10.12.2021

Federal: Comment Letter to Banking Regulators on the Proposed Interagency Guidance on Third-Party Relationships

October 8, 2021

Via Electronic Mail

Ann E. Misback  
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue NW
Washington, DC 20551  
Docket No. OP–1752

James P. Sheesley
Assistant Executive Secretary
Attention: Comments-RIN 3064–ZA26,
Legal ESS
Federal Deposit Insurance Corporation
550 17th Street NW
Washington, DC 20429

Chief Counsel’s Office
Attention: Comment Processing
Office of the Comptroller of the Currency
400 7th Street SW
Suite 3E-218
Washington, DC 20219
Docket ID OCC-2021-0011

Re: American Fintech Council Comment on “Proposed Interagency Guidance on Third-Party Relationships: Risk Management”

To Whom it May Concern:

The American Fintech Council (AFC) submits this comment letter in response to the request for comment by the Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC and, together with the Federal Reserve and FDIC, the Agencies) on proposed guidance on managing the risks associated with third-party relationships (Proposed Guidance). AFC believes that well-regulated, responsible partnerships between financial institutions and technology companies are critically important for the financial health of consumers and the banking system as a whole. The innovative offerings that are created and facilitated by these responsible partnerships help to expand access for communities that have been traditionally underserved, creating a more inclusive and resilient financial system. The Proposed Guidance presents an important opportunity for the Agencies to promote these responsible partnerships while simultaneously discouraging predatory practices and offerings that are detrimental to hardworking families’ financial well-being and the stability of the financial system. AFC respectfully submits the following comments and welcomes the opportunity to assist the Agencies in achieving this goal.

AFC supports the Proposed Guidance, which would allow community banks and small banks greater flexibility to implement mutually beneficial arrangements with third parties. AFC believes that two modifications to the Proposed Guidance would further support responsible innovation in the banking industry. First, the Proposed Guidance should not unduly interfere with the ability of community banks and other small banks to establish appropriate and beneficial arrangements with third parties. And second, the Proposed Guidance should use this opportunity to promote responsible bank-fintech lending partnerships that meet the needs of consumers. We explain these recommendations more fully in the discussion that follows.

1. The Proposed Guidance should not unduly interfere with the ability of community banks and other small banks to establish appropriate and beneficial arrangements with third parties.

The Proposed Guidance would offer a framework for banking organizations to consider in developing third party-risk management practices, taking into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. The Proposed Guidance also would expressly adopt a tailored approach with respect to smaller and less complex banking organizations. In response to concerns by smaller and less complex banking organizations that they are expected to institute third-party risk management practices more appropriate for larger and more complex banking organizations, the Proposed Guidance would state that banking organizations should adopt risk management practices commensurate with (i) the level of risk and complexity of their third-party relationships and (ii) the risk and complexity of the banking organization’s operations.

Additionally, rather than mandating specific features of a third-party risk management program, the Proposed Guidance would describe “principles” for banking organizations to consider when scaling the nature of their risk management activities. For example, the Proposed Guidance would not employ the word “should” and instead would outline practices that banking organizations “typically” conduct. This approach would align with the Agencies’ recently released guidance for community banks on conducting due diligence on financial technology companies, which lists a series of considerations that community banks “may” take into account, as appropriate to the circumstances.

AFC appreciates the Agencies’ proposed adoption of this principles-based approach, which would increase the flexibility for community banks and small banks to pursue mutually beneficially partnerships with third parties. In our experience, these institutions are often unable to access the benefits of these partnerships, due to, among other things, uncertainties over their regulatory and supervisory compliance obligations. It is often these institutions, however, that benefit more from these third-party partnerships than larger banking organizations. Partnerships with technology firms provide an additional avenue for many smaller banking organizations to overcome barriers that may stand in the way of a successful digital transformation of their products and services.

