Overview
The federal banking agencies recently issued a statement outlining the risks to banking institutions in establishing deposit-related third-party relationships, including those involving fintechs and banking-as-a-service (BaaS) providers. The interagency guidance does not alter existing requirements or establish new supervisory expectations, but signals the agencies’ focus on these increasingly expansive relationships and the risks that they entail.
Fragmented Operations
The agencies stressed the necessity for banks to exercise control over, and manage, their third-party relationships that involve delivering deposit products and services to end users, like retail customers. These third parties, or “partners,” record and control crucial data that banks need to assess their deposit obligations. Without diligent monitoring of these partners, banks may risk the integrity of their deposit base, including over-concentration in specific industries, which can have serious implications for their overall growth strategies and liquidity management.
These fragmented operations can be exacerbated by misaligned incentives between banks and their partners. Although these partners frequently focus on their growth prospects, banks need to manage their growth carefully to ensure that they comply with their regulatory obligations, and can provide the necessary oversight for sustainable operations.
Third-Party Management of Regulatory Compliance
Although they are not banks, these partners often are expected to perform various compliance functions for banks, such as customer due diligence and suspicious activity monitoring. Outsourcing responsibility to partners could make it more difficult for banks to ensure that they are meeting their obligations and, consequently, increases their regulatory risks. Agreements that fail to provide banks with strong monitoring and auditing rights (and remedies for non-compliance) for their partners may result in inadequate oversight, and could limit their ability to mitigate lapses in regulatory compliance.
Risk to Customers
The agencies also expressed concern about how the applicability of FDIC deposit insurance is represented to consumers, because deposit insurance will not always be available to losses resulting from a partner’s failure. Potentially misleading marketing by partners will have consequences for banks, which should ensure that their agreements with partners provide for strong rights to review and approve marketing materials related to their programs, prior to dissemination to the public.
Establishing Policies & Procedures
Banks that engage in these relationships also should be prepared and organized to manage any potential weaknesses. Internal policies and controls mitigate the risks inherent to these relationships, and encourage a successful partnership and continued prudent growth. In addition to policies that manage risk, banks should be prepared to conduct due diligence of sufficient scope to determine whether potential partners have appropriately sophisticated operations to address the regulatory needs of the industry. For example, banks should ensure that their partners are equipped with systems that can address concerns related to money laundering, terrorist financing and sanctions compliance, business continuity and disaster recovery, and maintaining appropriate subledgers or other customer records. Additionally, banks should continue their partner due diligence over the life of their agreements.
Action Steps
Considering the recent guidance and based on our experience, we recommend that banks contemplating these relationships should:
- Conduct extensive due diligence on their partners and the partners’ principals, both initially and on ongoing;
- Determine their partners’ regulatory compliance maturity to determine whether they can successfully comply with applicable banking laws and regulations, as well as evolving supervisory expectations;
- Discuss the proposed relationship with their regulator(s) before entering into any agreements; and
- Plan for exiting the relationship before starting it, not after it has begun.
We Can Help
Although they can be very successful when managed correctly, these partner relationships entail significant risk if they are not correctly implemented and monitored by banks. If your institution is looking to expand its presence by partnering with a third party to deliver deposit products and services, the program agreements must be carefully drafted and properly operationalized to ensure that the bank and its customers are fully protected. We also have been involved in several instances when we helped clients navigate the complexities involved in terminating existing relationships.