On January 30, a Tennessee-based community bank entered into a consent order with the Federal Deposit Insurance Corp. following the agency’s allegations that the bank engaged in unsafe or unsound banking practices relating to its third-party risk management with its fintech partners. While the order does not list the FDIC’s concerns with the bank’s third-party partnerships, it requires the bank to come up with a plan within 60 days to end its relationship with its “significant third-party fintech partners.” In addition, the bank must implement a program to evaluate and manage the risks associated with the fintechs it works with directly and the fintechs with which its direct partners work.

The consent order mandates a comprehensive set of actions and corrective measures aimed at addressing various aspects of the bank’s operations, management, and regulatory compliance. Some of the key actions demanded include:

  • Enhanced Internal Audit Functions. Develop and implement a plan to bolster audit functions, focusing on high-risk areas (“on boarding deposits obtained through third parties, processing payments obtained through third parties, and sweeping deposits”) with independent audit reporting.
  • Restricted Growth. The bank needs the FDIC’s approval for any growth of more than 10% in total assets or liabilities during any calendar quarter, or for expanding or adding business lines that would result in annual 10% growth in total assets or liabilities.
  • Manage Third-Party FinTech Risks.
    • Conduct Risk Assessments and Formalize the Onboarding Process. Evaluate risks from direct and indirect fintech partners, ensuring due diligence, compliance oversight, and effective internal controls, and mandate external assessments of the bank’s fintech relationships. Moreover, the bank should establish a process for vetting new fintech partners.
    • Develop Contingency Plans. Create strategies for terminating significant fintech partnerships, ensuring orderly processes.

Putting It Into Practice: The consent order highlights once again (we blogged about a similar consent order here) the intensified scrutiny by federal regulators on fintech partnerships, emphasizing the need for banks to comply with interagency guidance on third-party relationships. Notably, this reflects a broader regulatory focus on ensuring that banks effectively manage third-party risks, especially within fintech collaborations. Banks are advised to reevaluate their fintech partnerships, assess their current risk management programs against the final guidance, identify necessary enhancements, and develop plans to enhance control effectiveness, thereby aligning with regulatory expectations and strengthening compliance frameworks.