In the rapidly evolving financial ecosystem, financial institutions (FIs) increasingly rely on third parties, including Fintech companies, Banking-as-a-Service (BaaS) providers, and other financial service entities, to expand their capabilities and improve customer experiences. However, such partnerships introduce complex risks that require a structured approach to compliance and governance. Two key regulatory documents provide a roadmap for managing these risks:
- The 2023 Interagency Guidance on Third-Party Relationships: Risk Management
- The 2024 Joint Agency Third-Party Risk Management (TPRM) Guide for Community Banks
Together, these guides offer a comprehensive framework for both financial institutions and their third-party partners to ensure compliance, mitigate risks, and foster sustainable partnerships. Additionally, recent regulatory enforcement actions illustrate the consequences of poor third-party risk management, offering critical lessons for the industry.
This roadmap is crucial not only for financial institutions seeking to maintain compliance but also for third parties, including Fintechs, BaaS providers, and other financial service providers, that must effectively support their banking partners and align with regulatory expectations.
Understanding the Regulatory Landscape
The 2023 Interagency Guidance sets the foundation for third-party risk management by outlining best practices for risk assessment, due diligence, ongoing monitoring, and governance. This applies broadly across all banking organizations and their third-party relationships. Meanwhile, the 2024 Joint Agency TPRM Guide tailors these principles specifically for community banks, offering practical implementation strategies and considerations for smaller institutions with limited resources.
For both banks and third parties, understanding and adhering to this framework is critical. The guidance emphasizes that third-party relationships do not absolve banks of their compliance responsibilities, meaning that banks must manage and oversee these partnerships as if the activities were conducted in-house. Several recent enforcement actions demonstrate what happens when financial institutions fail to do so.
The Third-Party Relationship Lifecycle
Both documents establish a structured third-party relationship lifecycle, which serves as a roadmap for compliance and risk management.
Planning: Before entering a third-party relationship, financial institutions must assess the strategic benefits and risks of engagement and ensure compliance, security, and financial considerations are thoroughly analyzed. For example, a regional bank considering a partnership with a Fintech company for mobile payment processing should evaluate how the service aligns with its strategic goals, regulatory obligations, and cybersecurity infrastructure. Third parties should be prepared to demonstrate alignment with the financial institution’s regulatory and operational expectations, providing clear justifications for their role in the partnership.
Due Diligence & Third-Party Selection: Financial institutions must conduct rigorous evaluations of potential third parties, assessing their legal standing, financial health, risk management controls, and compliance history with regulations including, but not limited to, fair lending and anti-money laundering laws. For instance, a bank engaging a cloud service provider must verify the provider's cybersecurity protocols, data protection measures, and regulatory compliance to mitigate operational risks. Third parties, in turn, should proactively provide comprehensive documentation of their risk management frameworks, security policies, and regulatory adherence to streamline the due diligence process and establish trust.
Contract Negotiation: Contracts should clearly define responsibilities, performance metrics, audit rights, data security provisions, and termination clauses. For example, a community bank outsourcing loan processing to a third-party vendor must ensure that the contract includes clear service-level agreements (SLAs) outlining response times, compliance requirements, and data access rights. Financial institutions must ensure that contracts facilitate effective risk management and compliance oversight. Third parties should negotiate contracts that align with their operational capabilities while also meeting the stringent regulatory requirements imposed by banking partners.
Ongoing Monitoring: Once a third-party relationship is established, continuous monitoring is essential to verify that performance meets contractual obligations and regulatory requirements. For example, a bank using an external customer service platform should regularly assess whether the provider meets customer service standards, complies with consumer protection laws, and safeguards sensitive customer data. Financial institutions must regularly audit third-party activities, review compliance documentation, and assess risk exposure. Third parties should maintain transparency by providing timely reports and proactively addressing any concerns raised by their banking partners.
Termination & Exit Strategy: A well-defined termination and exit strategy is critical to ensure minimal disruption in case a third-party relationship needs to be discontinued. If a bank decides to sever ties with a payment processing provider due to performance issues, it must have a clear transition plan to migrate customer transactions seamlessly to another provider or bring the function in-house. Financial institutions must develop contingency plans that allow for a smooth transition of services, safeguarding operational stability. Third parties should cooperate with their banking partners in this process by ensuring that all necessary data, records, and processes are transferred securely and in compliance with regulatory requirements.
The Role of Fintechs, BaaS, and Other Third Parties
For Fintechs, BaaS providers, and financial service firms, these guidelines serve as a comprehensive playbook for establishing strong, compliant relationships with financial institutions. To achieve regulatory readiness, third parties are required to maintain compliance frameworks that are not only strong but also closely aligned with federal banking regulations. This involves staying informed about regulatory changes and ensuring that their operational practices meet the stringent standards imposed by the financial sector.
