Life of the (Third) Party: Regulators Call for Banks to Examine Fintech Risks in Final Guidance for Third-Party Relationships

Banking organizations are working more closely than ever with financial technology companies (“fintechs”) and other third parties as they aim to expand, stay competitive, and meet consumer expectations. These third-party relationships are interpreted “broadly”¹ and may include outsourced services, the use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and novel structures provided by fintechs.² These relationships can be hugely beneficial to banking organizations and their customers, but they may also present unique risks.

To manage those risks, the nation’s three banking regulators—the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Agencies”)—recently issued final guidance (the “Guidance”),³ amending and finalizing proposed guidance issued in 2021 and clarifying the Agencies' uniform expectations with respect to third-party oversight.⁴ This Guidance aims to spell out third-party risk management expectations that are both consistent—applying to all banks, regardless of which Agency is their primary regulator—and flexible—making allowances for different types of banks and different types of third-party relationships.

Although the Guidance does not impose new requirements—banking organizations will recognize its grounding in the OCC’s 2013 guidance—it offers insight into the Agencies’ perspective on third-party risks, revealing their intent to be flexible in examining relationships with fintechs and highlighting key factors that banking organizations should consider before partnering with third parties and when designing risk management systems and processes.⁵ And while the Guidance does not carry the force of law, it will be consequential for regulated banking organizations and their third-party partners, especially for smaller community banks and fintechs.

The following provides a summary of the relevant takeaways from the Guidance and offers a detailed analysis of its impact on community banks and fintechs.

I. Third-Party Risk Management Framework

A. Uniformity and Consistency

A key goal of the interagency Guidance is to “promote consistency in their third-party risk management guidance”⁶—consistency that has been lacking in the past. Before the Agencies proposed guidance in 2021, each Agency issued its own separate guidance, creating a fractured and inconsistent picture of regulators’ expectations applicable to the banking organizations they regulate.⁷ The Agencies have now determined that the OCC’s 2013 guidance and its related 2020 FAQs provide the most current and comprehensive discussion of third-party risk management for banking organizations. That earlier guidance forms the basis of the final Guidance, which now applies consistently to all banking organizations under the Agencies’ purview.

B. Tailored Risk Management 

Though the Agencies strive for consistency, they also recognize that “[n]ot all relationships present the same level of risk, and therefore not all relationships require the same level or type of oversight or risk management.”⁸ So while the Guidance applies to all banking organizations, it calls for risk management practices and strategies that are tailored—and routinely updated—to the circumstances of each banking organization and each of its third-party relationships.

This means, for example, that a banking organization should have more rigorous oversight and management of third parties that perform higher-risk activities, including what the Guidance refers to as “critical activities.”⁹ While the Agencies defer to management to designate which activities are critical, the Guidance considers those activities to include ones that would expose the banking organization to significant risk if the third party failed to perform and ones that have a significant impact either on customers or on the banking organization’s financial condition or operations.¹⁰ 

C. Life-Cycle Based Risk Management Principles

Like the proposed guidance, the final Guidance includes the five-part life-cycle risk management framework that banking organizations can adapt based on their business and third-party relationships. The stages of this life cycle are discussed below.

1. Planning. The appropriate level of planning will depend upon the entities and activities at issue. For instance, when critical activities are implicated by a potential third-party relationship, presentation to the banking organization’s board of directors may be appropriate during the planning stage. Planning during this process will typically include assessing the risks and benefits of the business arrangement; evaluating the arrangement’s impact on bank employees or customers; thinking through information-security concerns; making an oversight plan; and developing contingency plans.
   
   
2. Due Diligence and Third-Party Selection. The due-diligence process should generally involve an assessment of a third party’s ability to perform under the agreement, to follow required policies and legal requirements, and to conduct business in a safe and sound manner.¹¹ But the “scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship.”¹² When there is greater risk, or when a third party will be performing a critical activity, the banking organization should conduct a more rigorous diligence process.
   
