On July 25, 2024, the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System (collectively, the "Banking Agencies") released both a Joint Statement and request for information (RFI) regarding banks' arrangements with financial technology (fintech) companies for the delivery of bank products and services to end users.
The joint statement and RFI (i) explore the benefits, structures, and components of bank-fintech arrangements,1(ii) highlight the risks associated with the arrangements, (iii) underscore the importance of risk management strategies to combat those risks, and (iv) emphasize that a bank's use of third parties to offer banking products and services does not diminish its responsibility to operate in a safe and sound manner and in compliance with applicable laws and regulations.
The Banking Agencies' release of the joint statement and RFI follows their issuance last year of guidance concerning third-party risk management,2and several recent enforcement actions filed over the last few years against banks relating to improper risk management and oversight (including the risk management of fintech partners). While the Banking Agencies state that the Joint Statement is not intended to create new supervisory expectations or modify existing guidance, the Joint Statement (coupled with the RFI) demonstrates the Banking Agencies' continued supervisory interest in bank-fintech arrangements and in the management of the risks associated with those arrangements. The publication of the Joint Statement and RFI also suggests that additional guidance or regulatory expectations related to third-party risk management may be forthcoming, and/or that the banking industry may continue to see enforcement actions related to inadequate or improper third-party risk management and oversight.
Joint Statement on Banks' Arrangements with Third Parties to Deliver Bank Deposit Products and Services
The Joint Statement addresses banks' arrangements with third parties3for the delivery of bank deposit products and services (such as checking and savings accounts). The Banking Agencies note that banks often enter into these arrangements to leverage new technology and to achieve strategic objectives such as increasing revenue or raising deposits, among other things. Typically, the third party—very often an unregulated institution—markets and facilitates the provision of deposit products offered by the bank, and often performs functions such as maintaining a deposit and transaction system of record, processing payments, servicing accounts, conducting activities for regulatory companies, and managing end user complaints. Some arrangements may include the use of multiple third parties, such as intermediate platform providers, processors, or program managers, to perform some of the foregoing functions.
The Joint Statement describes various risks associated with these arrangements, separating the risks into different categories: operational and compliance risks, risks related to growth, and risks stemming from end user confusion and the misrepresentation of deposit insurance coverage. The following are examples of some of the risks cited by the Banking Agencies4:
Operational and Compliance
- Significant reliance on third parties to manage a bank's
deposit operations and regulatory compliance functions could reduce
a bank's controls over, and management of, deposits.
- Limitations on a bank's access to a third party's deposit and transaction system of record could create uncertainty for a bank in determining deposit obligations and potentially affect end users' access to their deposits.
- A bank's lack of experience with new technology could affect its ability to effectively oversee and manage the arrangements from a compliance management perspective.
Growth
- The bank's and third party's incentives may be
inconsistent, and a third party may prioritize growth over the
bank's fulfillment of its regulatory obligations. This could
result in less attention being paid to risk management and
compliance functions.
- Rapid growth may outpace applicable risk management and operational processes.
- Significant funding concentration could create liquidity risk and rapid balance sheet growth (without commensurate capital formation) and might interfere with a bank's ability to make decisions to manage risks and terminate relationships.
End User Confusion and Misrepresentation of Deposit Insurance Coverage
- End users may be confused regarding the deposit insurance
status of deposit products and services obtained through
third-party arrangements.
- End users may not be aware that deposit insurance does not protect against losses resulting from the insolvency of the third party.
- Inaccurate or misleading information regarding the extent of, or manner under which, deposit insurance coverage is available could constitute a violation of 12 C.F.R. Part 328.
The Banking Agencies emphasize the importance of effective board and senior management oversight to ensure that a bank's risk management practices are commensurate with the complexity, risk, size, and nature of the activity and relationship (upon commencement and as the relationship evolves over time). In addition, the Banking Agencies provide examples of practices deemed to be effective risk management for the risks identified in the statement. Such practices include:
-
- Governance and Third-Party Risk Management;
- Managing Operational and Compliance Implications;
- Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT)/Sanctions Compliance;
- Managing Growth, Liquidity, and Capital Implications; and
- Addressing Misrepresentations of Deposit Insurance Coverage.
Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses
Pursuant to the RFI, the Banking Agencies are soliciting input to build on their understanding of bank-fintech arrangements. To better understand the arrangements, the Banking Agencies have requested, among other things, information on the benefits, risks, and implications of bank partnerships with third parties. The Banking Agencies have additionally indicated that they are seeking to determine whether enhancements to existing supervisory guidance may be helpful in addressing risks associated with bank-fintech arrangements.
The comment period to submit information to the Banking Agencies ends on September 30, 2024.
Footnotes
1. The scope of bank-fintech arrangements contemplated differs between the Joint Statement and RFI. In particular, the Joint Statement focuses on bank-fintech arrangements offering deposit products and services, whereas the RFI delves into broader bank-fintech arrangements offering deposits, payments, and lending products and services.
2. See Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed Reg. 37,920 (June 6, 2023). The Banking Agencies additionally released a guide for community banks on third-party risk management earlier this year titled, "Third-Party Risk Management: A Guide for Community Banks."
3. The use of "third parties" is broadly interpreted within the Joint Statement, which indicates that third parties sometimes include non-bank companies such as, but not limited to, fintech companies.
4. Several of the risks cited by the Banking Agencies are reminiscent of the challenges that have plagued some institutions since Synapse Financial Technologies, LLC—an intermediate platform provider/program manager that partnered with these institutions, and partnered with fintech companies to offer the banks' services to end users—filed for bankruptcy earlier this year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.