News

Legal Brief: Navigating Third-Party Relationships

On April 8, the U.S. Office of the Comptroller of the Currency ordered Ann Arbor, Michigan-headquartered Comerica Bank & Trust to assign “clear roles and responsibilities” for managing third-party relationships and the risks arising from them.

Three months later, on July 8, the Federal Deposit Insurance Corp. directed State Exchange Bank in Lamont, Oklahoma, to “provide for sufficient due diligence and ongoing monitoring of third parties who complete AML/CFT [anti-money laundering and combating-the-financing of terrorism] responsibilities” on its behalf.

The OCC’s formal agreement with Comerica and the FDIC’s consent order against State Exchange Bank align with a broader trend of enforcement in which federal regulators have censured lenders for disregarding the money laundering- and terrorist financing-related threats posed by their relationships with fintechs and other third parties.

Axiom Bank, the second-largest community bank in Florida, then penned a formal agreement with the OCC on Oct. 3 that requires the 24-branch lender “to effectively assess and manage” the risks posed by prepaid-card providers and merchant payment processors and rescreen entire batches of their transactions for AML purposes.

The OCC, Federal Reserve and FDIC have sought to counter the proliferation of third-party pitfalls across the U.S. financial system not only with enforcement, but also through guidance.

On June 6, 2023, the three agencies jointly, formally advised banks to fully assess the risks presented by their contracts, partnerships and other business arrangements with fintechs and explicitly warned that responsibility for complying with all “applicable laws and regulations, including … those addressing financial crimes” ultimately laid with them.

The agencies issued guidance specifically for community banks on May 4 of this year, and followed with a joint statement on July 26 that they had “observed an evolution and expansion” of third-party arrangements to encompass depository services and other core banking activities.

The progression of such relationships towards complexity and systemic importance has raised concerns outside the U.S. as well, including in Canada, where the Office of the Superintendent of Financial Institutions instructed banks in April of last year to consider a third party’s reputation, jurisdictional footprint and subcontractors when conducting due diligence and measuring risk.

In December, Switzerland’s Financial Stability Board issued guidance tailored to banks now outsourcing services they traditionally provided themselves and “whose disruption could significantly compromise” their operations.

On July 9, the Basel Committee on Banking Supervision solicited input from banks on vetting and monitoring fintechs and other third parties, limiting the types of services they outsource to them and exiting such relationships when necessary.

Purely AML-related third-party arrangements have also drawn notice.

On Sept. 6, the Australian Transaction Reports and Analysis Centre advised financial institutions to ensure that the external vendors to whom they outsource their transaction-screening responsibilities and other aspects of their compliance programs take their unique risks and models of business into account instead of using a generic, one-size-fits-all template.

Contact Larissa Bernardes at lbernardes@acams.org

Topics : Anti-money laundering , Know Your Customer
Source: U.S.: FDIC , U.S.: OCC , U.S.: Federal Reserve Board , Financial Stability Board , Canada , Australia: AUSTRAC
Document Date: October 29, 2024