I just attended a payments training session on partnering with fintechs. Most banking and payments technology comes from service providers, which can be fintechs or larger financial institutions. This question came up: "Where can I find guidelines on how to work with service providers?" Being from the Fed, I mentioned the June 2023 Interagency Guidance on Third-Party Relationships: Risk Management. My classmate was appreciative since he was not aware of this new guidance, despite being an executive at his bank. Supervision notices usually go to key regulatory contacts, so he did not get the memo. Throughout the training sessions, various teachers mentioned the guidance, a sign of its relevance to payment topics.

Why third-party relationships?
Financial institutions have many business arrangements, and, in this digital age, they need to stay innovative to survive. However, they cannot do it alone. They may rely on third parties to provide technology and resources. Other third-party services include those carried out by payment processors, consultants, or referral partners that send new customers. While third parties bring benefits such as increasing accessibility to new markets and products, they can introduce risks related to operations, compliance, and information security.

Why interagency guidance?
Supervisory guidance does not mean new requirements but generally clarifies existing rules. Stakeholders from financial institutions and their providers often say that requirements are not consistent across agencies. We are now seeing more guidance issued jointly by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency to address the inconsistencies.

Why is information sharing vital?
Remember my classmate who didn't get the memo? It is important to train each business line on risk management principles since risk is present throughout every institution. For example, complying with regulations and maintaining the confidentiality of data is crucial for everyone from frontline workers to executives. Service providers would also benefit from being aware of these guidelines, since financial institutions are required to perform due diligence on their providers. If providers do not share information during due diligence or fail to meet risk management standards, they could lose their financial institution customers.

What's new?
According to a memo from Federal Reserve Board staff, the third-party guidance addresses these areas:

  • Tailoring risk management practices

    Financial institutions can decide which providers are most critical so they can design their risk management process accordingly.

  • Incorporating clarifying examples

    As the "Right to Audit" section mentions, financial institutions can request audit items from third parties, such as a System and Organization Controls report or a Payment Card Industry compliance report.

  • Supporting community banks

    Smaller financial institutions will have access to additional resources from the agencies.

  • Including fintech partnerships

    Financial institutions should treat fintechs as third parties in their risk management assessment.

What is ahead?
To support the growing number of fintech relationships, the Fed announced the Novel Activities Supervision Program, which will focus on crypto-assets, distributed ledger technology, and technology-driven partnerships with nonbanks that deliver financial services directly to customers. This new supervisory program will also follow a risk-based approach.

Let me know what other risk-management topics you would like to read about.