Community Banks and BaaS: New Guidance on Managing Risks

On May 3rd, the joint federal regulatory agencies for banks (the agencies) released guidance for the management of third party risk in community banks. This was a follow up to the agencies’ final TPRM guidance published in June 2023*. For Risk Managers in community banks – especially those that offer BaaS (Banking as a Service) services to Fintechs, this was an important piece of guidance, mostly for the additional examples of Due Diligence and Monitoring provided that appear to be focused on BaaS relationships.

Community bank Risk Managers understand that the field of TPRM is increasing in importance due to the growth in the number of Fintechs and the number of community banks offering BaaS services to these Fintechs. These BaaS relationships in community banks go beyond typical outsourcing or vendor relationships where a bank relies on a third party for some aspect of operations. Today’s BaaS relationships involve the community bank providing access to bank infrastructure (such as payment rails), in what many have dubbed “renting out the bank charter.” 

When Risk Managers who work for community banks that offer BaaS services combine last week’s new guidance with prior guidance, and add in the dozens of comments about TPRM found in consent orders over the past six months, what message should they be gleaning about the current TPRM environment in addition to what they already know?  What should their next steps be?

The Message

The message is twofold. First, third party relationships can be beneficial to community banks. Focusing on BaaS specifically, the benefits these relationships bring to the bank include new technologies (tech stack), technological expertise, delivery channels, markets, along with resources and expertise.   Second, third party relationships expose the community bank to increasing risks. BaaS relationships in particular, if not managed properly, can result in financial loss to the bank, enforcement actions, and reputational damage in the marketplace, all of which can be evidenced in consent orders for community banks over the past six months. Even when consent orders don’t have a specific TPRM section, third parties are usually mentioned in the AML sections.

What’s a Community Bank Risk Manager to do?

1)  If a community bank is engaging in BaaS relationships, and the Risk Manager hasn’t stratified the TPRM Program to reflect the BaaS Relationship echelon, that should be the first step. Considering BaaS relationships to be just another third party could mask some risk. Recent consent orders remind us that BaaS relationships definitely come under the TPRM umbrella, and a February 2024 consent order specifically requires that “risk is effectively controlled for each of the Bank’s existing third-party fintech relationships and subpartners.”  If a regulator is calling out a bank’s BaaS activities, so should the bank.

2)  Next, Risk Managers should focus on the steps in the Due Diligence and Monitoring section of last week’s guidance, as noted below.

• Due Diligence
  • Initially, this section appears to be aligned to a standard service provider; however, there are two bullet items on page 10 that appear to refer to BaaS relationships. These bullet items describe the need to review information on the third party in media and internet searches. While this is always a good step for all third parties showing high (or greater) risk, these steps are especially important for community banks with BaaS relationships. It would be difficult to justify engaging with a Fintech that not only has negative news on its own operations, but was also involved in another BaaS bank being placed under a consent order. That would make for an interesting conversation with an examiner. If any type of negative news is found, and the community bank decides to move forward, there should be evidence of executive review of the negative news, and a justification included in the approval.
• Monitoring
  • Similar language appears in the Monitoring Section, especially on page 15, regarding the need to review public filings, news articles, social media, and customer feedback regarding the BaaS relationship. Monitoring is important in three key areas:
    • Financial Crimes, including BSA/AML (including CIP/CDD), OFAC, and Fraud.
    • Consumer Regulatory Compliance, including the entire alphabet soup of regulations, plus UDAAP. (Remember, the Fintech can be in compliance with the alphabet soup regulations, and still have a UDAAP.)  Monitoring consumer complaints would provide much insight into consumer regulatory compliance.
    • Information Security. The Fintech’s breach will likely be considered the community bank’s breach.
  • The community bank Risk Manager should ensure that a written BaaS monitoring program is implemented in the second line of defense and managed by a professional who is qualified and competent to manage such a program. Those performing the monitoring and testing should be adept at providing credible challenge to the BaaS program. And, as always, the second line monitoring and testing program should be reviewing the results of the QC and QA functions taking place in the first line of defense on BaaS relationship activities.

3)  Lastly, although the June 2023 guidance and the guidance from last week specifically indicate that the guidance shouldn’t be considered a checklist, community bank Risk Managers should nonetheless review their TPRM Program against the items in the guidance, evaluate how the bank addresses each item, and document the results with support. If something is not applicable to the bank, simply explain why that is, instead of making it “N/A.”  This is a proactive risk approach when guidance comes out – it shows that the Risk Manager views the guidance document as a true resource.

What to Expect Over the Next Year

For the remainder of 2024, Risk Managers in community banks offering BaaS services, should:

• Be prepared for heightened supervisory focus on third-party risk management, and high expectations among regulators over the management of BaaS relationships in community banks.
• Ensure that bank staff fully understand:
  • How the BaaS relationship functions, meaning, ensure they understand the Fintech’s products and services work. This includes understanding the flow of funds into and out of the bank, and understanding the end relationship with customers and borrowers.
  • How the Fintech markets and advertises the product or service.
  • How the Fintech handles customer/borrower complaints and disputes, and responds to assertions of fraud.
  • How the Fintech performs CIP, CDD, and OFAC screenings.
  • How the Fintech performs underwriting, if a lender.
• Understand who the Fintech’s contractors (or subpartners) are, and what the Fintech’s TPRM is structured. This is an area where documentation and support is crucial to the Risk Manager’s understanding. Although there is no requirement, yet, for Fourth Party Risk Management, reference has been made to a Fintech’s “subpartners” in at least one recent consent order when discussing third parties.
• Press for stricter language in BaaS relationship contracts regarding TPRM. Learn from past BaaS relationships where additional contract language would have been helpful… then ensure that language gets added to future contracts.

Summary

Fintechs and BaaS relationships are here to stay in community banking, and the success of BaaS relationships depends on the management of third party risks. The TPRM guidance being published by the agencies is intended to be a resource to banks. Risk Managers in community banks should use this guidance, along with the messaging in recent community bank consent orders, to improve their bank’s TPRM program and lower risk.

 

*For a compilation of TPRM resources from the FDIC, see their resource page at https://www.fdic.gov/resources/bankers/third-party-relationships/

 

Bates Group offers ongoing advisory services to a wide range of financial institutions and Fintechs. We offer Independent Reviews and Risk Assessments, Compliance Program Support, and Custom Compliance Training.

Contact Bates Group today to learn more.