Sponsor Bank Guidance to Understanding Vendor Management Support in the BaaS and FinTech Ecosystem
Learn about the differences between third and fourth party risk management and recommendations for how sponsor banks should approach their third party risk management (TPRM) for their program partnerships.
In 2024, the importance of third party risk management (TPRM) has risen to the top for sponsor banks for three reasons:
- Increased regulatory scrutiny of sponsor banks irrespective of asset size
- 70% of banks consider FinTech partnerships as a growth driver for their business
- Third party technologies or establishing partnerships has become essential for reducing the digital divide
To quote Federal Reserve Governor Michelle Bowman, “Banks also increasingly rely on important relationships with third parties, including service providers and partners who provide services to customers through ‘banking-as-a-service’ arrangements. As third party relationships continue to play an increasingly critical role in the banking system, they present another new avenue for risks that need to be managed.”
Regulators have released several guidance materials on Third Party Risk Management (TPRM). The originating documents date as far back as 2008. However, as recently as May 2024, interagency guidance on managing risks with third party relationships has attempted to align the previously provided materials into a more cohesive message on managing vendors, third parties, and partnerships tied to banks. Although TPRM is not a novel concept, it often raises questions and feelings of apprehension. This post aims to help sponsor bank executives navigate TPRM complexities, shed further light on fourth party risk management (FPRM), and explain the unique responsibilities involved in supporting banking-as-a-service (BaaS) and acting as a sponsor bank to FinTech relationships.
Different Terms, Same Mission
This post uses various terms: partner, vendor, supplier, service provider, third party service provider, contractor, subcontractor, applications, services, systems, and tools. Although this list is not comprehensive, all of these terms describe third party relationships, meaning every relationship beyond those involving internal employees, internally developed applications, and internally performed functions. For the sake of this post, these terms are used interchangeably.
What is Third Party Risk Management (TPRM)?
Third party risk management (TPRM) is the process by which an organization identifies and assesses potential gaps and risks associated with the direct external relationships upon which it relies. In the scenarios discussed here, the sponsor bank, the FinTech, and the BaaS provider each hold direct contractual relationships with vendors or use vendor services directly.
The services include solutions such as applications, services, systems, and tools, even when a traditional long-term contract isn’t signed (e.g., a month-to-month service fee) or solutions that are free to use (e.g., open-source and freeware). Regardless of the associated expense (if any), these events trigger the need for TPRM tracking, management, and oversight.
What is Fourth Party Risk Management through Marriage and Divorce?
In its simplest form, Fourth Party Risk Management (“FPRM”) involves an organization overseeing its vendors’ vendors. For sponsor banks, this involves the sponsor bank overseeing the FinTech’s vendors. It is essentially one relationship removed from the contract. Think of it as your relationship with your son-in-law or daughter-in-law. Although they may not be directly related to you by blood, they hold significance in your family, and you want to ensure you are aware of their safety and well-being.
At the 2023 D.C. Fintech Week, the OCC Comptroller discussed fourth party risk management with a Bloomberg Reporter.
“We (Regulators) need to ensure the bank-fintech relationships are in service to their customers. There is a nexus between banks and fintechs. It is not just a third party anymore; it is the whole supply chain. The third party has a third party, then a fourth party, and there are ‘n’ number of parties. We need to pay attention to the risks these external third parties introduce in the banking system. On the one hand, you get innovation, efficiency, and inclusion; on the other hand, you have a huge diffusion of responsibilities”.
While fourth party risk management doesn’t require the sponsor bank to perform due diligence on the fourth party directly, it remains crucial for the sponsor bank to understand the FinTech and its external vendor relationships. In the presented scenario, the sponsor bank, like a parent, oversees the FinTech and its ‘children’ (the FinTech’s products and their end customers). The FinTech must manage its relationships with external partners (the son-in-law or daughter-in-law) responsibly, performing due diligence before ‘marrying’ into a contract. As the relationship evolves, the sponsor bank may provide oversight, guidance, and support, akin to a parent assisting their child in navigating important decisions such as ‘expanding the family’ (adding vendors) or ‘divorcing’ (terminating relationships).
In this process the BaaS provider serves as an ally and advisor, much like a cherished family confidant, offering insights and expert guidance, helping fortify the relationship between the sponsor bank and FinTech. Similar to a trusted family friend, the BaaS provider may lean towards one perspective over another based on the particular circumstances yet remains impartial, acting as a trusted advisor to both the Bank and FinTech.
How Are TPRM and FPRM Related to BaaS, Sponsor Banks, and FinTech Services?
