateral, it is expected to document how the collateral level was deemed appropriate and the accessibility of the collateral. The institution should also have a written process in place to periodically reanalyse these assessments.

Model risk
The FDIC expresses concern about the reliance of certain banks on third-party credit models and notes that some banks are "highly dependent" on such models. The FDIC suggests that certain institutions may not sufficiently understand the formulae underlying these models and so it encourages financial institutions to ensure that third-party models are independently verified both prior to and after implementation. The FDIC also suggests that these models may be particularly subject to fair lending risk given the limited history of some models in the marketplace.

Credit risk
The FDIC is concerned that the interests of third parties may not be aligned with financial institutions when determining whether a borrower should be approved for credit. This is because fee-based transactional models can encourage originators to emphasise volume over credit quality or the funding of transactions where the third party is providing a related product, such as during a retail sale. Given these concerns, the FDIC stresses that credit underwriting standards must be established by the financial institution and not by the third party.

Compliance risk
The FDIC highlights compliance risks in the areas of fair lending, debt collection, credit reporting, privacy, unfair and deceptive acts and practices and anti-money laundering/Bank Secrecy Act issues. The FDIC expects that financial institutions will independently monitor and assess these risks and be cognizant of:

  • the potential for further elevation of risk arising from specific products;
  • the depth of third-party involvement;
  • the number of third parties used; and
  • the size and volume of the third-party lending programme, particularly in relation to the effectiveness of the institution's own compliance management system.

Risk management

As with other third-party relationships, the proposed guidance indicates that lenders should have a strong risk management programme for third-party lending arrangements. The programme should include:

  • long-term strategic planning;
  • detailed policies that include at least a dozen required elements;
  • an initial risk assessment of each relationship based on comprehensive diligence;
  • ongoing oversight (the scope and frequency of review tailored to volume and risk); and
  • a variety of newly detailed contract requirements. These requirements include discretion to require the third party to implement bank policies and procedures, access to information for risk management and compliance, and a legal opinion concerning any potential recourse to the institution.

Among other things, the proposed guidance highlights the following points:

  • Clear limits should be developed and documented for each third-party programme and for all of a bank's third-party programmes in their totality. These limits should detail restrictions on the percentage of capital devoted to such arrangements, the proportion of individual loan types in a portfolio and the relevant credit criteria that define these loan types.
  • Ongoing oversight should include periodic audits, transaction testing and site visits.
  • A detailed review of any external credit models should be performed.
  • Third parties' vendor management process should be assessed. Financial institutions need to be concerned not only with their own vendors, but also with the vendors of third parties with which they have a lending relationship.

Role of the board

The proposed guidance continues with the recent regulatory trend of imposing additional compliance obligations on boards of directors. The proposed guidance indicates that in addition to approving third-party lending policies, boards should receive regular reporting on the oversight of third parties, including the results of audits, transactional testing and site visits.


For institutions with significant third-party lending relationships, the FDIC will examine at least every 12 months. Examinations may occur more frequently if a lender:

  • experiences significant increases in volume or the number of relationships it has with third parties;
  • relies on third-party lending as a material aspect of its operations; or
  • has weaknesses identified in its risk management programme.

Specific supervisory focus will be applied to:

  • credit underwriting and administration, particularly the requirements that standards be established by the institution, not the third party, and compliance with subprime lending guidance;
  • loss recognition, allowance for loan and lease losses, consumer compliance, anti-money laundering/Bank Secrecy Act and protection of customer information;
  • capital adequacy, including a statement that "[c]apital assessments based on loan volume without consideration of loans originated and sold and associated risk are insufficient" (it is unclear whether this statement is intended to create new capital obligations beyond existing regulatory capital guidance);
  • liquidity, including a back-up funding and sensitivity analysis to determine the potential impact of a delay or halt in loan sales; and
  • profitability – that is, institutions must be able to demonstrate that fees are supportable and provide the institution with "an acceptable risk-adjusted return".


The proposed guidance signals a further uptick in regulatory concern regarding third-party relationships and will likely require FDIC-regulated institutions to supplement existing policies, procedures and controls in this area. Institutions involved in affected relationships, as well as third parties that rely on bank lending partners, should consider commenting on the more troublesome aspects of the proposed guidance.

For further information on this topic please contact David E Teitelbaum, John K Van De Weert or Sean A Smith at Sidley Austin LLP by telephone (+1 202 736 8000).


(1) For discussion of several legal concerns regarding the guidance, please see this link.