U.S. Financial Regulators Continue Focus on Bank-Fintech Partnerships through Guidance and Request for Information

On July 25, 2024, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) issued a joint statement describing potential risks related to banks’ deposit arrangements with fintechs and other third parties. The agencies also published a joint request for information (RFI) seeking input on the risk management practices employed in a wider variety of arrangements between banks and fintechs. These joint actions follow an increase in regulators’ enforcement actions involving bank-fintech arrangements and are the latest step in their efforts to more closely monitor those relationships.

Joint Statement Regarding Bank and Third-Party Deposit Arrangements
The Joint Statement focuses on perceived risks in banks’ arrangements with fintechs and other third parties to provide deposit products and services, such as checking or savings accounts. Although the Joint Statement notes that it does not independently establish new supervisory guidelines, it is an indication that the agencies are preparing to increase scrutiny of these relationships.

The Joint Statement notes that the agencies have observed that partnerships between banks, fintechs and other third parties to provide deposit products and services have grown more complex in recent years, and that this increased complexity also increases certain risks.

For example, banks’ substantial reliance on third parties to manage deposit operations could weaken banks’ own internal controls and management over deposit functions. Similarly, the agencies noted that banks’ reliance on third parties to perform regulatory compliance could raise the risk of banks failing to meet those requirements. In particular, the agencies reiterated that banks retain ultimate responsibility for compliance obligations, regardless of whether functions (such as customer due diligence or suspicious activity reporting) are shared between banks and third parties.

The Joint Statement emphasized that banks should continue to review and implement existing regulatory guidelines, including the Interagency Guidance on Third-Party Relationships: Risk Management that the agencies jointly issued in June 2023. The Joint Statement reiterates that banks should adhere to key risk management principles, including:

  • Risk Assessments. Banks should develop risk assessments to identify and evaluate the risks specific to each arrangement between a bank and third party. Risk assessments should involve the individuals who work across each relevant functional area of the bank and account for the features unique to each arrangement.
  • Defined Roles. Contracts between banks and third parties should clearly define the roles of each party. Banks should address the allocation of responsibility for key obligations, such as customer or end-user relationship management, risk management, due diligence and complaint handling, among others.
  • Active Monitoring. Banks should develop ongoing monitoring practices that can detect issues and are commensurate with the level of risk involved in each arrangement.
  • Risk Contingency Plans. Banks should develop contingency plans that address potential operational disruptions or business failures that could affect an end user or consumer’s access to funds.
  • Oversight and Control Functions. Banks should have adequate policies in place to ensure compliance with applicable anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements, as well as sanctions compliance. Additionally, bank internal controls should mitigate risks inherent in deposit functions. For instance, banks may implement controls with respect to the separation of duties, payment data verification, error processing and problem resolution.
  • Managing Growth and Liquidity Implications. Banks’ deposit arrangements with third parties could result in the banks’ deposit business becoming highly concentrated. Consequently, banks should establish processes to address concentration limits, as well as diversification, liquidity risk management, exit strategies and capital adequacy.
  • Minimizing Misrepresentations. In some instances, end users may not understand the type of account relationship that they’ve established through a non-bank third party, or that such party is not a federally insured depository institution. Banks should maintain procedures regarding the management of deposit-related arrangements and ensure compliance with regulations that prohibit misrepresentations concerning deposit insurance.

Request for Information Concerning Bank and Third-Party Arrangements, including Fintech Partnerships
The FDIC, FRB and OCC are continuing to evaluate whether enhancements to existing guidance are needed to address risks related to bank-fintech arrangements. The agencies issued the RFI to collect input on the benefits, risks and effective risk management practices regarding bank-fintech arrangements and to assist in their evaluation of whether additional guidance may be warranted.

The RFI covers a broader range of services than deposit products, and seeks comment on various bank and third-party arrangements, including:

  • Payment-related fintech arrangements, under which banks may partner with fintech companies that provide fund-transfer services, wire transfers, prepaid services, debit or credit cards, contactless payments, and other payment solutions;
  • Consumer and small business lending arrangements, in which fintech companies facilitate loans through online platforms, or market and distribute loan products; and
  • Intermediate platform provider arrangements, in which fintech companies provide an intermediate technology platform to facilitate relationships between banks and other fintech companies seeking to distribute banking products and services. Such platforms allow banks to connect with multiple fintech companies and provide technological, operational and information services in one centralized platform.

The agencies are seeking public comment to solidify their understanding of how these arrangements currently operate and the effectiveness with which parties perform risk management. Comments are due September 30, 2024.

Collectively, the Joint Statement and RFI are further evidence that the agencies continue to be highly focused on banks’ arrangements with fintechs and other third parties. The parties involved in those arrangements should evaluate their risk management practices in light of these publications and consider implementing enhanced compliance management where warranted.