The Board of Governors of the Federal Reserve System (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued the long-awaited final Interagency Guidance On Third-Party Relationships: Risk Management (Final Guidance) on June 6, 2023. The Final Guidance replaces the disparate set of guidance and FAQs separately issued by the Agencies over the years, bringing greater consistency to supervisory expectations for banks in managing risks arising from their business relationships with service providers, contract counterparties, and other third parties.
The Final Guidance will be of particular interest to fintech companies, especially those that partner with or are looking to partner with banks. The Final Guidance explicitly calls out bank-fintech partnerships as within its purview, underscoring the potential risks raised by partnerships that involve novel or complex structures, as well as arrangements where the fintech company rather than the bank serves as the main point of contact for interactions with the end user (such as certain banking-as-a-service models).
Fintech companies that currently, or are seeking to, partner with banks should pay close attention to the Final Guidance, as it is now the definitive source of guidance on supervisory expectations and also a sign of greater supervisory scrutiny on bank-fintech partnerships. Small banks, which many fintech companies tend to partner with, will likely find the new guidance challenging to implement. In a rare dissenting statement, Federal Reserve Governor Bowman predicted that more resources will be needed to “ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.” The Final Guidance notes that the Agencies plan to, but have not yet, developed these additional resources to assist community banks and other smaller banks. Consequently, fintech companies looking to partner with banks, especially small banks, should be prepared for a more rigorous and potentially drawn-out diligence process with their potential bank partner, as well as ongoing monitoring.
Overview of the Final Guidance
Banking organizations are required to operate in a safe and sound manner and in compliance with applicable regulations, whether their activities are performed internally or outsourced to a third party. Operating in a safe and sound manner requires a bank to establish risk management practices governing its activities, including risks arising from its third-party relationships. The Final Guidance provides sound risk management principles that banks can use when developing and implementing risk management practices to assess and manage risks associated with third-party relationships.
The Final Guidance is striking in its expansive scope. It broadly defines third-party relationships, encompassing any business arrangement between a banking organization and another entity, whether the arrangement is formalized by contract or otherwise established. Included in the scope of third-party relationships are outsourced services, the use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.
Importantly, the Final Guidance emphasizes that a bank’s use of such third parties does not diminish or remove its responsibilities to meet those requirements and ensure compliance with applicable regulations, such as those related to consumer protection and financial crimes. In issuing the Final Guidance, the Agencies sought to promote consistency in supervisory approaches to third-party risk management by replacing each agency’s existing guidance on the topic,1 each of which is rescinded and replaced by the Final Guidance.
Key Considerations for Fintech Companies
The Final Guidance lays out a risk management framework that outlines a series of essential steps for banking organizations that partner with fintech companies, including engaging in sufficient planning, conducting due diligence for third-party selection, negotiating contracts, monitoring on an ongoing basis, and, if necessary, effecting efficient termination. The Final Guidance also details a set of best practices for governance of third-party risk management, including oversight and accountability, independent reviews, and documentation and reporting.
Fintech companies seeking to enter into partnerships with banks should take note of the following key areas in the Final Guidance:
Awareness of the areas of supervisory sensitivity will be critical to a fintech company’s success in partnering with a bank to deliver banking services.
The Agencies declined to establish any "safe harbors" in the Final Guidance, even for small banks. Rather, key to the third-party risk management framework, as contemplated under the Final Guidance, is the need for banks to tailor their risk management practices commensurate to their size, complexity, risk profile, and the nature of their third-party relationships. This tailored approach acknowledges the variety among different third-party relationships and the unique challenges that arise from such relationships. However, given the breadth of the Final Guidance, this tailoring may be easier said than done, particularly for community banks.
With respect to supervisory exams of a bank’s third-party risk management, the Final Guidance noted that supervision will also be tailored based on the degree of risk and the complexity associated with the bank’s activities and its third-party relationships. While the Final Guidance focuses on bank responsibility for third-party arrangements, it also recognizes that in certain circumstances, an agency may examine the functions or operations that a third party performs on behalf of a banking organization, allowing the Agencies the flexibility needed to address the unique challenges faced by the range of banking organizations and their various types of third-party relationships. In these cases, the agency may address violations of laws and regulations through corrective measures, including enforcement actions, to address unsafe practices by the third party.
Small banks in particular will likely face challenges in implementing the Final Guidance and some degree of uncertainty in meeting supervisory expectations, which may mean more challenging contract negotiation dynamics for fintech companies and greater hesitation by banks to enter into innovative arrangements. As bank-fintech partnerships increase in their complexity and incorporate novel strategies or technologies, the Agencies will require banks to step up their risk management, which their fintech partners will need to address.
Wilson Sonsini Goodrich & Rosati advises fintech companies regarding the integration of their innovative technologies into regulated financial systems and counsels them on how to intelligently navigate associated novel and evolving legal issues. For additional information, please contact Jess Cheng, Mara Alioto, or any other member of Wilson Sonsini’s fintech and financial services practice.
 SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021); FIL–44–2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance,” and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.”