On July 13, 2021, the federal banking regulators issued a joint agency request for comment on proposed guidance on managing risks associated with third-party relationships, frequently called Vendor Management or Third-Party Risk Management in a bank. A close read of the guidance, which begins on page 17 of this document https://www.fdic.gov/news/press-releases/2021/pr21061a.pdf, shows the agencies are keenly aware of arrangements where banks provide financial services via financial technology companies (Fintechs).
There are times when additional guidance is good news for financial institutions, including Fintechs, and this proposed guidance is an example of that. This guidance should have a positive effect in the industry in that it provides banks with a roadmap for working with Fintechs, and it provides Fintechs with insight into what banks will be requiring.
This new issuance is only proposed guidance; it is not final guidance. Further, it is not a final rule, so it does not carry the weight of law. Even when final, it will have advisory effect. But, like other pieces of advice from federal agencies, banks and Fintechs ignore it at their peril.
Guidance For Banks:
The guidance provides banks with a wonderfully prescribed roadmap for how to design their Vendor and Third-Party Risk Management policies, standards, and procedures, and this detail is very helpful. Section II of the guidance provides a quick overview, but for the most part the guidance turns granular after that. In the overview section, banks are reminded of the Vendor and Third-Party Risk Management lifecycle, which involves: 1) Strategy; 2) Selection Due Diligence; 3) Contracts; 4) Governance; 5) Monitoring; 6) Contingencies. In other words, if one is a new Vendor Management Risk Manager setting out to craft the Vendor and Third-Party Risk Management program from scratch, the work is practically half done. The guidance also removes any doubt that a bank’s Fintech relationships fall under this guidance. It is also good news for bank auditors in that their audit work programs can mirror this guidance.
Guidance For Fintechs:
Most important, the guidance is a positive development for Fintechs in that it should help a Fintech understand exactly why their bank is reaching out so often with due diligence and monitoring information requests. Fintechs should expect these information requests from their banks to increase in number, scope, and frequency. This guidance should also help Fintechs understand how to interact with their vendors and subcontractors. When contemplating a Fintech’s vendors, the Fintech should approach their vendors as if the Fintech itself must follow the guidance. Why? Because the Fintech’s bank will require it.
How should Fintechs respond? Fintechs should respond with preparation and with planning with respect to their banking relationships.
Preparation: Fintechs should use this guidance as a roadmap to assemble their bank documentation dossier, and they should do this while they are still in the “concept” stage of their development. None of the elements in the guidance is difficult when the supporting documentation is assembled by the Fintech in real time. In this manner, the burden on the Fintech is spread out. But when Fintechs go through the early start-up stage, approach a bank, and receive the due diligence requests from the bank, the resultant burden on the Fintech may be staggering if the Fintech must start from scratch to create everything, causing delays. To summarize, just as banks can use the guidance to craft their Vendor and Third-Party Risk Management programs, Fintechs can use the guidance to create their “Due Diligence Package.”
The only caveat to all this good news for Fintechs is that creating this Due Diligence Package requires a deep knowledge of the subject matter, and the subject matter differs depending on what type of Fintech is involved. Depending on the knowledge base, subject-matter-expertise, and availability of the Fintech’s founders, they might not be able to create this Due Diligence Package for their bank themselves. Fintech founders might have to seek out assistance from subject matter experts. This takes time and it takes money.
The Heads-Up in this article is not to simply inform Fintechs of what is coming, but to encourage them to add extra time into the project plan for their launch – extra time to create their Due Diligence Package and extra time for their bank to work through their processes and procedures as well. A Fintech may expect a launch in 3 months, only to learn after speaking to six different banks that the banks’ backlog for conducting due diligence on prospective Fintechs is 9 months. That can derail a project plan fairly quickly.
Planning: Fintechs should start their search for a bank, and start to establish bank relationships, at the crack of dawn. Sunrise is too late. Success for Fintechs comes from getting the banking partnership started extremely early in the process and starting to work through the requirements of this guidance. As Fintechs approach banks, they should ask for the bank’s Due Diligence requirements. Ideally, there should not be much difference in the Due Diligence request list from bank to bank. At least, this appears to be what the joint agencies are hoping for! Use the bank’s Due Diligence requirements as a training springboard for Fintech staff to start thinking about the discipline of vendor management.
Regarding the Fintech’s vendor and third-party relationships, the Fintech needs to ensure that their Risk or Compliance staff has the necessary background to craft the Fintech’s Vendor Management and Third-Party Risk Management program. As mentioned above, the guidance itself takes them half-way there.
The agencies are requesting comment on the new guidance, and information on that is included in the document linked above. There are facts to note in case you are not familiar with the process or the regulators’ habits. First, if you have questions or, especially, if you oppose something in the guidance, submit a comment. The regulators are obliged to consider them all. Second, don’t expect this proposed guidance to turn into a final statement anytime soon. The comments are due 60 days after publication in the Federal Register. The regulators will take time to consider all comments and to reach agreement among themselves on its content. Especially when acting as a group, they are not known for making speedy decisions. Finally, expect change. There may not be much in this instance, but the comments will show a need to change something. There is surely something that should be changed in this 91-page document.