PYMNTS MonitorEdge May 2024

Banking Regulators’ Guide to Third-Party Risk Management Spotlights Community Banks’ Vulnerabilities

The rise of open banking and FinTechs is changing the fabric of financial services.

Data sharing and pacts between traditional financial institutions and digital-only innovators promise to bring innovation to the masses, especially when consumer-permissioned data, held by community banks and larger enterprises, is shared with third parties.

The scope of third-party relationships is expanding. Consumers may have relationships with FinTechs, and the FinTechs may have relationships with the banks. Or the banks’ customers may be interested in harnessing FinTechs’ offerings to add to the roster of financial services and products they access.

PYMNTS Intelligence found that 65% of banks and credit unions have entered into at least one FinTech partnership in the past three years, with 76% of banks viewing FinTech partnerships as necessary to meeting customer expectations. Ninety-five percent of banks are focused on using partnerships to enhance their own digital product offerings.

But the banks must grapple with many new considerations, and reckon with vulnerabilities not just inherent in the financial institutions themselves, but also in what might be termed the “financial supply chain.”

The Guide

As of this month, a trio of banking regulators issued a guide to help community banks forge relationships with third-party vendors — and manage the risks and vulnerabilities that are inherent in those relationships.

In the publication, with the rather direct title, “Third-Party Risk Management: A Guide for Community Banks,” the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency noted, “Third-party relationships can offer community banks access to new technologies, risk-management tools, human capital, delivery channels, products, services and markets.”

But, they continued: “A community bank’s reliance on third parties, however, reduces its direct operational control over activities and may introduce new risks or increase existing risks, including, but not limited to, operational, compliance, financial and strategic risks.”

Among the key considerations, community banks must examine how they will integrate third-party technology with the bank’s existing systems and infrastructure — with examination of risk and costs. The banks must also delve into the physical and/or system access that would be granted to a third party.

And, in a nod to the risks that extend beyond the confines of the community bank itself, there must be information gathered on whether the third party’s information security program is consistent with the bank’s program “and expectations related to protecting the confidentiality, integrity, and availability of information,” the regulators wrote. The web is woven even more intricately if/when the third party relies on subcontractors, which in turn might pose additional risks to the bank.

Some Hesitancy Among the Banks?

There’s certainly some recognition of the risks, not least on the part of the banks themselves. PYMNTS Intelligence found that 46% of financial institutions said the risks of providing open banking solutions outweigh the benefits. Thirty-five percent of financial institutions said the benefits outweigh the risks.

Smaller financial institutions are more comfortable providing open banking, with nearly 2 in 5 noting the benefits outweigh the risks, which means that community banks would do well to set up comprehensive risk management frameworks that take a holistic approach to their external relationships.