These partnerships can make community banks more competitive with their larger, national counterparts, which have the resources to either acquire or independently build their own technology solutions. AFC’s membership has a proven track record of facilitating modern, innovative products, especially in online lending, which can provide essential financial services to consumers who have otherwise been all but left behind by legacy financial institutions. Empowering smaller banking organizations to form these partnerships in a safe and responsible manner is critical to ensuring competition throughout the market, which creates lower prices and a variety of superior options for consumers. Sound, unambiguous third-party risk management guidance will help to propel and foster responsible innovation while creating a level playing field across the ecosystem. In many cases, the ability for these institutions – many of which previously have played a critical role in delivering affordable credit to low- and moderate-income communities – to continue to drive the industry forward and create innovative solutions depends on their ability to partner effectively with third parties. It is clear that supporting responsible partnerships through sound guidance will continue to lead to tremendous growth and benefits for consumers and the financial system as a whole.

Accordingly, the Proposed Guidance should not unduly interfere with the formation of mutually beneficial third-party partnerships. The Proposed Guidance should be modified in the following ways to reflect commercial realities, lessen compliance burden, and clarify supervisory expectations:

  • Benefits of third-party partnerships. While the Proposed Guidance would acknowledge that banking organizations engage with third parties for a range of purposes, including to offer competitive and innovative products that otherwise would be difficult, cost-prohibitive, or time-consuming to develop in-house, or to enhance their operational and compliance infrastructure, the Proposed Guidance should acknowledge that these purposes may be particularly essential or beneficial to the competitiveness of community banks and other small banking organizations. The Proposed Guidance also should acknowledge that, if managed appropriately, third-party partnerships can enhance safety and soundness, promote financial inclusion, and lead to the development of innovative products and services, among other benefits. By acknowledging these benefits, the Proposed Guidance would align with the Fintech Diligence Guidance, which states that, “[b]y providing access to new or innovative technologies, companies specializing in financial technologies (or “fintech”) can provide community banks with many benefits, such as enhanced products and services, increased efficiency, and reduced costs, all bolstering competitiveness.” In addition, these changes would align the Proposed Guidance with the Comptroller’s Handbook on Model Risk Management, which notes that banking organizations may gain operational efficiencies and improve their competitive edge through third-party relationships.
  • FAQs on fintech partnerships. The Proposed Guidance would include the OCC’s 2020 FAQs as an exhibit and requests comment on the extent to which the concepts included in these FAQs should be incorporated into the final version of the guidance. Certain of these FAQs address partnerships between banking organizations and fintechs, including FAQs 10 and 16, which, respectively, state that an arrangement with a fintech company is not necessarily considered a “critical activity” and that a banking organization may engage with a start-up fintech company with limited financial information, provided it takes into account certain considerations and approaches. The concepts underlying these FAQs should be incorporated into the Proposed Guidance, because they provide useful considerations for establishing responsible partnerships with fintechs. When incorporating these and similar concepts into the final guidance, the Agencies should affirm, consistent with the Proposed Guidance generally and the Fintech Diligence Guidance, that banking organizations have the flexibility to establish these partnerships based on the size and complexity of the banking organization and the third party, the risk appetite of the banking organization, the benefits and risks of the activities to be conducted by the fintech, and related considerations. The Proposed Guidance should also expressly note that, even where risks presented by a fintech partnership cannot be entirely mitigated, banking organizations have the flexibility to accept the risk if the banking organization determines that the risk is within its risk tolerance and can be appropriately monitored on an ongoing basis.
  • Life cycle generally. The Proposed Guidance would outline a broad range of considerations that banking organizations “typically” consider throughout the third-party risk management life cycle. While the Proposed Guidance would state that these activities should be conducted in a risk-based manner, the Proposed Guidance should clarify that these considerations are not intended to be operationalized by examiners or banking organizations as a “checklist,” but rather should be understood as illustrative practices that may be appropriate under certain circumstances.
  • Subcontractor due diligence. The Proposed Guidance would state that banking organizations typically conduct due diligence on the third party’s critical subcontractors under certain circumstances, such as when the third party outsources significant activities. The Agencies should revise this aspect of the Proposed Guidance in two important respects.

