On July 29, 2016, the Federal Deposit Insurance Corporation (FDIC) proposed examination guidance on third-party lending arrangements (Proposed Guidance)1 to supplement the FDIC’s existing “Guidance for Managing Third-Party Risk” (Existing Guidance).2 The Proposed Guidance would apply broadly to any lending arrangement where a third party “perform[s] a significant aspect of the lending process,” including a wide range of support activities from marketing, to underwriting, to customer service and collections. Categories of lending particularly targeted by the Proposed Guidance include: (i) origination of loans for third parties; (ii) origination of loans through third-party lenders or jointly with third-party lenders; and (iii) origination of loans using third-party platforms. Thus, a broad swath of loan programs, including marketplace lending, private-label and co-branded credit cards, automobile lending and basic mortgage lending may be affected.
In addition to consolidating already established regulatory requirements concerning third-party relationship management, the Proposed Guidance highlights specific expectations concerning third-party lending and emphasizes that “[i]nstitutions that engage in new or significant lending activities through third parties will generally receive increased regulatory attention.”3 Interested parties may submit comments on the proposal to the FDIC by September 12, 2016.
Risks Particular to Third-Party Lending and Resulting Regulatory Expectations
The Proposed Guidance is based on the broad risk categorizations articulated in the Existing Guidance (strategic, reputation, operational, transaction, credit, compliance and “other”) but expands upon this prior guidance to focus on areas of particular concern for third-party lending relationships.
- Strategic Risk: A key strategic risk highlighted by the FDIC is the potential misalignment of incentives between the insured institution and its third-party relationship.
- Operational Risk: The Proposed Guidance notes that heightened concerns are raised when employees of the third parties operate at remote locations that are not under direct supervision of the insured institution.
- Transaction Risk: Several aggravating factors are noted in the section addressing transaction risk, including: potential lack of adequate resources at the third party to manage the institution’s requirements; insufficient resources to manage supervisory expectations and applicable laws and regulations; or reliance by the insured institution on the third party to perform the institution’s own business processes.
- Pipeline and Liquidity Risk: While “liquidity” is an “other” risk mentioned in passing in the Existing Guidance, it is an area of significant focus in the Proposed Guidance. The FDIC indicates that banks may face liquidity risk if they are dependent on selling loans to a third party through a pipeline and the third-party purchaser experiences conditions that make it unable to purchase loans.
- To mitigate this risk, financial institutions are advised to develop a “back-up” purchaser and ensure their contractual agreements permit selling to another party in the event the intended third party is unable to purchase. This expectation may prove challenging in the context of lending programs that place limitations on portfolio transfers for a variety of valid reasons.
- The FDIC also suggests that if the institution relies on cash collateral, it is expected to document how the collateral level was deemed appropriate, document the accessibility of the collateral and have a written process in place for periodically reanalyzing these assessments.
- Model Risk: The FDIC expresses concern about the reliance of certain banks on third-party credit models and notes that some banks are “highly dependent” on such models. The FDIC suggests that certain institutions may not sufficiently understand the formulas underlying these models.
- The FDIC encourages financial institutions to ensure that third-party models are independently verified both prior to and after implementation.
- The FDIC also suggests these models may be particularly subject to fair lending risk given the limited history of some models in the marketplace.
- Credit Risk: Broadly, the FDIC is concerned that the interests of third parties may not be aligned with financial institutions when determining whether a borrower should be approved for credit because of fee based transactional models that incentivize originators to emphasize volume over credit quality or the funding of transactions where the third party is providing a related product, such as during a retail sale. Given these concerns, the FDIC emphasizes that credit underwriting standards must be established by the financial institution, not the third party.
- Compliance Risk: The FDIC also highlights compliance risks in the areas of fair lending, debt collection, credit reporting, privacy, unfair and deceptive acts and practices and anti-money laundering/Bank Secrecy Act (AML/BSA) issues. The FDIC expects that financial institutions will independently monitor and assess these risks and be cognizant of the potential for further elevation of risk arising out of specific products, the depth of third-party involvement, the number of third parties utilized, and the size and volume of the third-party lending program, particularly in relation to the effectiveness of the institution’s own compliance management system.
As with other third-party relationships, the Proposed Guidance indicates that lenders should have a strong risk management program for third-party lending arrangements. The program should include long-term strategic planning, detailed policies (that at a minimum include a dozen required elements), an initial risk assessment of each relationship based on comprehensive diligence, ongoing oversight (the scope and frequency of review tailored to volume and risk), and a variety of newly detailed contract requirements (including discretion to require the third party to implement bank policies and procedures, access to information for risk management and compliance, and a legal “opinion” concerning any potential recourse to the institution). Among other things, the Proposed Guidance highlights that:
- Clear limits should be developed and documented for each third-party program and for all of a bank’s third-party programs in their totality. These limits should detail restrictions on the percentage of capital devoted to such arrangements, the proportion of individual loan types in a portfolio and the relevant credit criteria that define these loan types.
- Ongoing oversight should include periodic audits, transaction testing and site visits.
- A detailed review of any external credit models should be performed.
- Third parties’ vendor management process should be assessed. Financial institutions need to be concerned not only with their own vendors but also with the vendors of third parties with whom they have a lending relationship.
Role of the Board
The Proposed Guidance continues with the recent regulatory trend of imposing additional compliance obligations on boards of directors. The Proposed Guidance indicates that in addition to approving third-party lending policies, boards should receive regular reporting on the oversight of third parties, including the results of audits, transactional testing and site visits.
For institutions with significant third-party lending relationships, the FDIC will examine at least every 12 months. Examinations may occur more frequently if a lender experiences significant increases in volume, experiences significant increases in the number of relationships it has with third parties, relies on third-party lending as a material aspect of its operations, or has weaknesses identified in its risk management program. Specific supervisory focus will be applied to:
- Credit underwriting and administration, particularly the requirements that standards be established by the institution, not the third party, and compliance with subprime lending guidance.
- Loss recognition, allowance for loan and lease losses, consumer compliance, AML/BSA, and safeguarding customer information.
- Capital adequacy, including a statement that “[c]apital assessments based on loan volume without consideration of loans originated and sold and associated risk are insufficient.” (It is unclear whether this statement is intended to create new capital obligations beyond existing regulatory capital guidance.)
- Liquidity, including a back-up funding and sensitivity analysis to determine the potential impact of a delay or halt in loan sales.
- Profitability, i.e., institutions must be able to demonstrate that fees are supportable and provide the institution with “an acceptable risk-adjusted return.”
In summary, the Proposed Guidance signals a further uptick in regulatory concern regarding third-party relationships, and will likely require FDIC-regulated institutions to supplement existing policies, procedures and controls in the area. Institutions involved in affected relationships, as well as third parties that rely on bank lending partners, should consider commenting on the more troublesome aspects of the Proposed Guidance.