There have been multiple consent orders issued recently which have made it clear that regulators are starting to enforce new third-party risk management guidance issued in the middle of 2023, especially when it comes to oversight of “banking as a service” (BaaS) relationships. Many of these consent orders also seem to target BSA compliance, so it can be reasonably assumed that the targeted banks did not properly identify or assess BSA risks in these new relationships.
Banking profitability often comes from innovation, and this innovation often pushes at the boundaries of what previous regulatory guidance was designed to address. In these cases, the decisions institutions make in the absence of updated guidance often needs to be adjusted once regulators do finally provide guidelines for the innovation. While it is impossible from the recent consent orders to determine exactly what made regulators nervous, it likely had to do with how BSA compliance was managed in the relationships. Some of the fintech partners used by the targeted banks claimed to take over responsibility for BSA activities from the bank, and the consent orders require the banks to review all transactions to ensure compliance for the BaaS transactions.
It is critical that any institution that wishes to enter a BaaS or any other innovative relationship with other parties have its third-party risk management program formalized and in place prior to entering the relationship. The Board needs to be involved at every stage of this process, as they are ultimately responsible for ensuring the strategy does not expose the institution to excessive risk. During negotiations, the due diligence program needs to truly understand the relationship, the transaction flows, what the potential risks are, and what the institution needs to do to control those risks to an acceptable level. After the agreements are signed, the due diligence program needs to identify the frequency and materials needed for ongoing monitoring. And any critical concerns found during due diligence need to be brought to the board for further consideration.
Circling back to the responsibility to manage BSA as an example, the initial due diligence should have included a risk that the third party would not adequately manage BSA risks and should have identified the controls needed to ensure that these risks were adequately mitigated. If adequate controls could not be identified, this should have been a red flag. The ongoing due diligence then should assess whether the controls are operating properly, with the board being notified if they are not. This would allow the institution to show that they proactively identify and address the problem.
Third-party risk management has gotten more complex since the recent guidance, and institutions might need to revisit their program to ensure compliance. If you need help doing this, please contact us at support@bedelsecurity.com!