   The Guidance recognizes that a banking organization may not always be able to obtain all the due diligence information it might typically expect from a third party.¹³ This may be a particular challenge when partnering with fintechs. In such cases, the Guidance directs banking organizations to “document any limitations of [their] due diligence, understand the risks from such limitations, and consider alternatives as to how to mitigate the risks.”¹⁴ The Guidance also provides that banking organizations may share due diligence materials with other banking organizations or through consortiums of banking organizations, though only if each banking organization continues to tailor its due diligence and broader risk management process as necessary under the conditions, while also complying with antitrust guidance.¹⁵
   
   Considerations during this planning process will generally include reviews of the following factors for a specific third party: (a) the third party’s strategy and goals; (b) its legal and regulatory compliance; (c) its financial health; (d) the experience and qualifications of the third party and its leaders; (e) its internal risk management processes; (f) its information-management and security practices; (g) its operational resilience; (h) its incident-reporting and management process and its physical security; (i) its insurance coverage; and (j) its reliance on or arrangements with subcontractors or other parties.¹⁶
   
   
3. Contract Negotiations. A banking organization should closely scrutinize its contractual agreements with third parties and conduct periodic review of executed contracts to ensure they are kept up to date with respect to risk controls and legal protections.¹⁷
   
   Considerations during the contract-negotiation period may include: (a) the nature and scope of the arrangement; (b) performance measures or benchmarks; (c) handling of data and records; (d) the banking organization’s right to audit the service provider and to require remediation; (e) responsibility for legal and regulatory compliance; (f) costs and compensation; (g) ownership and licenses; (h) confidentiality and integrity; (i) operational resilience; (j) indemnification; (k) insurance; (l) dispute resolution; (m) consumer complaints; (n) subcontracting; (o) default and termination; (p) and regulatory supervision.¹⁸
   
   
4. Ongoing Monitoring. Effective third-party management includes ongoing monitoring of third-party relationships. Through ongoing monitoring, a banking organization can evaluate a third party’s controls and performance of its contractual obligations; it can also identify and quickly respond to any issues that arise. While the appropriate level or frequency of such monitoring will depend on the relationship and activities at issue, monitoring will include a review of performance and controls reports, periodic visits and meetings, and regular testing. For these purposes, a banking organization may consider contracting with external resources to assist in the evaluation. The Guidance provides an illustrative list of factors that may be considered in ongoing reviews, including the overall effectiveness of the third-party relationship, the consistency of the relationships with the banking organization’s strategic goals, changes to the third party’s business strategy or key personnel, and changes in the third party’s financial condition or insurance coverage.¹⁹
   
   
5. Termination. When considering whether to terminate a third-party relationship, a banking organization may consider factors such as the costs and fees associated with termination, whether the activity can be effectively and efficiently transitioned, data retention and security issues, the handling of intellectual property, and risks to the banking organization or its customers.²⁰   

D. Governance

While the Guidance recognizes that banking organizations may structure their third-party risk management processes in various ways, any appropriate process should typically include the following elements:²¹ 

1. Oversight and Accountability. A banking organization’s board of directors is responsible for overseeing third-party risk management. The board or its designated committee should typically consider the following factors, among others: whether the third-party relationships are managed consistent with laws, regulations, and the organization’s goals and risk appetite; whether periodic reporting on third-party relationships is sufficient; and whether management has appropriately remedied any performance risks or addressed changing issues.
   
   
2. Independent Reviews. The Guidance describes the importance of banking organizations obtaining periodic independent reviews of their third-party risk management processes. These reviews should generally consider factors such as whether the relationships align with the organization’s strategies, policies, and standards; whether oversight processes are well designed; whether risk management activities are appropriately staffed; and whether conflicts of interest are avoided with respect to third-party oversight at the banking organization. Management should respond promptly if an external review identifies any gaps in the organization’s risk management process.
   
