by Margaret E. Tahyar and Ledina Gocaj
On June 6, 2023, the Federal Reserve, FDIC and OCC (the Agencies) released final interagency guidance on banking organizations’ management of risks associated with third-party relationships. Davis Polk’s memo on the guidance is linked here. Our key takeaways:
- The guidance itself does not break much new policy ground. We do not expect that larger banking organizations with mature third-party risk management will need to make significant changes to process and policy. There is less that is new in the guidance than much of the commentary would lead one to believe.
- But, the supervisory bar will be higher. It is unlikely that the guidance will make third-party risk management any easier because the supervisory bar is likely to be higher. Both the Blue Ridge and the Cross River actions, as well as comments by agency principals, make it clear that fintech partnerships will be under greater supervisory scrutiny. Any contract involving customer contact or data is likely to be sensitive. As a result, we think fintechs will be facing a higher bar entering into and maintaining relationships with banking organizations.
- The supervisory focus should be risk-based, especially on “critical activities,” defined as those that could have significant customer impacts, cause a banking organization to face significant risk if a third party fails to meet expectations or have significant impact on a banking organization’s financial condition or operations. It remains to be seen, however, how the risk-based focus will be translated at the supervisory level. It may be a challenge for some second lines of defense and supervisory teams to move away from a checklist approach into a risk-based approach.
- Boards of directors should expect supervisory focus on the adequacy of their oversight. A banking organization’s board should be aware of contracts involving higher risk activities. The board must provide clear guidance regarding acceptable risk appetite and approve appropriate policies. As a necessary corollary, the board is ultimately responsible for ensuring management provides it adequate reporting and opportunity to fulfill its obligations regarding oversight and accountability.
- The complexity and cost of the onboarding process for smaller banks and fintechs may hinder bank-fintech partnerships. Federal Reserve Governor Michelle W. Bowman did not support the guidance, citing in her statement concerns that the Agencies have not yet developed “clear, usable, and more appropriately tailored expectations for small banks when considering third-party risk management” like those accompanying the Federal Reserve’s past third-party risk management guidance.
- It remains to be seen whether the Agencies’ increased focus on third-party relationships will result in an increased number of examinations of service providers under the Bank Service Company Act. The Bank Service Company Act authorizes the Agencies to regulate and examine the performance of services authorized under the Act provided to banking organizations by third-party service providers.
Margaret E. Tahyar is a Partner and Ledina Gocaj is Counsel at Davis Polk & Wardwell LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).