Do you ever find yourself wondering: What are examiners looking for in my third-party risk management (TPRM) program?
It’s a question the regulatory agencies have been expanding on over the past year – first with the Interagency Guidance on Third-Party Relationships: Risk Management in June 2023, which outlined updated regulatory requirements, and then with Third-Party Risk Management: A Guide for Community Banks in May 2024, which provided more detail in the form of examples and questions for institutions to ask.
Now a new interagency statement on banks’ arrangements with third parties to deliver bank deposit products and services, issued by the FDIC, OCC, and Fed (Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services), offers even more detail on the specific risks of certain types of third-party arrangements and examples of how to manage those risks.
While the statement doesn’t introduce new regulatory requirements, it does offer insights into what examiners will be looking for.
1. BaaS relationships related to deposit products. The statement specifically calls out banking-as-a-service (BaaS) and embedded finance relationships, particularly those involving deposit products like checking and savings accounts. The regulators are especially concerned about the risks of working with middleware providers (aggregators that serve as a conduit between a financial institution and a fintech provider).
3. Liquidity, growth, and other financial challenges. Regulators don’t only want you to prepare for things to go wrong. They also want to see that an institution is prepared to deal with the upside. If a program grows quickly, the risk management and compliance functions that oversee it need to scale and keep pace.
This includes liquidity questions such as:
4. Termination. The statement reminds institutions of the importance of the third-party risk management (TPRM) lifecycle and how it pertains to third-party arrangements for deposit products and services. This includes governance structures, risk assessments, due diligence, contracts, monitoring processes, and contingency plans.
It also highlights the importance of termination plans. What if there’s a major disruption or if the third party fails? Regulators don’t want to see you scrambling to cross that bridge when you come to it. They want to see clear plans, including contracts that spell out what will happen to accounts and data.
5. Controls. Once you know the risks, you need controls to mitigate that risk. When it comes to deposit functions, that can include dual control and separation of duties, payment data verification, error processing procedures, and ongoing monitoring to assess data accuracy, reliability, and timeliness.
Now that the agencies have released more detailed insights into how to manage the specific challenges and risks associated with third-party arrangements for bank deposit products and services, including BaaS relationships, banks have even less justification for insufficient oversight of these relationships.
The regulators are clear: thorough due diligence, ironclad contracts, and ongoing monitoring are essential. Strong internal controls and well-crafted contingency plans can make or break a bank during turbulent times. You can outsource the function but not the responsibility.
Don’t ignore the statement’s valuable regulatory warning. Over my 30+ year banking career, I’ve seen too many banks get caught up in the excitement of rapid growth, only to stumble when they outpace their risk management capabilities. The message is clear: manage your growth strategically. Set prudent concentration limits, shore up your liquidity, and always, always ensure you're treating your customers fairly and equitably.
These aren't just regulatory checkboxes. They're the pillars of a resilient, forward-thinking institution. And now the regulators are drawing an underline under those pillars. Make sure you’re using this information to tweak your TPRM program and vendor oversight.