
Regulators Offer Up More TPRM Insights: What You Need to Know

Aug 2, 2024

Do you ever find yourself wondering: What are examiners looking for in my third-party risk management (TPRM) program? 

It’s a question the regulatory agencies have been expanding on over the past year – first with the Interagency Guidance on Third-Party Relationships: Risk Management in June 2023, which outlined updated regulatory requirements, and then with Third-Party Risk Management: A Guide for Community Banks in May 2024, which provided more detail in the form of examples and questions for institutions to ask.

Now a new interagency statement on banks’ arrangements with third parties to deliver bank deposit products and services, issued by the FDIC, OCC, and Fed (Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services), offers even more detail on the specific risks of certain types of third-party arrangements and examples of how to manage those risks.

While the statement doesn’t introduce new regulatory requirements, it does offer insights into what examiners will be looking for. 

1. BaaS relationships related to deposit products. The statement specifically calls out banking-as-a-service (BaaS) and embedded finance relationships, particularly those involving deposit products like checking and savings accounts. The regulators are particularly concerned about the risks of working with middleware providers: aggregators that serve as a conduit between a financial institution and a fintech provider.

The regulators see significant operational risks in these relationships and expect heightened risk management when assessing and moving forward with these third-party relationships.

If the Synapse bankruptcy didn’t make you look more carefully at BaaS relationships (and your institution is involved in or is considering entering a BaaS relationship), consider this your notice to move with caution.

2. Detailed risk considerations. Relying on third parties for significant operational functions, such as BaaS arrangements, increases complexity and risk. Questions to think about when assessing the risk of these relationships include:

  • Do we have controls to ensure the integrity of our deposit function? 
  • Do we have access to the deposit and transaction system of record? 
  • Will we understand our deposit obligations at all times across all partners? 
  • How will we monitor and ensure third-party compliance, including BSA/AML, Reg E’s payment dispute investigation and resolution requirements, and Reg DD disclosures?
  • What about the veracity of claims about deposit insurance coverage? 
  • What visibility do we have into vendor complaint management and error resolution processes? 
  • When contracting with a middleware provider instead of directly with a fintech provider, how effective is the middleware provider’s third-party risk management? Is it as strong as our institution’s program? If not, how will we identify, assess, monitor, measure, and mitigate the risks of these relationships? 
  • Is this product and provider well established and experienced or new to depository products? What is the risk of working with a less-established vendor or product and what will we do to assess and mitigate the risk? 
  • What insights do we have into audit and remediation processes? 

3. Liquidity, growth, and other financial challenges. Regulators don’t only want you to prepare for things to go wrong. They also want to see that an institution is prepared to deal with the upside. If a program grows quickly, the risk management and compliance functions that oversee it need to scale and keep pace. 

This includes liquidity questions such as: 

  • How will the institution handle concentration risk if a flood of deposits distorts the balance sheet?
  • Where will that liquidity be deployed (short vs. long-term funding, etc.)? 
  • Will you have the capital to support a newly expanded balance sheet? 
  • What’s the contingency plan if depositors withdraw their funds en masse? 

4. Termination. The statement reminds institutions of the importance of the TPRM lifecycle and how it pertains to third-party arrangements for deposit products and services. This includes governance structures, risk assessments, due diligence, contracts, monitoring processes, and contingency plans.

It also highlights the importance of termination plans. What if there’s a major disruption or if the third party fails? Regulators don’t want to see you scrambling to cross that bridge when you come to it. They want to see clear plans, including contracts that spell out what will happen to accounts and data.  

5. Controls. Once you know the risks, you need controls to mitigate them. When it comes to deposit functions, that can include dual control and separation of duties, payment data verification, error processing procedures, and ongoing monitoring to assess data accuracy, reliability, and timeliness.

The Bottom Line  

Now that the agencies have released more detailed insights into how to manage the specific challenges and risks associated with third-party arrangements for bank deposit products and services, including BaaS relationships, banks have even less justification for insufficient oversight of these relationships. 

The regulators are clear: thorough due diligence, ironclad contracts, and ongoing monitoring are essential. Strong internal controls and well-crafted contingency plans can make or break a bank during turbulent times. You can outsource the function but not the responsibility.  

Don’t ignore the statement’s valuable regulatory warning. Over my 30+ year banking career, I’ve seen too many banks get caught up in the excitement of rapid growth, only to stumble when they outpace their risk management capabilities. The message is clear: manage your growth strategically. Set prudent concentration limits, shore up your liquidity, and always, always ensure you're treating your customers fairly and equitably.  
 
These aren't just regulatory checkboxes. They're the pillars of a resilient, forward-thinking institution. And now the regulators are drawing an underline under those pillars. Make sure you’re using this information to tweak your TPRM program and vendor oversight. 
