The reality show “Love is Blind” has exploded in popularity since it began in 2020. In just three years, it’s had six seasons and international versions in three countries: Japan, Sweden, and Brazil. The premise of the show involves men and women dating each other without seeing each other in person, and they only meet after they decide to become engaged.

There is a great deal of personal risk inherent in this sort of scenario, because, as some of the contestants find out, not all relationships (or people) are as they seem. This is something community financial institutions (CFIs) should consider when developing and implementing risk management practices surrounding third-party relationships, including fintechs. While there are many ways that fintech partnerships can be beneficial for CFIs, such third-party relationships can often involve hidden risks that regulators are keeping a close watch for.
Hidden Risks

As part of their effort to evaluate the overall strength of the federal banking system, regulators are asking that financial institutions step up their risk management efforts when engaging third parties. This began in June of 2023, when the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System issued guidance on the subject. In December 2023, the OCC’s acting deputy comptroller, Donna Murphy, testified to the House Subcommittee on Digital Assets, Financial Technology and Inclusion to reiterate the importance of third-party risk management. In their fall 2023 Semiannual Risk Perspective report, regulators highlighted several risk areas related to third-party relationships and the risk management practices that financial institutions should take to minimize them. Here are specific things that regulators will be watching out for that CFIs should be aware of regarding third-party relationships:
- Up-to-date risk management processes. It is important to thoroughly evaluate the risks related to any third-party relationships, and this requires current risk management processes that comply with regulatory financial guidance. CFIs should review their processes for identifying critical activities and ensure that they are up-to-date.
- Effective management and board involvement. A financial institution’s board of directors is ultimately responsible for overseeing third-party risk management, outlining an organization’s risk tolerance, and putting into place board policies that ensure appropriate risk practices and procedures. Regulators made a point of noting that board responsibility extends throughout the entire risk management process and is not limited to any one particular stage.
- BSA and AML compliance. Regulators have cautioned financial institutions to constantly evaluate any Bank Secrecy Act (BSA) or Anti-Money Laundering (AML) risks related to fintech relationships and the controls that need to be in place, as they view these as “operational risks.”
- Diligent oversight for complex or higher-risk activities. In reviewing risks related to third-party relationships including fintechs, CFIs’ risk management efforts should account for the type of relationship as well as the size and complexity of the institution. Third-party relationships involving “critical activity” contracts should be approved by the CFI’s board of directors.
- Retain appropriate talent. Regulators have also noted the importance of ensuring that staff with the right level of experience and knowledge is involved in every stage of the risk management process, from legal counsel and internal experts to external expertise and support.
Other Considerations

In addition to outlining specific areas related to the risks of fintech partnerships and third-party relationships, regulators have noted that they plan to work with CFIs to create new resources that will make it easier for “smaller, non-complex community banking organizations” to manage such risks.
CFIs should also keep in mind that fintech partnerships, particularly those that are more complex or elaborate or where the CFI will be the issuing financial institution for any services or products marketed by the fintech, can mean costly and complicated onboarding, as well as additional costs for ongoing oversight. Partnerships with fintechs or other third-party providers can benefit CFIs in many ways, but it is important that CFIs do thorough due diligence on the risks these relationships can create before delving into any such agreement. With regulators specifically stepping up their oversight in this area, it is more important than ever for CFIs to enter fintech partnerships with an awareness of the additional risks and regulatory oversight that may result.