US Regulators Propose New Unified Guidance for FinTech Vendor Risk Management
The Federal Reserve is joining the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) to provide newly aligned advice to banks about third-party risk management, particularly for fintech partners, as the number and complexity of digital transformation programs increase across financial institutions. The guidance document was released in July 2021.
Among the highlights of the vendor risk management (VRM) guidance proposal for banks:
- It offers a framework for banking organizations to consider in developing risk management practices throughout the life cycle of third-party relationships, including planning to manage the relationship and its risks, due diligence and third-party selection, contract negotiation, oversight and accountability, ongoing monitoring, and termination.
- It also offers a framework that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship, and promotes compliance with applicable laws and regulations, including those related to consumer protection.
“As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs,” the regulators wrote in the guidance. “A banking organization can be exposed to substantial financial loss if it fails to manage appropriately the risks associated with third-party relationships.”
The guidance also recognizes the need for different approaches to fintech vendor risk and compliance management based on the relative size of a bank or financial institution.
“Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization’s operations,” the regulators wrote in the guidance.
This is the first time the three agencies have moved as one to advise banks on the risks of fintech partnerships and other relationships with nonbank firms, American Banker reported. Over the past decade, each of the regulators has issued distinct third-party management guidelines: the FDIC issued guidance on partnerships in 2008, while the Fed and OCC issued their own separate versions in 2013.
The proposed guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.
American Banker noted that the guidance also appeared to encourage banks to share regulatory burdens when working with the same potential business partner or vendor, stating that “banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations.”
Comments on the proposal are due 60 days after publication.