Risk transparency is another critical factor, necessitating that third parties provide clear and comprehensive assessments, audit results, and compliance documentation to their banking partners. This transparency helps build trust and facilitates smoother interactions, as banks can readily verify that their partners are adhering to necessary compliance standards.
Operational resilience is equally important, ensuring that business continuity plans, cybersecurity measures, and risk mitigation strategies are meticulously documented and regularly updated. This preparation is crucial for minimizing disruptions in service and maintaining security, particularly in the face of unforeseen challenges or cyber threats.
Additionally, contractual clarity is necessary to define compliance responsibilities and expectations clearly, thereby mitigating risks and fostering long-term partnerships. Contracts should explicitly outline the roles, responsibilities, and compliance obligations of each party, reducing the likelihood of disputes and ensuring that all parties are aligned in their objectives and practices. When “boilerplate” language is included, it is critical that service providers clarify with their banking partners how each contract provision applies to establish realistic expectations. For example, if a contract stipulates that a service provider is responsible for complying with consumer protection laws, but the provider only facilitates business-to-business (B2B) payments, the service provider should confirm whether the bank expects the provider to develop and implement consumer protection policies. By adhering to these guidelines and establishing expectations up front, Fintechs and other third parties can effectively support their banking partners, aligning with regulatory requirements and contributing to stable, productive partnerships.
Lessons from Regulatory Enforcement Actions
The 2023 Interagency Guidance and the 2024 Joint Agency TPRM Guide set out the framework: due diligence, ongoing monitoring, and governance across the lifecycle of a third-party relationship. Putting those principles into practice is what matters, and recent regulatory enforcement actions show the real-world consequences when institutions do not. Financial institutions without a strong TPRM framework risk regulatory penalties, reputational damage, and operational disruptions. The following enforcement actions illustrate critical failures in third-party risk management and the lessons learned:
Blue Ridge Bank (2022) – Insufficient Due Diligence and BSA Compliance Gaps
The OCC’s enforcement action against Blue Ridge Bank revealed serious deficiencies in its third-party risk management framework. The bank engaged in partnerships with Fintech firms without establishing adequate oversight mechanisms. As a result, there were failures in transaction monitoring, leading to significant Bank Secrecy Act / Anti-Money Laundering (BSA/AML) non-compliance and increased exposure to illicit activities. Furthermore, regulators found that the bank’s risk assessment processes were inadequate, with missing or incomplete documentation on how Fintech partners adhered to compliance requirements.
Lesson Learned: Banks must conduct rigorous pre-engagement due diligence and establish continuous monitoring protocols to identify emerging risks in third-party relationships. A structured TPRM framework should include automated compliance checks, periodic audits, and strong internal controls.
Cross River Bank (2023) – Consumer Protection Failures in Fintech Lending
The FDIC’s consent order against Cross River Bank cited unsafe and unsound banking practices related to third-party credit underwriting and fair lending compliance. The bank had an aggressive Fintech lending strategy, which led to inadequate oversight of third-party credit products. Regulators found that the bank lacked effective risk controls for loan origination, underwriting practices, and consumer disclosures, leading to potential violations of the Equal Credit Opportunity Act (ECOA) and the Truth in Lending Act (TILA). Additionally, the bank’s compliance management system failed to identify and correct unfair lending practices, raising concerns over fair lending violations and potential consumer harm.
Lesson Learned: Financial institutions must enforce clear compliance obligations on Fintech partners and integrate automated monitoring systems to track adherence to fair lending laws. Establishing strong credit underwriting guidelines and internal auditing processes can prevent regulatory violations.
Lineage Bank (2024) – Inadequate Oversight of Banking-as-a-Service (BaaS) Relationships
The FDIC’s enforcement action against Lineage Bank marked a significant moment in BaaS regulation, with regulators citing poor governance, insufficient staffing, and lack of contingency planning in the bank’s Fintech partnerships. Lineage Bank partnered with multiple Fintech firms to offer banking services but failed to implement risk controls to oversee third-party activities. Examiners noted that the bank’s compliance and internal audit teams were understaffed, leading to delays in addressing regulatory concerns. Furthermore, the bank lacked a structured exit strategy, increasing risks in the event of a failed Fintech partnership.
Lesson Learned: Banks engaged in BaaS must establish dedicated governance structures and staff risk management teams to oversee Fintech partnerships effectively. A well-defined exit strategy ensures service continuity while minimizing operational disruptions.
Piermont Bank (2024) – Weak IT Risk Controls in Third-Party Management
Regulators issued a consent order against Piermont Bank after identifying deficiencies in IT security, compliance monitoring, and contractual risk oversight with Fintech partners. The bank engaged in high-risk third-party relationships without implementing sufficient cybersecurity protections, making it vulnerable to data breaches and operational failures. Examiners also found deficiencies in vendor contracts, particularly in defining clear security responsibilities and reporting requirements.
Lesson Learned: Banks must include cybersecurity risk assessments in their third-party due diligence and continuously monitor IT security controls to mitigate exposure. Establishing strong contractual agreements with Fintech partners that outline cybersecurity obligations, data protection measures, and audit rights is essential to reducing third-party risk.
