In recent times, regulatory guidance from the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and The Federal Reserve Board of Directors has underscored the critical importance for banks to grasp and manage risks effectively when engaging in partnerships with fintech firms. This guidance serves as a reminder for banks to assess and mitigate risks associated with each partnership, including potential issues such as defaults and termination. Moreover, the OCC has drawn attention to nested relationships within the fintech realm, where firms provide services to other entities who may also be fintechs without adequate controls, exposing banks to additional risks. These regulatory measures align with recent actions addressing third-party risk management deficiencies, emphasizing compliance with corporate governance practices, consumer protection rules, the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations in fintech partnerships, including recordkeeping banks are failing to meet due to how the relationships and integrations with their fintech partners are structured.
The regulatory landscape has sent shockwaves throughout the Banking as a Service (BaaS) and Fintech sectors, where banks fear penalties and fintechs are concerned about reputational damage and BaaS providers (Banks and non-banks) must engage in damage control. To navigate this complex terrain, BaaS providers can learn valuable lessons from Money Service Businesses (MSBs) in managing their relationships with authorized agents (storefronts where money transmission activities originate), especially in sponsorship arrangements.
Drawing from extensive experience with BaaS providers that have successfully navigated these challenges, here are some key tips to ensure robust Third-Party Relationship management:
Choose Licensed Partners: Opt for fintech and BaaS partners that hold MSB licenses. Licensed MSBs undergo rigorous regulatory scrutiny, which lowers the risk for banks. Each jurisdiction where an MSB is licensed serves as a regulator, in addition to federal oversight from bodies like the Consumer Financial Protection Bureau (CFPB).
Detailed Agreements: Establish clear and comprehensive Master Service Agreements (MSAs) delineating each party's responsibilities for BSA/AML compliance. Generic language isn't enough; specify compliance obligations in detail and ensure all parties approve and sign the agreement.
Inclusion in Audits: Incorporate fintech and BaaS partners into the bank's external BSA/AML audit. This enables better understanding and evaluation of partners' risk profiles.
Training: Provide BSA/AML training and any other relevant compliance training to key personnel at fintech/BaaS partners. Education is essential for ensuring alignment with regulatory requirements.
Ongoing Monitoring: Continuously monitor fintech/BaaS partners for certifications (SOC, PCI, Etc.), transaction activities (direct visibility or through compliance reports), consumer protection adherence (verification of websites/Apps and marketing material), financial stability, and other relevant factors. Regular assessments help identify and address potential risks proactively.
Recordkeeping: Ensure your IT and back office systems provide your compliance team with the ability to obtain records tied to your fintech partnership programs in real-time.
Governance: (1) Create a board committee that's engaged in the fintech partnering decision making process and who's sole charter / purpose is to monitor the bank's fintech partnership programs. (2) Conduct early enough periodic internal audits of the bank's policies and procedures as it relates to the Fintech partnership activities to help detect internal control breakdown prior to regulatory examinations taking place.
By implementing these strategies, banks can enhance the management of their third-party relationships and navigate the evolving regulatory landscape with confidence and compliance. In an environment where regulatory scrutiny is intensifying, proactive measures are key to maintaining trust and stability in fintech partnerships.
Comments