Underwrite Third Party Risk More Carefully than Credit Risk by Stephen Curry

Fintech, Non-Bank FI and Vendor Risk Should Be Evaluated with Greater Rigor than Credit Risk

On September 20th, FDIC Chairman Marty Gruenberg addressed the often overlooked but critically important issue of the financial stability risks posed by nonbank financial institutions within the financial sector. These entities provide bank-like financing services but do not hold a banking license and are not subject to the banking regulations and oversight that banks are. Some examples include money market funds, private equity, mortgage lenders, fintechs, P2P lenders and insurance companies. In his speech he stated that assets of U.S. nonbank financial institutions totaled roughly $20.5 trillion in 2021, compared to $23.7 trillion in assets held by U.S. insured depository institutions.

Some of the most substantial risks in the financial system arise from non-bank financial institutions. Governance and culture play a crucial role in this context, and banks tend to underestimate these often-critical factors when assessing non-bank relationships. Non-bank financial institutions, including fintechs and technology vendors, frequently lack robust controls and effective enterprise risk management practices, have volatile funding and opaque operations, and operate with excessive leverage. They may take shortcuts that would raise concerns among traditional banks, auditors, and regulators. Because a chartered bank is normally somewhere in the end-to-end process behind the financial service such a non-bank provides, the non-bank often assumes that the bank will take care of the formal, or “bank-grade”, risk management requirements, which places an additional, frequently unacknowledged burden on the bank.

The rapid failures of entities like FTX, SVB, and Signature Bank served as stark reminders to customers, creditors, regulators, and shareholders of the critical risks present in these sectors. In the most recent examination cycle, many banks received regulatory findings and orders mandating the implementation of enterprise risk management, as well as requiring upgrades to internal audit and third-party risk management specific to how they decide on and manage relationships with fintechs, NBFIs and vendors.

Banks should approach their assessments of third-party risks with even greater diligence than they do when assessing bank counterparty or typical credit risk. This is because the operational, regulatory, market and liquidity risks associated with non-bank partners can at times surpass the credit risk inherent in many loans. Furthermore, banks must acknowledge that most non-bank entities, especially small fintech companies, have not undergone the same level of scrutiny as major technology providers. As a result, their solutions carry a vendor and operational risk dimension that can be extremely high. In the world of banking, we want to trust our partners, but it is crucial to conduct thorough verification and ongoing diligence. We cannot assume that non-banks possess the same level of internal controls as banks because, in reality, they generally do not.

Another significant concern when dealing with non-banks is the availability of liquidity to meet customer redemptions. Whether it's a fintech, money market fund, or hedge fund, money moves faster than ever before. Few non-bank financial institutions maintain adequate liquidity to handle peak flow requirements. During times of stress, selling investments with unrealized losses, offloading loans, or unwinding hedged positions can become challenging. Similar situations have occurred in banks, as well as in the crypto market during FTX's crisis, and even in investment funds, such as BlackRock's Commercial Real Estate fund. Money market funds, for instance, have seen inflows of over $800 billion in the past year. If these flows shift rapidly, fund failures and market disruptions could ensue, and be amplified when leverage is involved.

Here are some fundamental diligence considerations based on what we have learned working with banks and non-banks. These steps are supplemental to the guidance provided by regulators. We believe it is vital to analyze and understand the following for NBFIs, fintechs and vendors:

Assess Key Control Roles: Evaluate the qualifications and experience of key control roles, including the CFO, CRO, CIO, and operations management.

Board-Level Control: Determine if there is a governance structure at the board level that ensures appropriate oversight, control procedures and due process in decision-making.

Cash Flow and Funding Plans: Analyze and understand cash flow requirements and the funding needed to finance operations and growth. Assess the company's ability to secure capital, especially in the current economic climate.

Risk Management Framework: Review the risk management framework, paying special attention to areas that contributed to incidents like FTX's collapse. Evaluate its approach to managing market risk, custody risk, technology/cyber risk, reputational risk, model risk and credit risk.

Segregation of Funds: Ensure that customer funds are properly segregated from company funds and that this segregation is monitored regularly. If subledgers are involved, request regular audits and daily balancing reports.

