On March 29, the Federal Deposit Insurance Corporation (FDIC) announced two more consent orders containing provisions relating to banks’ third-party risk management programs with respect to banking as a service (BaaS) partnerships.

The terms of the consent orders impose requirements on the banks, which include:

  • Ensuring that the bank’s procedures, data, and systems related to third-party relationships and bank activities conducted through third-party relationships include clear lines of authority and responsibility for monitoring adherence to applicable bank procedures, effective risk assessment, timely and accurate reporting, and the development of procedures to ensure compliance with applicable laws and regulations, and satisfactory monitoring of implementation and adherence to bank procedures, applicable laws and regulations;
  • Requiring that the board ensure that the bank has reviewed and assessed whether the components of its third-party relationship program are appropriate for the size of the bank, and the nature, scope, complexity, and risk of the bank’s third-party relationships and related bank activities, and satisfactorily ensure that these bank activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations; and
  • Requiring the bank to complete a consumer compliance risk assessment for each third-party relationship conducting and/or performing a bank activity.

These consent orders are the latest in a series of FDIC enforcement actions dealing with third-party risk management programs and fintech partner issues. As discussed here, in February 2024 the FDIC announced a consent order with Tennessee-based Lineage Bank containing similar provisions. We regard this as further indication that the FDIC intends to continue to exert regulatory pressure on its regulated banks that enter into BaaS partnerships without adequate controls in place. As to such banks, we expect that pressure to translate into greater compliance assessment and monitoring requirements imposed by the FDIC and, in turn, on their fintech partners. In response, banks should consider whether their third-party risk management programs are sufficiently rigorous, particularly as they relate to their current BaaS programs and other fintech relationships.