The Office of the Comptroller of the Currency dropped Blue Ridge Bank's C&D today. And it is laser specific on the issues. A few comments, lessons learned, and questions below:
1) I'll say it on repeat for BaaS banks: if your #fintechs can't tell you how a criminal will exploit their rails for ML/TF (not just fraud), then you will have problems managing their transference of risk.
2) On pg. 7 the OCC states: "an assessment of BSA risk for each third-party relationship... money laundering, terrorist financing and sanctions risk, as well as each third-party relationship's processes for mitigating such risks and complying with applicable laws and regulations...". The keyword here is APPLICABLE. Most fintechs are unregulated or partially regulated. BaaS banks must lead with that.
3) The Board will now have to review and approve every new fintech relationship. That means the Board must understand - or rather, the AMLO must make them understand - the various threats within each fintech.
4) BaaS banks must have an exit strategy that outlines the escalation of risks and the decision (pg. 7).
5) Again, MSAs must be customized to your bank and your threats within the BaaS partner. If your attorneys are using standard MSAs, your bank will be exposed (pg. 8).
6) KYCC or CCDD is here. That has always been implied, but now it is actually written out (pg. 9): "OCC the criteria it is using for end user accounts to be approved for each third-party fintech relationship, including fintech subpartners". And it doesn't delineate between direct and indirect BaaS clients.
7) Sanctions is found throughout. For the #fintechs out there... you need to be screening, blocking, etc. for sanctions. You cannot just rely on your bank partner.
8) It would be interesting to see a revised OCC MLR focused on BaaS/fintech customers and transactions.
9) #AML audits - I've said it many times before: a clean audit is NOT A GOOD AUDIT. Full stop.
10) As a recovering auditor: if audits are 'risk-based' then they must actually audit/test the Risk Assessment for effectiveness prior to scoping the 'risk-based audit'. Audit firms cannot pitch/price a 'risk-based audit' if they don't know what the risks are yet.
11) Staffing is a big item yet again. People. The right people. With the right authority. It will continue to be a theme in #consentorders until Boards get with it. AML and #sanctions compliance is not cheap. Either you pay now or pay a lot more later.
12) "Executive authority" - Yep. Executive. We've seen this a few times. If your AMLO is buried under a chief, then an SVP, they do not have executive authority.
13) An interesting statement on pg. 13 - it appears to be a warning shot to all those #communitybanks that have the AML Officer wear many hats. Cut it out. "Board shall ensure the responsibilities...be limited to...BSA" Wow!
Several more comments I'll post below and the pdf is attached. #ifollowdirtymoney
Third-Party Risk Management Strategies for Banks
Summary
Third-party risk management strategies for banks involve identifying, assessing, and mitigating potential risks posed by external vendors and partners. These strategies ensure a bank's operations and reputation remain secure while adhering to regulatory standards and safeguarding customer data.
- Conduct thorough due diligence: Evaluate third-party partners' security, compliance, and operational practices before entering a partnership to identify potential vulnerabilities.
- Define clear roles: Establish explicit roles, responsibilities, and expectations for both the bank and its partners to mitigate confusion and ensure accountability.
- Implement ongoing monitoring: Regularly audit and monitor third-party vendors to ensure sustained compliance with regulatory requirements and data protection standards.
-
Regulators can often feel unfair, and I've certainly seen cases where regulators have reached some truly odd conclusions. However, the smart reaction is to recognize that the primary source of information the regulators have is the bank's own files. This is all the more important in areas like partner banking with high levels of regulatory scrutiny and limited regulatory understanding of the underlying business. Here are four mistakes I've seen banks make:
1️⃣ Partner due diligence that doesn't paint the big picture. There are lots of specifics that need to be covered in partner diligence. But the single best starting place is a clear, plain-language description of what the partner's program will do and what the risks are. Bonus points if this can be done in language that relates the nature of the activity to more traditional banking, helping demystify the business for bank staff and examiners alike.