In the scenario described above, TPRM is viewed through two lenses: the sponsor bank’s oversight of the FinTech and the FinTech’s oversight of its own vendor relationships. Fourth party risk management is tied to the sponsor bank’s oversight of the FinTech’s third party risk management program.
A sponsor bank or Banking-as-a-Service (BaaS) provider will request evidence of FinTech’s TPRM programs, including the assessments and the underlying documents that were reviewed as part of the assessment. However, the performance of the review, responsibility of direct oversight, and risk of choosing the right (or wrong) partner fall onto the FinTech.
The sponsor bank will ultimately be responsible for ensuring that the FinTech and its vendors perform their services in a safe and sound manner and in compliance with applicable banking laws and regulations (consistent with OCC Bulletin 2023-17 and Federal Reserve SR 24-2).
For example, if a FinTech is performing international remittance through a service provider, and that service provider fails to properly screen the transactions, the vendor, the FinTech, the BaaS provider, and the sponsor bank share a portion of the responsibilities. All parties may face financial, regulatory, and reputational scrutiny in these scenarios.
How Can Sponsor Banks Manage this Process?
There have been various approaches in the market tied to BaaS. The approaches fall under four primary themes.
- Lean on B: All Risk on Bank - In this approach, the BaaS provider functions solely as a “technology solution.” The Bank manages risk and compliance support and oversight entirely, with minimal support from the FinTech and BaaS provider.
- All About that BaaS: All Risk on BaaS - The BaaS provider handles all risk and compliance functions. Banks and FinTechs rely heavily on the BaaS provider for most of the risk and compliance support. This approach has seen scrutiny by Regulators, including commentary that the sponsor bank should have greater control over its FinTech programs.
- Ride Like the Fin(tech): All Risk on FinTech - In this least common approach, the Bank and BaaS provider provide minimal compliance support. This strategy is not widely adopted, given that FinTechs are often less versed in compliance and frequently require support in the compliance arena, making it the least favorable. Like the previous approach, a FinTech-focused risk approach is also scrutinized by Regulators, as Banks should have ownership and control over the programs they support.
- Culture Club of Collaborative Compliance: A Shared Approach to Risk - In this collaborative approach, the Bank, BaaS provider, and FinTech share risk and compliance functional support responsibilities. It is a joint effort among the three partners rather than reliance on a single entity. Even with this shared responsibility, the sponsor bank ultimately remains responsible for the complete oversight of the risk management approaches and strategies.
As you can see, the Shared Partnership approach divides responsibility for Risk and Compliance functions and oversight among all three parties. It is often the most successful approach when looking at healthy relationships: relying on a single party for compliance risk creates a single point of failure. Although the shared approach adds some complexity, these three levels of compliance defense often align best with internal bank processes and regulatory expectations. Choosing the right partner to help facilitate these reviews and processes, including those tied to TPRM and FPRM oversight activities, is critical to the overall success of a program.
How is this Process Effectively Managed?
Compliance with TPRM and FPRM processes is crucial for FinTechs, as they frequently incorporate additional products and solutions into their service offerings. Thus, ongoing monitoring, including quarterly check-ins, is imperative.
FinTechs can receive support in the due diligence process by selecting the right BaaS provider. This ensures that FinTechs conduct third party risk assessments promptly and keep up to standard. The FinTech’s vendor population is then shared with the sponsor bank for quarterly review. The sponsor bank review should focus on assessments conducted on net new service providers and ongoing oversight for existing vendors present in the FinTech ecosystem.
The oversight processes are not limited to just before a regulatory exam or annual check-ins. Instead, they ensure that the FinTech consistently tracks its third parties and associated assessments, adhering to the previous timelines and commitments. Being diligent with the oversight processes will help sponsor banks be regulatory compliant and save future headaches.
What Should be Included in TPRM and FPRM Risk Assessments?
Vendor risk management goes beyond merely requesting a vendor’s SOC report. An effective TPRM strategy involves gathering, reviewing, and, most importantly, documenting the assessment. Beyond the mere collection of these documents, the following items need thorough review and understanding by both the FinTech and the sponsor bank to ensure comprehensive insight into a vendor’s risk management programs, proactive oversight, protections, and risk reviews. These include:
- Model Risk Management Assessments, Internal and Independent
- Independent Auditor Reports
- Industry Certifications
- Certificates of Insurance (COI)
- Last Disaster Recovery (DR) Test with Results
- Vulnerability Scans and Penetration (Pen) Tests
- Business Incorporation and Registration Documents
- Legal and Financial Details
- Alignment to Regulatory Controls, including Internal and External Audits
Comprehensive review and scrutiny of these elements ensures a more robust understanding of the vendor’s risk landscape and strengthens the overall risk management process.
