US Regulators Finalize Interagency Third-Party Risk Management Guidance
On June 6, 2023, US banking regulators — the FDIC, OCC, and Federal Reserve — published final interagency guidance on third-party relationships and risk management in the Federal Register. The guidance consolidates and updates expectations for how banks should identify, assess, monitor, and manage risks arising from third-party relationships, including those with fintech partners and BaaS arrangements. It applies broadly to all banking organizations supervised by the three agencies and covers the full lifecycle of third-party relationships from planning through termination.
The finalized guidance was particularly significant for BaaS banks, many of which had already faced increased supervisory scrutiny including consent orders related to compliance deficiencies in their fintech partnerships. By establishing a unified interagency framework, the guidance aims to reduce regulatory fragmentation and provide clearer standards for banks engaged in embedded finance. The publication came alongside heightened enforcement actions against BaaS-model banks such as Cross River Bank, underscoring regulators' focus on this segment.
The guidance is expected to drive banks to invest more heavily in compliance infrastructure for managing fintech partnerships.
- Establishes a unified regulatory framework that raises the compliance bar for all BaaS bank-fintech partnerships in the US
- Expected to increase costs and complexity of BaaS arrangements, potentially favoring larger, better-capitalized sponsor banks
- May accelerate consolidation in the BaaS market as smaller banks struggle to meet heightened supervisory expectations