Banking as a Service Compliance Trends 2023: Third - Party Risk Management

March 9, 2023

Due diligence . . . it’s not just the initial checklist exercise,

It's lifetime of relationship oversight. 

When you decide to buy a car, do you walk into a dealership and buy the first thing you see, with no test drive or CarFax report?  Or perhaps, when you buy a house, do you buy it based on the realtor’s photos and description alone, or would you visit the property, ask some searching questions about the damp stain in the corner, and maybe pull the flood cert. and appraisal?  

Similarly, when you wish to engage an embedded  or business critical vendor, you shouldn’t approve the business relationship based solely upon surface level information. Diving beneath the superficial layer of handshakes and review of information searchable via the vendor’s website is a critical step in ensuring your organization is not blind sided by spillover consequences birthed from unchecked third-party risk.

In our inaugural 2023 BaaS Compliance trends article, we took a look at Marketing Compliance pitfalls and best practices, and as promised, in our second installment of this series we will cover Third-Party Risk Management (“TPRM”). In today’s digital world, financial services organizations are similar to matryoshka dolls -- numerous vendors roll up into fintechs, numerous fintechs then roll up into banks and banks are charged with presenting safety and soundness of this elaborate structure to their regulators. With the many layers (nesting dolls),and some spectacular interconnected failures in 2022,  it becomes evident why this topic is of high importance in 2023. 

So without further ado, let’s get into TPRM. 

The Foundation

In one way or another, all fintechs are obligated to have a robust TPRM program in place. Either fiduciary responsibilities (to shareholders or investors), statutory and/or regulatory obligations, or contractual mandates (to strategic partners) require sound due diligence to be performed. The fintech should be aware of risks introduced by all third-party relationships and should have mitigating controls in place should the worst case scenario occur.

As of late, the concept of due diligence within the financial services sector is becoming both newsworthy and contentious.  Whether it is financial veteran JP Morgan Chase putting up millions for a fintech where the latter’s customers were allegedly over-inflated by a factor of 10 1, blue chip investors and funds putting boatloads of money into the now fallen crypto exchange FTX2, or the catastrophic impact 3AC had on Blockfi, Voyager, and Celsius.  We can take away some learnings; risk management does not equate to total risk avoidance; but risk exposure should not equate to complete ruin. 

Now add in the layer in which BaaS banks are not simply interacting with fintechs as separate third-parties; but from the regulator’s perspective the fintech’s failures of maintaining their compliance risk (e.g. AML program or Marketing compliance failures) is charged against the bank, as the bank's failure to maintain compliance risk. 

The Spirit of TPRM

The spirit of TPRM can be likened to airport security; the goal is to act as a mechanism that provides continuous assurance of safe collaboration.  TSA checkpoints are basically the pre-contract due diligence procedures of your TPRM Program; both  should screen out the majority of critical threats before the collaborator is permitted to enter the risk controlled environment. If a threat makes it beyond the initial screening point, the police dogs, sheriff agents, and Marshalls (i.e. third-party monitoring program) should capture and extinguish  post-contractual risks before it is permitted to spread further. Lastly customs, is similar to TPRM vendor termination procedures; before the third-party leaves your realm of oversight you want to ensure they have not maintained items they should not have, (e.g. retrieval of IP, or consumer date).  

TPRM, generally speaking, should begin with a foundational policy document that outlines vendor risk management, as well as dedicated resources that will support the growth, development, and management of the program. Each third-party relationship should be evaluated based upon proximity risk and impact risk: essentially, will a failure of a key risk area within the third-party impact the fintech and, if there is a failure, how significant would the impact be. Third-parties that would have a significant impact to the fintech’s risk profile are those that would require enhanced due diligence.

For example, a provider of company swag or in-office coffee/tea products would be regarded as low risk, since the impact of failure by the vendor to ongoing business by the fintech would be low, and these services are not critical to the fintech conducting its core business. Conversely, a business partner providing trading services, transaction monitoring, liquidity, payment rails, or handling  customer PII (personal identifiable information) would be classified as critical, both in terms of proximity and impact risk.

Relationship elements that increase risk are things such as, (i) will the third-party have direct access to customers; (ii) will the third-party have access to customer PII; (iii) could reputational damage to the third-party reflect poorly on the fintech; (iv) if the third-party ceases operations, will this significantly impact operations, (v) to what extent, systems between vendor and vendee integrated third-party?

Regulatory Movement

Historically TPRM primarily focused on risk that had direct immediate customer impact (e.g., customer treatment or protection of data); this often meant third-parties that did not interact with the customer were excluded from scope of any robust diligence. But now regulators are subtly sounding the alarm in joint statements, in essence their perspective is that the interdependencies that exist in the BaaS ecosystem require an expansion of existing practices to address these huge iceberg risks capable of sinking the proverbial ship. 

Over the past year  a number of BaaS banks have received regulatory reprimands, orders or actions to improve the oversight of their BaaS programs, including the area of third-party risk management (TPRM)4.

It’s clear from our vantage point the scope of TPRM must extend to safeguard beyond operational risk to include equally important risks such as business continuity risk and reputational risk. Proactive movement is always encouraged but if we had to call it, we would say by Q4 2024 forced improvements will be placed on banks and in turn waterfall down to fintechs and the business critical vendors that serve the fintechs. 

Final Thoughts

Due diligence is a prime responsibility of all financial intermediaries, not just from a regulatory standpoint, but to better understand your own business and ensure all of your team's hard work isn’t washed away by spillover damage from a third-party relationship.

As always, if you need support in managing your compliance obligations, we are always here to help!

Visit AskDegree for the latest risk management and compliance trends impacting the digital world.