   
3. Documentation and Reporting. Banking organizations should carefully document and report on their third-party relationships and related risk management processes. The Guidance notes that banking organizations should document their governance processes and should also maintain a current inventory of all third-party relationships associated with higher-risk activities, including critical activities. The Guidance also notes that the level of documentation and reporting needed will depend on the specific relationships at issue. 

E. Supervisory Reviews

Finally, the Guidance makes clear that each of the Agencies will consider banking organizations’ third-party risk management frameworks, processes, and practices in the context of standard supervisory reviews. When reviewing third-party risk management within a banking organization, the Agencies’ examiners will typically conduct the following activities: assess the organization’s ability to oversee and manage its third-party relationships; evaluate the impact of those relationships on the organization’s performance and risk profile; test or review the third parties’ compliance with laws and regulations; discuss any risks or deficiencies identified in the organization’s management processes; and review remediation plans.²²

In some cases, corrective measures, including enforcement actions, may be necessary to address any unsafe or unsound practices by a banking organization or third party with which it contracts. The message here is clear: banking organizations should comply with the Guidance and be prepared to demonstrate their compliance during supervisory reviews.

II. Impact of the Guidance: Special Considerations for Community Banks and Fintechs

A. Community Banks

One key theme from commenters in response to the proposed Guidance was that any increased risk management expectations would have an outsized impact on smaller regulated institutions, such as community banks. Federal Reserve Board Governor Michelle W. Bowman voted against approving the Guidance for that very reason, saying she did not believe the Guidance offered enough for community banks. In her statement following the vote, Gov. Bowman criticized the Guidance’s failure “to provide clear, usable, and more appropriately tailored expectations for small banks when considering third-party risk management,” to mitigate regulatory burdens on smaller institutions.²³

Numerous commenters raised this concern. In response, the Agencies repeatedly reiterated that the Guidance is intended to be principles-based and flexible, adapting to the risk management needs of any particular organization and relationship. Thus, community banks should tailor their risk management policies and procedures to match their respect size and complexity.

Because the Guidance relies heavily on the OCC’s existing third-party risk management guidance, OCC supervised banks will be relatively familiar with many of the risk management expectations issued in the final Guidance. But for small community banks not subject to OCC supervision, the Guidance may represent a more dramatic shift in risk management programs. In response, the Agencies also indicated that they plan to issue additional guidance on third-party risk management addressed to small, non-complex community banking organizations.²⁴

B. Fintechs

The Agencies underscored that the Guidance applies to banking organizations’ relationships with fintechs, effectively subjecting fintechs to heightened supervision and oversight controls.²⁵ Fintechs partnering with banking organizations should consider the following factors:

1. Risk Management is Tailored to Risk Level. The Guidance suggests that banking organizations evaluate a third party’s ownership structure and whether it maintains the requisite licenses or corporate powers; determine whether the third party or owners are subject to sanctions; determine if the third party has the expertise and controls to ensure the banking organization remains in legal compliance; consider the third party’s responsiveness to any compliance issues; and consider if the third party has articulated a process to mitigate potential harm to consumers.²⁶  These suggestions may be particularly relevant to relationships with fintechs that engage in crypto-asset activities.  In February of 2023, the Federal Reserve released a policy statement on Section 9(13) of the Federal Reserve Act.²⁷ The Federal Reserve explained that it has “not identified any authority permitting national banks to hold most crypto-assets, including bitcoin and ether, as principal in any amount,” which amounted to a presumption that such activities are prohibited under the law.²⁸ The Federal Reserve also raised concerns about the lack of regulation and compliance in the crypto-asset sector.²⁹ The Agencies also issued a joint statement on liquidity risks that arises from particular sources of funding from crypto-asset-related entities. The Agencies’ skepticism of the crypto-asset sector demonstrates they would likely view such crypto-asset activities as “critical activities,” requiring a higher level of risk management scrutiny.
   
