The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) have issued a joint statement highlighting potential risks associated with banks’ partnerships with third parties, particularly Fintech firms.
The regulators aim to underscore the importance of effective risk management practices in these collaborations while reaffirming existing guidance.
The agencies’ statement reflects growing concerns over the increasing reliance of banks on third-party providers to deliver deposit products and services.
These partnerships, often driven by objectives such as revenue growth, geographic expansion, and leveraging innovative technologies, have introduced new operational and compliance challenges.
Banks typically partner with Fintech companies to offer deposit products like checking and savings accounts directly to end users.
These arrangements, known as “banking-as-a-service” or “embedded finance,” often see third parties marketing and distributing the products, maintaining transaction records, processing payments, and managing regulatory compliance functions.
Despite outsourcing these roles, banks remain fully accountable for compliance with all applicable laws and regulations.
The regulators have identified several key risk areas in these third-party arrangements. One significant concern is operational complexity.
The heavy reliance on third parties can reduce a bank’s control over deposit operations, especially if due diligence and ongoing monitoring are insufficient.
Additionally, fragmented operations among multiple third parties can make risk assessment and management more difficult.
Access to records is another critical issue. Banks may face challenges in obtaining essential data from third parties, which can impair their ability to determine deposit obligations.
This uncertainty can lead to delays in customer access to funds, exposing banks to legal and compliance risks.
The reliance on third parties for compliance functions, such as monitoring for suspicious activities and managing customer identification programs, increases the risk of regulatory lapses.
Even when these functions are shared, banks are ultimately responsible for ensuring compliance.
Consumer protection is also a major concern. Inadequate oversight of third-party arrangements can impact a bank’s compliance with consumer protection laws, potentially leading to violations of requirements under regulations like the Electronic Fund Transfer Act and the Truth in Savings Act.
Misleading information or insufficient disclosures to end users can result in regulatory breaches and consumer harm.
Moreover, the absence of direct contracts with all parties performing crucial functions can complicate risk management. Banks may struggle to identify, assess, and mitigate risks effectively when multiple subcontractor relationships are involved.
The rapid growth of these partnerships poses additional risks. Misaligned incentives between banks and third parties can lead to a focus on growth over compliance. The operational capabilities of banks may lag behind the pace of growth, increasing vulnerabilities.
Concentrations of funding from these arrangements can challenge liquidity management, and significant reliance on third-party deposits can pose risks to capital adequacy.
One particularly pressing issue is the misrepresentation of deposit insurance coverage. Marketing materials from nonbank third parties can mislead consumers into believing their deposits are insured by the FDIC, even when they are not.
The regulators stressed the need for clear communication about the scope of deposit insurance and adherence to regulatory requirements to prevent such misrepresentations.
To address these risks, the regulators emphasized the importance of robust governance and risk management practices.
Banks are encouraged to develop comprehensive policies, conduct thorough due diligence, and establish clear contractual agreements with third parties.
Ongoing monitoring and effective oversight are crucial to detecting and mitigating issues in a timely manner.
The agencies have observed examples of effective risk management practices, such as maintaining detailed organizational structures, performing risk-based contingency planning, and implementing strong internal controls.
Additionally, banks should ensure compliance with anti-money laundering and counter-terrorism financing requirements and manage growth, liquidity, and capital implications effectively.