Bank Regulators Seek Guidance on Fintech Regulation

By Natalie Decoste

Three government agencies that oversee banking regulations are seeking public comments on a new regulation involving a risk management framework for third-party relationships.

The Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) are seeking comments on their newly proposed regulation. The new rule would offer a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships. This framework would assess the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.

The proposed guidance from the three agencies is based on the OCC’s existing third-party risk management guidance from 2013. The new version includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies in 2021.

The third parties referred to in the proposal include vendors, fintech companies, affiliates, and banking organizations’ holding companies. According to the guidance document, a third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise. These relationships may exist despite a lack of a contract or remuneration.

Banks and financial institutions routinely partner with third parties, such as fintech companies, to offer their customers an expanded variety of innovative products and services. Banks can offer products or services that would otherwise be too difficult, cost-prohibitive, or time-consuming to develop internally through these third-party relationships.

By using third parties, management at financial institutions may have reduced control over activities, and the third parties may introduce new risks or increase existing risks. The risks that the three agencies are concerned with include operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks. These issues can arise from greater complexity, ineffective risk management by a banking organization, and inferior performance by the third party.

“Banking organizations should have effective risk management practices whether the banking organization performs an activity in-house or through a third party. A banking organization’s use of third parties does not diminish the respective responsibilities of its board of directors to provide oversight of senior management to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations, including those related to consumer protection,” read the proposal.

While risk is a significant concern when financial institutions partner with third parties, these partnerships also allow banks to meet the banking needs of underbanked or underserved consumers. The proposed guidance notes that these partnerships enable companies to offer savings, credit, financial planning, or payments to increase consumer access.

The proposed guidance lays out considerations related to the management of risks arising from third-party relationships. Should the regulation be enacted, the framework would replace each agency’s existing guidance on this topic and be directed to all banking organizations supervised by the agencies.

“They have been seeing this in their exams and the advance of technology, so there is an increase of use of third parties with these innovative products and the new technology. That could be a concern—where there is something new, there are always heightened concerns in how you manage those risks,” said David Schwartz, president, and chief executive of Florida International Bankers Association.