The federal bank regulatory agencies (the Board of Governors of the Federal Reserve System – Board, the Federal Deposit Insurance Corporation – FDIC, and the Office of the Comptroller of the Currency – OCC) issued a statement reminding banks of potential risks associated with third-party arrangements to deliver bank deposit products and services.
The agencies support responsible innovation and banks engaging in these arrangements in a safe and sound manner and in compliance with applicable law. While these arrangements can provide benefits, supervisory experience has identified a range of safety and soundness, compliance, and consumer-related concerns with the management of these arrangements.
The statement details the potential risks and provides examples of effective risk management practices for these arrangements. In addition, the statement reminds banks of relevant existing legal requirements, guidance, and related resources, and provides insights that the agencies have gained through their supervision. The statement does not establish new supervisory expectations.
Context
Some banks have entered into arrangements with third parties to deliver deposit products and services (such as checking and savings accounts) to end users. Banks may do this in order to increase revenue, raise deposits, expand geographic reach, or to achieve other strategic objectives, including by leveraging new technology or offering innovative products and services.
In these arrangements, a third party, rather than the bank, typically markets, distributes or otherwise provides access to or facilitates the provision of the deposit product or service directly to the end user. (These arrangements are sometimes referred to as “banking-as-a-service” or “embedded finance” depending on the structure and parties involved in the arrangement.)
In some arrangements, banks rely on one or multiple third parties to maintain the deposit and transaction system of record; process payments (sometimes with the ability to directly submit payment instructions to payment networks); perform regulatory compliance functions; provide end-user facing technology applications; service accounts; perform customer service; and perform complaint and dispute resolution functions. These third parties are sometimes referred to as intermediate platform providers, processors, middleware providers, aggregation layers, and/or program managers. A bank’s use of third parties to perform certain activities does not diminish its responsibility to comply with all applicable laws and regulations.
Similar structures have been utilized for certain activities in the banking industry for many years, such as activities related to prepaid card programs. However, the agencies have observed an evolution and expansion of these arrangements to include more complex arrangements that involve the reliance on third parties to deliver deposit products and services.
POTENTIAL RISKS
Depending on the structure, third-party arrangements for the delivery of deposit products and services can involve elevated risks. The agencies have observed that risks may be elevated in certain circumstances, such as the examples below.
Operational and Compliance
Significant operations performed by a third party: Substantially relying on third parties to manage a bank’s deposit operations can eliminate or reduce a bank’s crucial existing controls over and management of the deposit function. Without adequate initial due diligence and ongoing monitoring, risks to the integrity of a bank’s deposit function are heightened.
Fragmented operations: Fragmented operational functions for deposit products and services among multiple third parties may make it more difficult for the bank to effectively assess risks and assess whether all third parties can and do perform assigned functions as intended.
Lack of access to records: A potential lack of sufficient access by a bank to the deposit and transaction system of record and other crucial information and data maintained by the third party can impair the bank’s ability to determine its deposit obligations. In some circumstances, such uncertainty can lead to delays in end-users’ access to their deposits, which in turn can expose the bank to additional legal and compliance risks.
Third parties performing compliance functions: Reliance on third parties to perform regulatory compliance functions may increase the risk of the bank not meeting its regulatory requirements. Specifically, the third party may perform certain regulatory compliance functions such as monitoring and reporting suspicious activity, customer identification programs, customer due diligence, and sanctions compliance on behalf of the bank. Regardless of whether the functions are shared between the bank and the third party, the bank remains responsible for failure to comply with applicable requirements.
Insufficient risk management to meet consumer protection obligations: Insufficient oversight of these arrangements may impact a bank’s compliance with consumer protection laws and regulations, such as requirements under Regulation E (implementing the Electronic Fund Transfer Act) to investigate and resolve certain payment disputes within required timeframes, and under Regulation DD (implementing the Truth in Savings Act) to provide certain disclosures regarding consumer deposit accounts. Presenting insufficient or misleading information to end users also may result in violations of laws and regulations, including consumer protection requirements. In addition, inadequate complaint administration and error resolution processes may limit a bank’s ability to effectively identify and address issues impacting end users of the deposit accounts and result in potential consumer harm.
Lack of contracts: Multiple levels of third-party and subcontractor relationships, where the bank does not have direct contracts with entities that perform crucial functions, may pose challenges to the bank’s ability to identify, assess, monitor, and control various risks.
Lack of experience with new methods: Arrangements leveraging new technologies or new methods of facilitating deposit products and services with which bank management and staff do not have prior experience may result in inadequate risk and compliance management practices to manage or oversee these arrangements and associated risks.
Weak audit coverage: Lack of sufficient audit scope and coverage, follow-up processes, and remediation may result in inadequate oversight of these arrangements and reduce the effectiveness of the audit function.
Growth
Misaligned incentives: A third party’s incentives may not be aligned with those of the bank, such as when a third party may be incentivized to promote growth in a manner that is not aligned with the bank’s regulatory obligations, resulting in insufficient attention to risk management and compliance obligations.
Operational capabilities lag growth: Rapid growth as a result of these arrangements (either in the overall number of arrangements or in the size of specific arrangements) may result in risk management and operational processes struggling to keep pace.
Financial risks from funding concentrations: Arrangements may result in significant and rapidly increasing funding concentrations, which may make it more challenging for the bank to manage and mitigate liquidity and funding risks, particularly when funding is deployed in illiquid or long-term assets.
Inability to manage emerging liquidity risks: Arrangements where a significant proportion of a bank’s deposits or revenue are associated with a third party may pose liquidity risks, such that the bank may be reluctant to make decisions necessary to manage those risks, including, if necessary, to terminate the arrangement.
Pressure on capital levels: Arrangements may result in material and rapid balance sheet growth (including significant intraday balance sheet levels) without commensurate capital formation.
Next steps
Separately, the agencies have requested additional information on a broad range of bank-fintech arrangements, including with respect to deposit, payments, and lending products and services. The agencies are seeking input on the nature and implications of bank-fintech arrangements and effective risk management practices.
The agencies are considering whether additional steps could help ensure banks effectively manage risks associated with these various types of arrangements.