Increased risk exposure from third-party providers, particularly fintechs, poses threats to the entire financial system, and banking regulatory agencies should have the ability to oversee them.
FSOC: Supervision Key to Reducing Third-Party Cyber Risk
In its 2018 annual report, FSOC urged Congress to pass legislation that would empower federal banking agencies, including the NCUA, to “have adequate examination and enforcement powers to oversee third-party service providers.” It also encouraged the agencies to continue efforts to increase information sharing amongst themselves and state and federal regulators.
FSOC believes the authority to supervise third-party service providers’ IT security is essential to address cybersecurity risks facing the financial system. It also noted that the rapid adoption of fintech innovations could pose operational risks, particularly when it comes to market concentration. If one key provider should fail, it could disrupt a significant number of financial institutions or markets.
GAO: Guidance on Alternate Data Use in Lending Needed
The GAO took a similar view of partnerships with fintechs that use alternative data, including items like rent payment history, educational institution and degree, and email address, when making lending decisions. While this data could potentially make loans available to more people, it may also unintentionally cause discrimination or violate other fair lending laws.
While the CFPB has collected data on alternative data use in underwriting, it hasn’t provided any guidance to fintechs or banks on best practices. The GAO encouraged the CFPB to communicate with lenders on how to properly use alternative data to remove uncertainty and promote further innovation. It also recommended that the Federal Reserve, FDIC, and OCC “communicate in writing to banks that engage in third-party relationships with fintech lenders on the appropriate use of alternative data in the underwriting process, including issues to consider when selecting types of alternative data to use.”
CUs Left Out
Neither of these calls to action is original. FSOC has made the same recommendation before, particularly when it comes to the NCUA, the only banking agency that lacks the authority to oversee third parties, the Credit Union Times noted.
“Lack of authority over third-party servicers does limit the extent to which the NCUA can evaluate and supervise the risks to credit unions posed by fintech companies,” NCUA Executive Director Mark Treichel told the publication.
Do We Want Regulators Supervising Fintech Firms?
How much good would increased regulatory supervision of fintechs and other third parties do for banks and credit unions?
It’s a mixed bag. On the one hand, if regulators oversaw critical third-party vendors, it would make it easier to share information about a systemically important part of the financial system. With so many institutions relying on the same vendors for essential functions, a struggling vendor has the potential to impact many banks and credit unions.
These vendors, particularly fintech firms, might also help modernize regulation as they are not necessarily used to operating in a highly regulated environment and would add to the volume of voices calling for reform. It could also lighten a bank’s regulatory load, potentially reducing required due diligence and monitoring of third-party vendors.
However, as I’ve warned in the past, there is a fine line between protecting the financial system and regulators supervising third-party vendors and fintechs.
The more agencies take responsibility for overseeing fintech companies, the more a fintech company begins to look like a bank or a credit union. If agencies begin to regulate third-party partners, what’s to stop them from offering their products and services directly to consumers and small businesses—cutting banks and credit unions out of the loop?
Banks and credit unions have already lost market share to fintechs. More than a third of all personal loans are owned by fintech firms, according to The Wall Street Journal.
Perhaps it’s good news that fintech firms aren’t particularly interested in being regulated. Last summer the OCC’s Office of Innovation began accepting applications “for special purpose national bank charters from financial technology (fintech) companies that are engaged in the business of banking but do not take deposits.” Fintech companies that are granted this charter would face supervision similar to banks including:
- Safety and soundness
- An acceptable contingency plan to address significant financial stress and outline strategies for restoring the bank’s financial strength and options for selling, merging, or liquidating the bank in the event the recovery strategies are not effective.
- Initial heightened separation like a de novo
- Commitment to financial inclusion, similar to the Community Reinvestment Act
Not a single company has applied yet.
I’m not sure I blame them. Why would a fintech want to be regulated like a bank when right now they seem free to operate on a different playing field with less operational overhead and fewer regulatory requirements?
Meanwhile, financial institutions engage in considerable vendor due diligence, carefully monitoring third-party vendors and collecting a long list of documentation including Statement on Standards for Attestation Engagements 18 (SSAE 18s), disaster recovery plans and tests, incident response plans and tests, financials, summary findings, and evaluations. They work to ensure vendors are meeting specific, measurable performance standards. Through the examination of banks and credit unions, regulators are essentially examining these third-party companies.
How will this story end? It’s far too early to tell. What I can say is that regulating third parties is a careful balancing act.