US Regulators Propose New Unified Guidance for FinTech Vendor Risk Management
As financial institutions increasingly partner with fintech companies to enhance their digital offerings, effective third-party risk management has become more critical than ever. The complex nature of these relationships poses significant challenges in terms of compliance, operational integrity, and cybersecurity. With regulators, such as the Federal Reserve, FDIC, and OCC, stepping up their scrutiny, organizations must adopt robust frameworks to assess and mitigate risks associated with these partnerships. This focus on enhanced risk management is essential for safeguarding consumer interests and ensuring the stability of the financial system in a rapidly evolving technological landscape. As the financial industry continues to embrace innovation, aligning regulatory expectations with proactive risk management strategies is paramount for maintaining operational resilience and competitive advantage.
What to Know
The Federal Reserve is joining the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency to provide newly aligned advice to banks about third-party risk management, particularly for fintech partners as the number and complexity of digital transformation programs increase across financial institutions. The guidance document was released in July 2021.
Among the highlights of the VRM guidance proposal for banks:
- It offers a framework for banking organizations to consider in developing risk management practices throughout the life cycle of third-party relationships, including planning to manage the relationship and its risks, due diligence and third-party selection, contract negotiation, oversight and accountability, ongoing monitoring, and termination.
- It also offers a framework that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship, and promotes compliance with applicable laws and regulations, including those related to consumer protection.
“As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs,” the regulators wrote in the guidance. “A banking organization can be exposed to substantial financial loss if it fails to manage appropriately the risks associated with third-party relationships.”
The guidance also recognizes the need for different approaches to fintech vendor risk and compliance management based on the relative size of a bank or financial institution.
“Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization’s operations,” the regulators wrote in the guidance.
This is the first time the three agencies have moved as one to advise banks on the risks of fintech partnerships and other relationships with nonbank firms, American Banker reported. Over the past decade, each of the regulators has issued distinct third-party management guidelines: the FDIC issued guidance on partnerships in 2008, while the Fed and OCC issued their own separate versions in 2013.
The proposed guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.
American Banker noted that the guidance also appeared to encourage banks to share regulatory burdens when working with the same potential business partner or vendor, stating that “banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations.”
Comments on the proposal are due 60 days after publication.