US Regulators Propose New Unified Guidance to Banks on FinTech Vendor Risk Management

July 15, 2021

The Federal Reserve is joining the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) to provide newly aligned advice to banks about third-party risk management, particularly for fintech partners, as the number and complexity of digital transformation programs increase across financial institutions. The new guidance document was released in July.

Among the highlights of the vendor risk management (VRM) guidance proposal for banks:

  • It offers a framework for banking organizations to consider in developing risk management practices throughout the life cycle of third-party relationships, including planning to manage the relationship and its risks, due diligence and third-party selection, contract negotiation, oversight and accountability, ongoing monitoring, and termination.
  • It also offers a framework that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship, and promotes compliance with applicable laws and regulations, including those related to consumer protection.

“As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs,” the regulators wrote in the guidance. “A banking organization can be exposed to substantial financial loss if it fails to manage appropriately the risks associated with third-party relationships.”

The guidance also recognizes the need for different approaches to fintech vendor risk and compliance management based on the relative size of a bank or financial institution.

“Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization’s operations,” the regulators wrote in the guidance.

This is the first time the three agencies have moved as one to advise banks on the risks of fintech partnerships and other relationships with nonbank firms, American Banker reported. Over the past decade, each of the regulators has issued distinct third-party management guidelines: the FDIC issued guidance on partnerships in 2008, while the Fed and OCC issued their own separate versions in 2013.

The proposed guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.

American Banker noted that the guidance also appeared to encourage banks to share regulatory burdens when working with the same potential business partner or vendor, stating that “banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations.”

Comments on the proposal are due 60 days after publication.
