Banks that partner with third-party fintechs to reach more customers and secure new streams of revenue still too often fail to address the illicit finance-related risks that arise from those relationships, federal anti-money laundering regulators warned Monday.
Amid a series of consent orders citing such failures, the Office of the Comptroller of the Currency, or OCC, joined with the Federal Deposit Insurance Corp., also known as the FDIC, and Federal Reserve to direct banks in guidance last year to keep complete inventories of their third-party fintech relationships and regularly assess the unique threats that each presents.
The agencies issued the guidance after having already advised community banks specifically to focus their initial vetting of third-party partners on six aspects: namely, their financial health and business strategy; ability to secure data and stay operational during disruptions; and their controls for managing risk and complying with legal and regulatory obligations.
Problems from third-party partnerships frequently trace back to the contracts that govern them, Eric Ellis, director of Bank Secrecy Act and AML policy at the OCC, told attendees of The Assembly Las Vegas on Monday.
“This is where we’re seeing the most pitfalls,” said Ellis. “Rushing into a relationship, not clearly defining roles and responsibilities, not understanding who owns that end-user customer, [with] one party assuming that the other party is doing something when no one is doing it.”
Banks must ensure that they include termination clauses in their contracts with third-party platforms to account for the possible scenarios of them breaching their contracts or becoming insolvent, Ellis said during the conference’s opening panel.
Separately, because not all third parties present the same level or same type of threat, banks must refrain from taking a one-size-fits-all approach towards risk assessment, and afterwards towards resource allocation.
“Where we’ve seen a lot of issues is failure to stratify the risks among fintechs, viewing them as ‘one risk,’ ” Koko Ives, Bank Secrecy Act and AML policy manager at the Federal Reserve Board, said during the panel. “A software product developer may have a very different risk than a … direct relationship with a non-bank third party that’s delivering deposit products for a bank.”
Partnering with middleware providers—and by extension the fintechs those middleware providers serve—presents an altogether different, potentially more-dangerous challenge.
“The end users are even further away from the bank,” said Ives, who noted that her agency has observed a “real breakdown” of lenders not fully apprising themselves of the services their direct client in these relationships—the middleware provider—offered, and in turn what services the provider’s clients—the fintechs—offered to end users.
Either way, recent enforcement actions against smaller banks in Illinois, Kentucky, North Dakota and Virginia, all of which exposed themselves to unmanageable risk by virtue of their third-party relationships, confirm where ultimate liability for AML breaches always falls.
“Even if it’s a third-party, or a fourth, or a middleware provider, the bank is obligated to meet their [AML] responsibilities,” Lisa Arquette, a senior regulator with the FDIC, told attendees. “That has been very complex to sort through, as many of you already know.”
Contact Chelsea Carrick at ccarrick@acams.org
| Topics: | Anti-money laundering, Fraud, Sanctions, Know Your Customer |
|---|---|
| Source: | U.S.: OCC |
| Document Date: | September 23, 2024 |