What Does this Look Like in Practice?
With respect to the responsibility and ownership of performing TPRM (or FPRM) reviews, depending on who is leading the assessment, there is sometimes an approach where a single party bears most of the responsibility for the review while the other parties play minor roles, either gathering materials or reviewing the assessment’s final results. In several instances, these single-responsibility approaches result in ineffective third party and fourth party risk management activities, as one entity is solely responsible for the review without meaningful support from the other partners.
For example, if a FinTech were to partner with a cloud service provider (CSP) and the sponsor bank is responsible for reviewing the supporting documentation and materials from the CSP (Lean on B), the FinTech would be responsible for gathering the raw materials from the vendor, and the BaaS provider would share these materials from the CSP with the sponsor bank for review. This approach shifts the responsibility of vendor management to a party less familiar with the contract, application, or use. This approach also holds the FinTech less responsible for the management and ownership of their contractual relationships.
Similar to the Lean on B scenario, if a FinTech were to rely heavily on the BaaS provider to support its third party risk management responsibilities for FinTech-managed contracts, all vendor management activities, including those for relationships managed and owned by the FinTech, would shift to the BaaS provider. This All About that BaaS approach is often appropriate only when the BaaS provider owns the contractual relationship and resells the products and services to its FinTech partners. The All About that BaaS approach fails to recognize that if a FinTech chooses to use services outside the BaaS provider, the responsibility for and oversight of those relationships are borne by the FinTech, as it holds the contract with that partner and the underlying risk.
The Culture Club of Collaborative Compliance approach is often the most appropriate and successful, as every partner, including the sponsor bank, BaaS provider, and FinTech, contributes its own expertise. The FinTech is ultimately held responsible for the contracts it holds and manages, but with expert guidance, review, and support from its BaaS provider and sponsor bank. In addition, the BaaS provider and sponsor bank are each held responsible for the direct contracts they hold and manage, including any TPRM assessments and activities. This approach allows all parties to thoroughly understand the risks present within the ecosystem, enabling them to mitigate the risks associated with their third party service providers.
Don’t Forget About Internal Impacts When Considering TPRM and FPRM Responsibilities
One crucial aspect that warrants careful consideration is the impact of vendor relationships on the sponsor bank’s internal processes. Take, for example, the adoption of cloud-based infrastructure from major providers like Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure, which can streamline the setup of localized environments for the FinTech. However, this shift also means that business resilience risks must be addressed within risk management frameworks beyond the TPRM assessments themselves.
It’s imperative for the FinTech to retain accountability for its internal processes and procedures, especially for managing disruptions in services from critical partners. FinTechs must document business continuity, disaster recovery, and incident response processes with clear, step-by-step instructions for executing actions such as transitioning to alternative availability zones in the event of a disaster or outage.
Preserving these instructions within FinTech policies and standards, rather than relying solely on links to external instructional resources, is a key part of preparedness. During an outage, pre-documented steps and locally retained copies of vendor instructional documents are essential to mitigate downtime, as the linked vendor pages may become inaccessible due to high traffic.
Sponsor banks, customers, and regulators are primarily concerned with lack of access to funds, application failures, or dropped transactions and payments during outages. While third party partnerships can help FinTechs operate efficiently and reduce oversight burdens, the FinTech must recognize the need for additional support to sustain business resilience and uphold service reliability and customer trust.
Why is this Important?
Sponsor banks are entering into third party relationships for various reasons, such as implementing new technologies to reduce operating costs, offering real-time payments and mobile and online digital account opening, and growing small business lending to expand their market reach. The escalating trend of engaging with third party service providers will persist in the coming years, heightening the need for robust TPRM and FPRM oversight management.
Regulators closely scrutinize the sponsor bank’s risk management practices for outsourcing services, utilizing supporting systems and tools, and integrating emerging technologies such as machine learning and artificial intelligence. Regulators will expect to see evidence of effective TPRM and FPRM oversight management. Failure to implement effective risk management practices could result in regulatory fines, damage to the sponsor bank’s reputation, and loss of clients.
In conclusion, TPRM does not imply achieving zero defects or absolute risk elimination; instead, it emphasizes understanding, articulating, and mitigating risks. While it’s impossible to eliminate all risks, the proactive measures taken to prepare for potential events are invaluable in mitigating downstream impacts. These actions also aid in preparing groups to respond swiftly, minimizing adverse effects on clients.
Importantly, the involvement of third parties does not absolve FinTechs of their responsibility for proper oversight. Instead, it requires heightened reliance on internal business continuity and disaster recovery processes to ensure a robust and resilient framework for addressing unforeseen challenges.