BaaS Partnerships Are About Oversight, Not Trust

CCG Catalyst Commentary

By: Tyler Brown

May 14, 2024

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) just released a guide for community banks on the “third-party relationships life cycle.” The guidance is especially important for community banks that enter partnerships with fintechs and other third-party distributors of a bank’s regulated services. Complex risks associated with these relationships apply disproportionately to community banks because they’re overrepresented among Banking-as-a-Service (BaaS) sponsor banks. According to CCG’s proprietary research, about 30% of BaaS banks have assets under $1 billion, and about 60% have assets under $5 billion.

BaaS partnerships are subject to the same risk management considerations as any relationship with a third party. But certain factors raise the risk level, such as a third party managing the customer relationships on the bank's behalf, and those factors demand more due diligence from the start. As a BaaS business grows, so does the magnitude of third-party risk and the compliance resources the bank needs to provide. As the guidance notes, banks need to adjust third-party risk management practices to be commensurate with their size, complexity, and risk profile by periodically analyzing the risks associated with each relationship.

Risks and dependencies for BaaS can quickly get unwieldy. Running a BaaS program depends on a web of third parties, some of which may be a step removed from the bank itself and managed by another third party. The third parties in the mix include vendors that work directly with the bank, intermediaries that handle some infrastructure and program management, other service providers that sit between a bank and its BaaS partners, and the partners themselves that serve end customers. Whether a community bank can keep up with risks that grow with the size of a program is an open question, and falling behind could put it in a perilous position.

Because of their size, community banks might not have the in-house resources or depth of talent to handle compliance for a line of business that fundamentally depends on partners. As we’ve written, the buck stops at the bank for risk and compliance issues, which should give a bank pause about the commitment needed to build a BaaS business in the first place. A bank can’t blindly accept the help of partners to handle compliance on its behalf: regulators are wary of allowing third parties to evaluate the risk of other third parties, and doing so introduces another layer of potential violations.

“…the bank cannot abrogate its responsibility to employ effective risk-management practices, including when using a third party to conduct third-party risk management on behalf of the bank.” — Third-Party Relationships: A Guide for Community Banks

A lengthy list of strategic considerations is the starting point for any third-party relationship. The guidance implies that starting a fintech partner program is no less complicated from a compliance perspective than working with a traditional core provider or other established vendor. Bankers need to work through the same planning, due diligence, governance frameworks, and monitoring appropriate to the risks that come with serving end customers that the bank does not have a relationship with.

The board of directors is ultimately responsible for setting and overseeing third-party risk management, and management is responsible for rolling out appropriate policies, procedures, and practices. A sponsor bank’s leadership needs to evaluate and consistently revisit organization-wide issues related to maintaining third-party relationships — ensuring that a third party’s activities align with the bank’s risk appetite, policies, and business objectives; that staff have the expertise and bandwidth to manage the relationships; and that technology and staff are in place to handle integrations.