Banks have increasingly been open to working with new technology companies in the last several years. But recent consent orders show that some banks may have bitten off more than they can chew.
“[T]here are still pockets of the industry that have a procurement mindset around third parties,” says Bradford Hardin, a partner and cochair of the financial services practice at Davis Wright Tremaine. “Banking should have moved beyond that a while ago but has not entirely.”
Third-party partnerships can bring new capabilities, opportunities and customers but can also invite a number of risks. Regulators hold banks accountable for their partners’ actions as if the bank performed the action itself. Managing and overseeing third-party relationships is nothing new, but the types of third parties that banks are working with, and the nature and objective of these relationships, have changed.
Banks need to elevate and evolve how they manage these relationships, working closely with their partners to ensure compliance with all applicable laws, as well as validating and monitoring those partners. To learn more about regulators’ expectations for banks when it comes to third-party partnerships, Bank Director analyzed more than a dozen formal enforcement actions from federal prudential regulators from 2023 and 2024 that looked specifically at technology issues or complex technology partnerships. Third-party risk management and oversight of new products is a major focus of at least 10 of those actions. [This article is second in a series about consent orders; you can read the first article on Bank Secrecy Act and money laundering compliance here.]
Managing third-party partners starts at the due diligence stage. Prudential regulators like the Federal Deposit Insurance Corp., the Federal Reserve and the Office of the Comptroller of the Currency are concerned that fintechs interested in working with banks may present more or different risks than existing relationships. In turn, they expect a bank’s risk assessment to reflect these heightened risks during due diligence, says James Stevens, an Atlanta-based partner with Troutman Pepper.
Banks need to modify due diligence processes to be “substantially more comprehensive” if the third party will be used by customers or could market to them, Stevens says. The relationships can include cryptocurrency services, payments facilitation or banking as a service arrangements, where a financial institution partners with another company that uses the bank’s charter to attract customers.
This can include updating written “policies, procedures and processes” governing the third-party relationships. These items govern how the bank identifies risks within the products and services it or its partners issue as well as how it selects, assesses and oversees third parties, according to the consent orders. Banks should also establish criteria that boards use to review and approve third-party fintech partners.
One banking as a service bank with a lot of fintech due diligence experience is FinWise Bancorp. Before even beginning the formal due diligence process with a prospective BaaS partner, the bank lays out its expectations and provides a list of requirements the partner must meet to advance. After that, the Murray, Utah-based bank begins its comprehensive vetting process, which includes providing partners with a detailed outline of each party’s responsibilities if they start a relationship and requires the fintech to have a compliance team in place, says CEO Kent Landvatter.
The $586 million bank has two internal committees assess the fintech. Its third-party oversight committee considers the potential partner’s reputational and BSA risks as well as its business model, financial statements, beneficial ownership and funding ability, to assess whether it can be a vendor to the bank. The project risk committee delves into the partner’s specific product to ensure it meets all applicable regulatory and legal requirements. Finally, the company submits the committee minutes to the board for review.
This rigorous approach has meant FinWise has lost out on partnerships that ended up at other banks, Landvatter says. At the same time, FinWise does not have any outstanding formal enforcement actions, according to the FDIC’s website.
“Two to three years ago, we lost partners in those first steps who went to other banks because they said ‘[Our approach was] too hard,’ or ‘This other bank isn’t requiring that.’ In hindsight, I think it was the right decision,” he says. “In particular, one of the banks that one of our potential partners went to is in trouble now. There are no shortcuts in compliance.”
Due diligence transforms into active oversight once a bank begins a third-party partnership. Regulators want to see evidence that banks are monitoring their partners and managing the programs, Stevens says. Bank boards and executives need to think about how to provide the necessary resources like staffing and funding, infrastructure, technology controls and organizational capabilities to manage and oversee these relationships.
They should monitor the partnership’s activities and performance and have contingency plans if they need to wind down the relationship. They should also maintain systems to document and report their oversight, monitoring and risk management of these relationships to executives and the board.
For example, if a bank engages with a third party that offers the bank’s deposit product to consumers through an external website or mobile application, the bank should have ongoing monitoring of the third party’s consumer disclosures and customer onboarding process, Stevens says. The bank should also know about the third party’s history of, and approach to, customer complaints and establish a process for complaints the third party must report to the bank, so the bank can act appropriately.
The regulatory scrutiny has led to a recent slowdown in product launches between banks and fintechs, says Hardin. Sponsor banks are “quite cautious” now when it comes to expanding existing programs, he says, and some that “dabbled” in the banking as a service space have decided to exit.
Proactive banks wanting to strengthen their management of third-party partnerships should pair the remedies outlined in recent enforcement actions with the regulators’ interagency guidance on third-party partnerships, which came out in the summer of 2023. These enforcement actions are from exams that likely predate the publication of the guidance and instead use older guidance, says Konrad Alt, a partner at the advisory and investment firm Klaros Group. Alt is working with several banks that have received regulatory feedback on these partnerships, as well as institutions wanting to grow in this space. He believes that enforcement actions that speak to the 2023 guidance will be published in 2025.
Bank Director’s Review of Enforcement Actions Finds Three Types of Risks in Third-Party Relationships
Bank Secrecy Act/anti-money laundering risk: Each third-party fintech will carry its own BSA/AML compliance risk, which includes its potential susceptibility to facilitating money laundering, terrorist financing and sanctions violations. In response, banks should know what each fintech’s processes are for mitigating these risks and complying with applicable laws and regulations.
Compliance risk: An effective compliance oversight program starts by evaluating the products, services and activities offered by the partners for compliance with applicable laws and regulations. The bank should also create a process to address each partner’s activities if its compliance program identifies noncompliance or violations of laws and regulations.
Operational risk: Banks should evaluate the amount of staff needed to ensure adequate oversight and management of the partnership, and confirm that the staff has the requisite experience needed to be effective. Staff should also maintain documentation of the products and services the third party offers. This includes a list and descriptions of these products and services, along with risk assessments of the partners and the products.