On July 13, 2021, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation issued proposed supervisory guidance to help banking organizations manage risks associated with third-party relationships, including fintechs. If adopted, the guidance would be the first time the agencies have jointly issued guidance specifically targeting banks’ relationships with fintechs and nonbank firms and the “elevated risks” they present to banking organizations and their customers.
The guidance covers six areas of risk management for a third-party relationship’s “life cycle”: (i) planning, (ii) due diligence and selection, (iii) contract negotiation, (iv) oversight and accountability, (v) ongoing monitoring, and (vi) contingency planning and termination. As part of sound risk management, banking organizations are expected to engage in more comprehensive and rigorous oversight and management of third-party relationships that support “critical activities,” which are described as significant bank functions or other activities that: could cause a banking organization to face significant risk if the third party fails to meet expectations, could have significant customer impacts, require significant investment in resources to implement the third-party relationship and manage the risk, or could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.
Much of the proposed guidance sets forth principles and themes that the banking regulators have highlighted on other occasions. For example, the proposal identifies a third party’s legal and regulatory compliance, financial condition, qualifications and backgrounds of company principals, operational resilience, information security, and insurance coverage as important topics to address during due diligence. In addition, the proposal identifies audit and notification rights, as well as the ability of a banking organization to terminate the relationship in a timely manner without prohibitive expense, as key areas to be negotiated.
The proposed guidance comes at a time of increased collaboration and partnerships between banking organizations and fintechs. These relationships will continue to attract regulatory scrutiny, making it all the more important for banking organizations to assess their ability to oversee and manage the risks tied to such relationships. Banking organizations should be taking steps now to ensure they have an accurate inventory of all their fintech and other third-party relationships and should consider reviewing the scope and sufficiency of certain contractual protections and other provisions in contracts and other agreements that govern those relationships.