2️⃣ Failure to describe roles and responsibilities clearly. Partner documentation needs to be crystal clear about the respective roles and responsibilities of the bank, the partner, and other third parties. Regulators want to see that everything needed to control the program is assigned, and that the bank has effective oversight in place for the things it is not doing.
3️⃣ Risk assessments that understate partner risk. Calling a BaaS client low risk is one of the easiest ways to get a regulator to dig in and look for issues. And it's hard to justify given the inherent third-party risks in the business. If a bank's customer risk rating habitually rates BaaS clients as low risk, it's effectively placing a "Kick Me" sign on its rear end.
4️⃣ Lack of documented evidence for determining partner controls are effective. A policy is just words on a piece of paper, not evidence that controls work. If a bank doesn't document outcomes-based evidence (e.g. testing results, data analytics) every time it determines a client has effective controls, it risks its regulators thinking it lacks evidence.
When you have the power to control the narrative, take advantage of it.
-
The Basel Committee on Banking Supervision has released a consultation document outlining proposed guidelines for managing counterparty credit risk (CCR). The guidelines are aimed at replacing outdated practices from 1999 and addressing longstanding weaknesses in CCR management within the industry. Key aspects include thorough due diligence of counterparties at onboarding and on an ongoing basis, developing effective credit risk mitigation strategies, employing diverse metrics to measure and control CCR, and establishing robust governance frameworks. The guidelines are meant to apply broadly to manage CCR exposures across all types of counterparties, with a particular focus on high-risk exposures such as those involving NBFIs. Both banks and supervisors are urged to adopt a risk-based and proportional approach in implementing these guidelines, considering factors such as the nature of the bank's activities and the complexity of CCR exposures. Feedback on the proposed guidelines is invited until August 28, 2024.
-
Attend any #banking conference or scroll your LinkedIn feed in the financial space, and you're likely to find (especially given recent events) ongoing dialogue about the complexity of bank-fintech partnerships. Within the industry, the conversation is much more likely to bubble up about the things that go wrong than those that go right. Catching a recent Bank Director article about compliance struggles in these relationships got me thinking: what if we talked about what we're doing to try to get things right more often, and created more space to collaborate together as a #fintech community? Sharing the article below and borrowing from a few of its themes, here are some specifics in greater detail about what we do at Nymbus as a fintech trying to make fintech compliance easier for our banking partners. We'd love to collaborate on how we can all do so better:
📰 Clear-cut brand guidelines of what you expect your partners to do when they're representing your bank.
✅ At Nymbus, we have our own internal marketing compliance playbook that is used by our Labs team when creating content for our partners. Before a client gets any Nymbus-created content, our in-house compliance team reviews all marketing content for compliance with consumer regulations. This review isn't intended to replace the needed work of our client's compliance teams, but to make it much easier.
🗒 Banks' third-party risk management must keep up with the speed and scale of programs, and it might be unclear how to share and delegate compliance duties.
✅ We publish a Managed Services Roles & Responsibilities document that outlines what role Nymbus plays in the services offered, and what our #bank or #creditunion partner should expect to provide support and oversight for. We create a partner-specific operating guide to be used as the rule book for our combined teams when bringing a digital brand to life and operating it day-to-day.
🤝 Fintech investment in #compliance capabilities to be better partners for banks, instead of focusing solely on #sales, #marketing, and customer acquisition.
✅ Our #risk and #compliance team of 10 comes from backgrounds working within financial institutions ourselves, as well as for #advisory and #audit firms and as former regulators. Our compliance team is engaged from pre-sales to implementation and ongoing support, and we pride ourselves on giving our banking partners direct access to our compliance teams.
⚖ Checks and balances (on both sides)
✅ Nymbus' risk management program and CMS were developed based on banking regulatory guidance, including that of the FDIC, OCC, Fed and NCUA, alongside the CFPB. It's inclusive of quality assurance, regulatory change management, internal compliance reviews and risk assessments, and the maintenance of a risk log to address ongoing enhancements and ways to improve our products and services. https://lnkd.in/ecPmiCdU