   Enhanced due diligence requirements for third parties that engage in certain crypto-asset activities (e.g., decentralized finance) may also create a situation where a third party cannot identify an end user and so cannot determine whether an end user is subject to economic sanctions. Uncertainty about the legal and regulatory treatment of certain crypto-asset activities may also encourage some third parties to self-regulate or operate outside current domestic regulations. As a result, banking organizations that have relationships with third-party crypto-asset-related entities may be unable to meet the standards set forth in the Guidance.
   
   
2. The Guidance may subject a third party’s non-bank customers to indirect regulatory scrutiny. The Guidance notes that a third party’s contractual obligations with other entities have the potential to introduce legal, financial, or operational challenges to banking organizations, so it advises organizations to evaluate a third party’s legally binding arrangements with its subcontractors.³¹
   
   Such evaluations may amount to approval of third-party subcontractor arrangements, which may delay due diligence reviews. These evaluations may also encompass “fourth-party” relationships that are immaterial to the services provided to the bank. The Guidance thus opens the door for enhanced oversight into the day-to-day relationships of fintechs that engage with banking organizations. 
   
   
3. Ongoing Oversight of Critical Activities. Banking organizations should consider their ability to provide adequate and ongoing oversight of third parties, particularly when critical activities are at issue. Fintechs provide support for critical activities, including cashless payments, personal finance and wealth management, and bank mobile applications, largely through the use of application programming interfaces. Some fintechs that engage in crypto-asset activities may pose even greater risks. These risks vary depending on the size of the banking organization, the organization’s technological capabilities, or the volume of its business that relies on third parties. And, as the Guidance recognizes, some activities that are critical for some banking organizations may not be for others. These standards may impose heightened burdens on fintechs in particular and many introduce inconsistency in expectations, depending on a fintech’s relationships with various banking organizations.  
   
   
4. Data Aggregators. The Guidance does not explicitly differentiate between data aggregators and other third parties. As a result, the Guidance may cover situations in which consumers direct data aggregators to send information to banking organizations, and the receiving bank has no specific business relationship with the data aggregator other than “fulfilling a shared customer request.”³² Characterizing these interactions as business arrangements would likely trigger additional third-party compliance requirements for the banking organization.

The Guidance is expressly intended to be broad but also flexible. Banking organizations are expected to exercise their own judgment to determine how to apply the Guidance with respect to their relationships with fintechs and other third parties. But fintechs should also familiarize themselves with this Guidance as it will govern their relationships with banking organizations.

III. Conclusion

The Guidance provides greater clarity and consistency in bank regulatory expectations for managing third-party risk. It avoids a one-size-fits-all approach and instead defers to banking organizations on many key points. This will allow management to tailor their practices to the specific needs of their customers and communities. Still, the Guidance may create issues for some banking organizations and their services providers, including fintechs, so both banking organizations and third parties should remain responsive to regulator feedback regarding their specific relationships in the context of the final Guidance. Community banking organizations in particular should be aware of any future Guidance issued by the Agencies on the matter.

¹ Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920, 37927 n.6 (June 9, 2023).
² A third-party relationship is any business arrangement between a banking organization and other entity—regardless if there is a contract or remuneration. 88 Fed. Reg. at 37922.
³ 88 Fed. Reg. 37920.
⁴ Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182 (July 19, 2021).
⁵ 88 Fed. Reg. at 37921.
⁶ Id.
⁷ 88 Fed. Reg. at 37921 nn.2–4.
⁸ 88 Fed. Reg. at 37927.
⁹ Id.
¹⁰ Id.
¹¹ 88 Fed. Reg. at 37929.
¹² Id.
¹³ Id.
¹⁴ Id.
¹⁵ 88 Fed. Reg. at 37929 & n.10.
¹⁶ 88 Fed. Reg. at 37929–31.
¹⁷ 88 Fed. Reg. at 37931.
¹⁸ 88 Fed. Reg. at 37931–34. Additionally, where the organization contracts with a foreign-based third party, it should also consider the contractual provisions that govern what laws will apply to the contract. 88 Fed. Reg. at 37934.