Cash Management Processes: Scrutinize the cash management processes to ensure transparency and control over operational funds.

Liquidity Management: Assess liquidity management practices and identify vulnerabilities that could lead to bank-style runs.

Information Security: Review how the company handles sensitive data – look for evidence of security, encryption, and compliance with data protection and privacy regulations.

Technology Performance Tracking: Evaluate the company's technology performance tracking reports and review its business continuity plan, incident response plan, disaster recovery plan, and related testing.

Proof of Reserves and Liabilities: Require the company to provide evidence of its reserves for each banking relationship and proof of liabilities, with external audits conducted by reputable firms.

Regulatory Compliance: Review documentation demonstrating the fintech's adherence to relevant regulations and industry standards. Ensure active internal monitoring of compliance through audits and assessments.

Legal Agreements: Verify that legal agreements establish clear service level requirements, remediation procedures, termination rights for the bank, and parameters for disengagement.

By working through these diligence considerations, banks can conduct more comprehensive assessments of non-bank fintech partners, mitigate risks effectively, and ensure compliance with regulatory expectations.

Here are some actions banks should take internally related to their non-bank partners:

  • Ensure board-level involvement in third-party risk management, including setting risk appetite, receiving regular updates, and making critical decisions.
  • Require disciplined board review and approval of new products and of new NBFI, fintech and vendor relationships.
  • Maintain a robust Third-Party Risk Management policy with a dedicated team.
  • Develop criteria for Banking as a Service (BaaS) partners that take into account the partner’s license status and clearly impose appropriate risk management requirements.
  • Continuously monitor third-party performance and compliance with agreed-upon terms, assessing any changes in risk profiles and addressing emerging issues promptly.
  • Develop exit strategies for ending relationships with third parties, including contingency plans for transitioning services smoothly if necessary.
  • Develop stress tests and continuity plans for a non-bank failure; consider how this would impact bank operations, and how the bank would manage the event (considerations similar to a credit workout and foreclosures). Incorporate protections into non-bank contracts.
  • Periodically validate the effectiveness of third-party risk management processes through audits, assessments, and independent reviews.
  • Diversify FinTech and Vendor relationships. Do not take excessive risk on high concentrations of services and revenue.
  • Establish an Internal Security Operations Center (SOC) to address the remediation of ineffective internal routines, controls, and Suspicious Activity reporting.
  • Implement an Incident Response Escalation process for all partners, including non-banks and third-party vendors, as part of the bank's risk and contingency management practices.

In conclusion, as the financial landscape continues to transform with the increasing involvement of non-bank financial institutions, it is imperative that banks recognize and manage the significant risks associated with these partnerships, and treat them with a higher level of diligence and scrutiny than they apply to credit risk management.

This presentation is being furnished on a confidential basis to provide preliminary summary information. The information, tools and material (collectively, information) contained herein is not directed to or intended for distribution or use by any person or entity who is a citizen or resident of or located in any jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or which would subject Endurance Advisory Partners, LLC, to any registration or licensing requirement within such jurisdiction.

The information presented herein is provided for informational purposes only and is not to be used or considered as an offer to sell, or buy securities or other financial instruments, or any advice or recommendation with respect to such securities or other financial instruments. The information may not be reproduced in whole or in part or otherwise made available without the prior written consent of Endurance Advisory Partners, LLC. Information and opinions presented have been obtained or derived from sources believed to be reliable, but Endurance Advisory Partners, LLC makes no representation as to their accuracy or completeness. Endurance Advisory Partners, LLC, accepts no liability for any loss arising from the use of the information contained herein.

This information is subject to periodic update and revision. Materials should only be considered current as of the date of the initial publication, without regard to the date on which you may access the information. Endurance Advisory Partners, LLC, maintains the right to delete or modify the information without prior notice.

Under no circumstances and under no theory of law, tort, contract, strict liability or otherwise, shall Endurance Advisory Partners, LLC be liable to anyone for any damages resulting from access or use of, or inability to access or use, this information regardless of whether they are direct, indirect, special, incidental, or consequential damages of any character, including damages for trading losses or lost profits, or for any claim or demand by any third party, even if Endurance Advisory Partners, LLC knew or had reason to know of the possibility of such damages, claim or demand.