    - First, the Proposed Guidance should clarify the terms “critical subcontractor” and “significant activities” as conducted by subcontractors. The Proposed Guidance should state that a critical subcontractor is one that conducts “critical activities,” as defined in the Proposed Guidance, on behalf of a third party. The Proposed Guidance also should state that significant activities are those that correspond to the definition of “significant bank function,” as defined in the Proposed Guidance, except as performed by a subcontractor on behalf of a third party. Clarifying these definitions would enable banking organizations to more effectively manage to and meet supervisory expectations, as these key definitions would inform whether supervisors will expect banking organizations to conduct heightened due diligence of a given subcontractor.
    - Second, the Proposed Guidance should expressly acknowledge that, while a subcontractor itself may be designated as a “critical subcontractor,” not all of the activities the subcontractor conducts on behalf of the third party are necessarily critical to the third party and therefore may not warrant heightened due diligence by the banking organization. A critical subcontractor may perform both critical activities and non-critical activities, and banking organizations should have the flexibility to tailor and target their due diligence in a risk-based manner, consistent with the risk-based approach articulated in the Proposed Guidance generally. This approach also would align more closely with the Fintech Diligence Guidance, which emphasizes that the purpose of conducting diligence on the third party’s monitoring of its subcontractors is to provide insight into the operational resilience of the third party.
  • Affiliates and subsidiaries. The Proposed Guidance would include affiliates and subsidiaries of the banking organization as examples of third-party relationships to which the Proposed Guidance applies. Accordingly, banking organizations would be expected to subject their arrangements with affiliates and subsidiaries to the full third-party risk management life cycle, from planning to termination. However, third-party relationships with affiliates and subsidiaries may present different types of risk than relationships with unaffiliated entities; for example, as the OCC Model Risk Handbook acknowledges, “[v]endor products should nevertheless be incorporated into a bank’s broader model risk management framework following the same principles as applied to in-house models, although the process may be somewhat modified” (emphasis added). Moreover, as the Proposed Guidance would recognize, relationships with affiliates are subject to the affiliate transactions restrictions of sections 23A and 23B of the Federal Reserve Act, as implemented in Regulation W. Given that the Proposed Guidance would set forth a risk-based approach to third party risk management, it should acknowledge that affiliates and subsidiaries may present different types of risks than relationships with unaffiliated entities, and therefore it may not be appropriate for banking organizations to subject affiliates and subsidiaries to the full third-party risk management life cycle in all instances.

2. The Agencies should use this opportunity to promote responsible bank-fintech lending partnerships that better meet the needs of consumers.

As described above, responsible bank-fintech partnerships promote the availability of affordable credit, especially for traditionally underserved borrowers, and improve the competitiveness of banking organizations, thereby enhancing their safety and soundness. Consumers are the main beneficiaries of these partnerships, because they benefit from, among other things, lower prices through competition, access to products and services designed to meet their needs, and an elevated customer experience.

Well-regulated partnerships between financial institutions and technology companies are critically important to delivering these benefits to banking organizations and consumers.

The Proposed Guidance, however, would not directly address responsible lending partnerships between banking organizations and fintech firms. Establishing unambiguous standards and identifying key aspects of healthy, responsible partnerships would assist in protecting consumers from predatory schemes and eliminating from the industry practices that are detrimental to consumers’ financial health. Moreover, such standards would allow supervisory staff to encourage and promote responsible lending partnerships that benefit consumers. In the interest of establishing these uniform supervisory expectations, the Proposed Guidance should describe the unique risk management considerations applicable to third-party lending partnerships.

