BY ANDREAS WESTGAARD AND CHRISTINA HUNT-FUHR
The much-anticipated guidance on third-party relationships issued in June by the Fed, OCC, and FDIC at first left us scratching our heads. The first thing we noted was how NON-specific much of this was. The agencies made it clear that the guidance was designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. What was not as clear, at first, was what had changed - what precisely do banks and fintechs need to know and do to stay on the right side of the regulatory perimeter?
We undertook a deep dive on this recently for The Financial Brand. We analyzed not just the final guidance itself but mined for clues to how it would be applied in the previous draft guidance, the preamble to the final guidance (which described their considerations of all of the comments they’d received on the draft guidance) and in other public comments the various agencies had issued. We then came up with takeaways for both banks and fintechs.
While leaving a lot of room for interpretation, we think the agencies made certain things very clear:
When it comes to bank-fintech partnerships, the buck stops with the bank
All banks will be held to the same standards when it comes to bank-fintech partnerships, regardless of size
Consumer protection is top of mind
The most important point we’d make is that this is very much “spirit of the law” vs. “letter of the law”: while on the one hand the regulators state that banks have flexibility in their implementation of the guidance, on the other hand they make clear that banks bear full responsibility for managing risk in these relationships, which includes thinking through all possible risks as well as their approach to managing them. And, regulators clearly intend to hold banks accountable for any lapses that occur in the course of bank-fintech relationships. That’s why we advise banks, and by extension fintechs, to get ahead of the guidance and take proactive steps to identify and close any gaps in their existing risk and compliance programs.
You can find the specifics here - and if you have questions, we’re always happy to chat.
Image Source: AgnosticPreachersKid, CC BY-SA 3.0, via Wikimedia Commons