Pub. 12 2022-2023 Issue 1

The expectations could vary depending on whether the institution was regulated by the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), or the Federal Deposit Insurance Corporation (FDIC). This year, the agencies released proposed interagency guidance on risk management for financial institutions entering into third-party relationships, followed shortly afterward by a guide for community banks that need to conduct due diligence on fintechs. Community financial institutions need to understand this recent guidance and take action to ensure that their third-party risk management programs properly address the relevant risks in fintech relationships.

A new type of third-party relationship

Partnering with a fintech can be a different risk management experience than partnering with other IT providers. Many community financial institutions have developed third-party risk management processes for their relationships with traditional technology partners. These traditional technology partners have typically provided “standard” IT solutions focused on basic day-to-day “back-office” functions like processing transactions. They usually offer these fundamental services to institutions for less than it would cost each bank to keep the process in-house.

Fintech relationships are often (although not always) customer-facing partnerships. They enable community financial institutions to provide a new product or service, access a new customer base, or enhance efficiencies. Financial institutions can’t necessarily depend on their technology partners to educate them on the process of partnering with a fintech. These companies are nimble organizations that can change dramatically in short spans of time. As fintechs race to get their products to market ahead of their competition or launch a new version with the latest enhancements, compliance with federal banking regulations probably won’t be their top priority. Their culture and business processes may vary greatly from the community financial institutions they partner with and from the traditional technology companies that community financial institutions are used to working with.

New guidance for managing these new relationships

In response to the rise of this new type of relationship between community financial institutions and fintech companies, the federal regulatory agencies that oversee America’s financial institutions issued proposed interagency guidance on managing risk in third-party relationships. Shortly thereafter, that regulatory language was followed by a guide focused specifically on helping community financial institutions understand how to conduct due diligence on fintechs under the new guidance. The guide offers relevant considerations, potential sources of information, and helpful examples on the following six key due diligence topics:

• Business experience & qualifications
• Financial condition
• Legal & regulatory compliance
• Risk management & controls
• Information security
• Operational resilience

This action by regulators should streamline the third-party due diligence expectations for all financial institutions.

July • August 2022
