A new guide designed to aid community banks as they assess and manage risk in third-party relationships signals that regulators are aware of the importance of those tie-ups for smaller banks, industry experts said.
The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. on Friday jointly released a guide for community banks on third-party risk management. Although regulators noted the guide doesn’t prescribe specific risk management practices, it’s intended to be a resource for community banks as they develop and implement third-party risk management programs and policies.
“The very clear acknowledgment that community banks benefit from a variety of third-party relationships and partnerships is just a reflection of the world that community banks operate in,” said Michele Alt, a partner at financial services advisory and investment firm Klaros Group. “And that is a welcome sign.”
The document follows interagency guidance issued last June on how banks should approach third-party relationships, including partnerships with fintechs. Those relationships have faced more regulatory review of late, as regulators assess the oversight of such tie-ups and whether effective anti-money laundering and Bank Secrecy Act processes are in place, said Kristen Larson, who’s of counsel at law firm Ballard Spahr.
Blue Ridge Bank, Cross River Bank and First Fed Bank have all faced penalties related to their fintech partnerships as regulators push for stricter oversight of the tie-ups. Tennessee-based Lineage Bank, New York-based Piermont Bank and Ohio-based Sutton Bank have also been hit with consent orders this year related to third-party relationships.
The guide released last week covers all types of third-party relationships, as smaller banks, in particular, are more likely to outsource certain functions. Indeed, the guide acknowledged that community banks tap third parties to remain competitive amid a changing landscape, and such tie-ups can offer banks access to new technologies, tools, services and markets.
However, a community bank’s reliance on third parties “reduces its direct operational control over activities and may introduce new risks or increase existing risks, including, but not limited to, operational, compliance, financial, and strategic risks,” the guide noted.
That’s why it’s important that community banks “appropriately identify, assess, monitor and control these risks” and ensure activities are conducted in a safe and sound manner and in compliance with fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices, as well as regulations around fraud and money laundering, the guide said.
Many community banks struggle to prioritize all the activities required to monitor third-party relationships, said John Soffronoff, partner and U.S. head of community banking at consulting firm Capco. The guide “provides a good roadmap for community banks to evaluate their third-party relationships throughout their entire lifecycle,” he said in an email.
The guide outlines examples related to planning, due diligence, contract negotiation, ongoing monitoring and termination, and the questions community bankers should consider in certain scenarios, as well as governance practices surrounding third-party relationships.
The Independent Community Bankers of America engaged with regulators over the past year, suggesting how to further assist community banks in internalizing the interagency guidance, said Michael Emancipator, senior vice president and senior regulatory counsel at ICBA.
“It’s almost a guide to how to read that guidance,” which was principles-based, Emancipator said. “Sometimes it is nice to have a little bit more meat and a little bit more specificity, in what lens [regulators are] looking at these activities.”
The specifics provided in the guide may put at ease the banks that have just dipped their toes in third-party relationship water, or haven’t yet, or may be worried about running afoul of regulators, Emancipator said.
The initial framing questions and hypothetical use cases can help bankers “get in the same mindset as the examination team” and might lead them to mull and ask next questions, Emancipator said.
Still, to Matthew Bisanz, a partner at Mayer Brown, the guide suggests “the supervisory expectations for community banks to offer integrated products with third parties, such as fintechs, are extremely high,” he said in an email. “So high that the regulators doubt most community banks can handle it.”
Bisanz said he believes bank regulators are unhappy with the number of community banks partnering with fintechs to offer digital banking products, and pointed to high-profile enforcement actions that resulted in community banks ending partnership programs.
Alt, for her part, views the guide not as a “gotcha” or a scolding, but as a useful resource in helping banks manage the risks. Community banks should view the guide as a rough checklist to apply to their own programs and to expect examiners to apply.
Alt also noted banks that don’t have a strategic plan in place should consider implementing one if they engage in certain critical third-party risk relationships, given the guide’s mention of risk assessment aligning with a bank’s strategic plan.
The Financial Technology Association and the American Fintech Council applauded the guide, which provides clarity around bank-fintech partnerships, and “should help mitigate information asymmetries and provide clear expectations” around managing third-party relationship risks, according to a Sunday statement from AFC CEO Phil Goldfeder.
But it’s also important that examiners make sure they’re properly assessing the risks posed by bank-fintech tie-ups, Goldfeder said, adding that there’s “a crisis of significant mismatch” between fintech services and regulatory mechanisms.
FTA CEO Penny Lee urged regulators “to ensure examiners are properly equipped to evaluate bank-fintech partnerships in a way that preserves access to valued financial tools and doesn’t stifle innovation,” according to a Monday statement.