United States: Privacy Laws + Banks + FinTech = New U.S. Guidance On Risk Management For Third-Party Relationships

Three federal agencies jointly issued a guidance that banks are expected to monitor their financial technology partners to ensure compliance with privacy, fair lending, and anti-money laundering laws.

The "Interagency Guidance on Third-Party: Risk Management" was issued jointly by: (1) Board of the Federal Reserve System [OP-1752], (2) Department of the Treasury Office of the Comptroller of the Currency [OCC-2021-0011], and (3) Federal Deposit Insurance Corporation [RIN 3064-ZA26], with a final guidance date of June 6, 2023 ("Guidance"). The Guidance offers the three U.S. agencies' views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

Prior guidance is rescinded and replaced by the Guidance

The Guidance rescinds and replaces the following previously issued guidance by the three federal agencies:

• Board's 2013 guidance: SR Letter 13-19/CA Letter 13-21, "Guidance on Managing Outsourcing Risk" (December 5, 2013, updated February 26, 2021)
• FDIC's 2008 guidance: FIL-44-2008, "Guidance for Managing Third-Party Risk" (June 6, 2008)
• OCC's 2013 Guidance and its 2020 frequently asked questions: OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," and OCC Bulletin 2020-10, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29." Additionally, the OCC also issued foreign-based third-party guidance, OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance," which is not being rescinded but instead supplements the final guidance.

The Guidance seeks to establish a consistent approach which puts the onus on banks to obtain information from and ensure compliance from its third-party fintech relationships. In other words, banks are responsible for knowing how their fintech partners: (1) are operating and (2) are complying with applicable federal law.

Obligations concerning privacy laws and cross-border flow of information

The Guidance discusses factors to consider when evaluating whether to enter into a relationship with a third party, including the compliance of privacy laws. Regarding contracts between a bank and a foreign-based third party, the Guidance notes the importance of:

• privacy laws
• cross-border flow of information
• choice-of law and jurisdictional provisions that provide dispute adjudication

In sum, the 68-page Guidance sets forth a bank's risk management obligations when contracting with third-party fintech. As privacy laws and cross-border flow of information continually increase, the Guidance sets forth the criteria to analyze within these contracts.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.