1
February 2020
CONDUCTING
BUSINESS WITH BANKS
A GUIDE FOR FINTECHS AND THIRD PARTIES
The FDIC’s technology lab, FDiTech,
partners with banks, private companies,
regulators and others to bring about
new technologies that enhance the
operations of financial institutions and
encourage innovation that meets
consumer demand. This Guide is the
first in a series of new resources from
FDiTech to help fintechs and third
parties partner with banks.
Insured banks are examined for safety and soundness,
consumer protection, and compliance with laws and
regulations. The FDIC is the primary federal banking
regulator for more than 3,400 state-chartered banks
and conducts regular examinations of these banks
every 12 to 18 months. These examinations include an
assessment of how a bank manages the risks presented
by its relationships with third parties.
Businesses from outside the banking industry can bring
innovation and new insights into the highly regulated
business of banking. Understanding the environment in
which banks operate will help innovators navigate the
regulatory requirements unique to banking.
February 2020
CONDUCTING
BUSINESS WITH BANKS
A GUIDE FOR FINTECHS AND THIRD PARTIES
The FDIC’s technology lab, FDiTech,
partners with banks, private companies,
regulators and others to bring about
new technologies that enhance the
operations of financial institutions and
encourage innovation that meets
consumer demand. This Guide is the
first in a series of new resources from
FDiTech to help fintechs and third
parties partner with banks.
Insured banks are examined for safety and soundness,
consumer protection, and compliance with laws and
regulations. The FDIC is the primary federal banking
regulator for more than 3,400 state-chartered banks
and conducts regular examinations of these banks
every 12 to 18 months. These examinations include an
assessment of how a bank manages the risks presented
by its relationships with third parties.
Businesses from outside the banking industry can bring
innovation and new insights into the highly regulated
business of banking. Understanding the environment in
which banks operate will help innovators navigate the
regulatory requirements unique to banking.
2
HOW DO BANKS DECIDE WHICH THIRD
PARTIES TO USE?
Banks use third parties for many different aspects of
their operations. Bank management remains ultimately
responsible for identifying and controlling risks and
activities conducted by or through their bank, whether
these risks and activities arise directly or through an
outside party.
Banks establish risk management programs to
manage the risks associated with third-party
relationships. While each bank is unique, third-party
risk management programs generally address four
basic elements:
• Assessing the risk associated with the activity
being conducted.
• Conducting due diligence in selecting a third party.
• Structuring contracts and reviewing those contracts
at appropriate levels at the bank.
• Overseeing and managing the third-party
relationship on an ongoing basis.
Banks tailor their third-party risk management
program to their specific risk profile and product
offerings. However, risk assessment and due diligence
considerations generally include the following:
Compliance with applicable laws and
regulations by considering whether:
• The activity to be conducted is permitted by
applicable laws and regulations;
• The third party has the appropriate license, charter,
or registration to conduct the activity;
• The third party has familiarity with regulated financial
institutions, and can demonstrate compliance with
applicable laws and regulations; and
• There are complaints, litigation, or regulatory
actions against the third party.
Financial condition of the third party
by assessing:
• Available financial information on the third party;
• The impact of the proposed contract on the third
party’s financial condition;
• Insurance coverage; and
• The third party’s current capital, projected earnings,
and funding sources to ensure long-term viability.
(Sources of future funding may be particularly
helpful in the case of a startup third party.)
Ownership and management structure
by reviewing:
• The ownership structure and the qualifications and
experience of the third party in implementing and
monitoring the proposed activity;
• The third party’s organizational structure,
business resumption strategy and contingency and
management succession plans; and
• The third party’s strategies and goals, including
service philosophy, quality initiatives, efficiency
improvements, and employment policies.
HOW DO BANKS DECIDE WHICH THIRD
PARTIES TO USE?
Banks use third parties for many different aspects of
their operations. Bank management remains ultimately
responsible for identifying and controlling risks and
activities conducted by or through their bank, whether
these risks and activities arise directly or through an
outside party.
Banks establish risk management programs to
manage the risks associated with third-party
relationships. While each bank is unique, third-party
risk management programs generally address four
basic elements:
• Assessing the risk associated with the activity
being conducted.
• Conducting due diligence in selecting a third party.
• Structuring contracts and reviewing those contracts
at appropriate levels at the bank.
• Overseeing and managing the third-party
relationship on an ongoing basis.
Banks tailor their third-party risk management
program to their specific risk profile and product
offerings. However, risk assessment and due diligence
considerations generally include the following:
Compliance with applicable laws and
regulations by considering whether:
• The activity to be conducted is permitted by
applicable laws and regulations;
• The third party has the appropriate license, charter,
or registration to conduct the activity;
• The third party has familiarity with regulated financial
institutions, and can demonstrate compliance with
applicable laws and regulations; and
• There are complaints, litigation, or regulatory
actions against the third party.
Financial condition of the third party
by assessing:
• Available financial information on the third party;
• The impact of the proposed contract on the third
party’s financial condition;
• Insurance coverage; and
• The third party’s current capital, projected earnings,
and funding sources to ensure long-term viability.
(Sources of future funding may be particularly
helpful in the case of a startup third party.)
Ownership and management structure
by reviewing:
• The ownership structure and the qualifications and
experience of the third party in implementing and
monitoring the proposed activity;
• The third party’s organizational structure,
business resumption strategy and contingency and
management succession plans; and
• The third party’s strategies and goals, including
service philosophy, quality initiatives, efficiency
improvements, and employment policies.