For example, the Proposed Guidance could leverage aspects of the FDIC’s proposed guidance on third-party lending, which would, subject to certain refinements, set forth clear expectations around lending facilitated by bank partnerships. This framework would also clarify supervisory expectations, thereby enabling supervisory staff to promote responsible bank lending partnerships and supervised institutions to better manage to and meet supervisory expectations. This framework could be strengthened to effectively eliminate predatory lenders from the banking system while ensuring that responsible partnerships can continue to help facilitate access to high-quality, low-cost credit.

We recommend that the Agencies incorporate the following considerations into the Proposed Guidance:

  • The Proposed Guidance should address how the nature and quality of loan products offered in conjunction with third parties may themselves implicate the safety and soundness of banking organizations. Lending products with annual percentage rates (APRs) of greater than 36 percent (i.e., above the Military Lending Act threshold) can result in expensive “debt-trap” cycles of re-borrowing for consumers and may pose longer-term, but nevertheless material, risks to banking organizations, including risks of reputational harm and customer attrition. Such longer-term risks are important considerations within a risk-based third-party risk management framework and therefore should be discussed in the Proposed Guidance. By clarifying the distinction between responsible and irresponsible use of the “issuing bank model” of third-party lending arrangements, this guidance document would encourage responsible bank-fintech lending partnerships.
  • An additional attribute of responsible third-party relationships relative to those that are high-risk and high cost to consumers is the degree to which banking organizations in the relationship retain portions of the loans they have originated (i.e., a version of “skin in the game”). We therefore suggest that the Proposed Guidance state that, in responsible partnerships, the banking organization generally retains some portion, based on the discretion of the originating bank and consistent with its overall financial and business strategy, of the loans it originates. The guidance document should then describe ways in which the banking organization may maintain ongoing involvement throughout the life cycle of the loan. Examples may include that the banking organization should neither expect nor receive super-indemnification for loan performance or that, in a forward-flow relationship with known providers, neither the purchase nor the sale of loans should be mandated or guaranteed.
  • The Proposed Guidance should provide greater clarity on appropriate lending standards for bank-fintech partnerships. These responsible lending standards should address, among other things, origination, funding, compliance, continuous oversight, and risk management. And while the Agencies do not have the statutory authority to set interest rate caps on personal consumer loans, this guidance nonetheless should state that personal consumer loans with certain features are more likely to constitute unsafe or unsound practices that perpetuate cycles of debt, because these features may impair a borrower’s ability to repay and therefore increase the likelihood of borrower default (in turn affecting the safety and soundness of the banking organization). Banking organizations that originate these types of loans, through partnerships or otherwise, should become subject to additional supervisory scrutiny, particularly from a consumer protection and safety and soundness perspective. On that basis, the Proposed Guidance should identify specific features that will trigger examiners’ scrutiny of a particular lending program to determine whether the program raises these safety and soundness and consumer protection concerns. Specifically, the Proposed Guidance should identify that the following loan program characteristics, depending on the particular facts and circumstances, may trigger close examiner review of the program:

    - High interest rates, which could be defined as rates above those set forth in the Military Lending Act. The guidance should be careful, however, not to indirectly impose a rate cap.
    - Loan fees that essentially replicate a high APR. The Military Lending Act provides an example of an approach to limiting these fees.
    - Programs that involve frequent renewals or refinancing, especially where the renewal or refinancing includes additional fees, amortization clauses, or other non-transparent terms.
    - Reliance on practices that insulate the banking organization from the consequences of potentially unsafe and unsound underwriting standards (e.g., unrestricted sale guarantees).
  • This responsible lending guidance, including these features, should then be incorporated into the FFIEC Information Technology Handbook. Banking organizations would benefit from standardized guidance and examination modules across their federal and state regulatory agencies. Uniform supervisory practices that encourage responsible lending partnerships would greatly benefit consumers, banking organizations, and the financial system.

* * * * *

If you have any questions, please contact the undersigned at Yana@fintechcouncil.org.

Sincerely,

Yana L. Miles
General Counsel and Senior Vice President, Head of Regulatory Affairs
American Fintech Council

About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.