Comerica Bank (2024) – Consumer Service Failures in a Third-Party Relationship
The CFPB lawsuit against Comerica Bank demonstrated how third-party mismanagement can directly harm consumers, many of whom were vulnerable seniors collecting much-needed Social Security benefits. The bank’s failure to oversee a government benefits card program led to customer service disruptions, unauthorized fees, and regulatory violations. Regulators found that Comerica’s third-party vendor disconnected millions of customer calls, failed to investigate fraud claims, and imposed illegal ATM fees on Social Security recipients.
Lesson Learned: Banks must not only ensure compliance in financial transactions but also in customer service delivery and dispute resolution mechanisms. Regular performance audits, consumer protection assessments, and third-party oversight frameworks are critical in maintaining regulatory compliance.
Key Takeaways
Recommendations for Banks: Strengthening Third-Party Risk Oversight
These enforcement actions reinforce the need for banks to align their third-party risk management strategies with regulatory expectations. To enhance compliance and operational effectiveness, banks should:
- Formalize Third-Party Risk Management Programs: Banks must ensure that due diligence, risk assessments, contract management, and ongoing monitoring are structured within a documented program. Board approval should be required for high-risk Fintech partnerships, with annual reviews of the effectiveness of third-party relationships.
- Enhance Fair Lending and Consumer Protection Measures: For banks that engage Fintechs that are involved in lending activity or that offer consumer-purpose products and services, compliance programs should include automated fair lending and consumer compliance risk assessments, independent audits, and proactive engagement with regulators. Clear procedures should be in place to address consumer complaints and ensure compliance with applicable consumer protection laws and regulations.
- Strengthen AML and OFAC Oversight: Banks must implement real-time transaction monitoring systems, Fintech-specific AML policies, and enhanced screening processes for high-risk partners. Third-party agreements should include clear escalation protocols for suspicious activity and regulatory reporting obligations.
- Develop Contingency and Exit Strategies: Banks should maintain clear termination protocols for Fintech partnerships, ensuring a seamless transition of customer accounts in the event of partner failure or regulatory non-compliance. Backup plans should include alternative service providers and contractual safeguards to prevent disruption to customers.
- Improve Data Governance and Reporting: Banks must ensure that data-sharing agreements with third parties meet regulatory expectations, including provisions for customer data privacy, audit rights, and compliance certifications. Reporting systems should enable real-time insights into Fintech-driven activities and risk exposure.
Recommendations for Third-Party Providers: Supporting Banking Partners
While banks bear the ultimate regulatory responsibility for third-party activities, Fintechs and payment providers must also take proactive steps to align with regulatory expectations and strengthen partnerships with banks.
- Enhance Compliance Transparency: Fintechs should provide banks with detailed compliance documentation, including independent audit reports, written policies and procedures, and risk assessments addressing all applicable regulatory requirements and expectations set by the bank. Banks require clear visibility into regulatory compliance efforts to meet supervisory expectations.
- Improve Risk Management Capabilities: Third-party providers must implement strong internal controls for transaction monitoring, cybersecurity, and fraud prevention. Banks need assurance that Fintechs have strong operational risk frameworks in place to detect and mitigate threats proactively.
- Facilitate Ongoing Regulatory Reporting: Fintechs should establish real-time data-sharing agreements with banks to support regulatory reporting obligations. This includes automated transaction tracking, customer risk assessments, and compliance dashboards that align with bank reporting structures.
- Collaborate on Consumer Protection Initiatives: Since banks remain liable for Fintech-related consumer complaints, third-party providers should develop clear customer dispute resolution processes, consumer education resources, and responsive compliance teams to address regulatory concerns.
- Prepare for Exit and Contingency Scenarios: Fintechs should maintain detailed wind-down plans and transition protocols to minimize disruption in case of contract termination or regulatory enforcement. This includes data portability measures, customer migration strategies, and clear exit agreements with banking partners.
Conclusion | A Compliance-First Approach to Third-Party Relationships
As financial institutions increasingly collaborate with Fintech companies and Banking-as-a-Service (BaaS) providers, comprehensive third-party risk management frameworks are critical across the financial services sector. The complexity of these partnerships demands a rigorous approach to managing risk, as outlined in the 2023 Interagency Guidance and the 2024 Joint Agency TPRM Guide, which emphasize regulatory compliance, thorough risk assessment, and operational resilience.
Recent enforcement actions against banks like Blue Ridge, Cross River, Lineage, Piermont, and Comerica underline the severe consequences of inadequate TPRM practices. These cases underscore the urgent need for financial institutions to maintain vigilant oversight of third-party relationships, ensuring compliance across all operational areas, including cybersecurity and consumer protection. The heightened regulatory scrutiny demands that both banks and their partners adopt a proactive, compliance-first approach to managing third-party engagements.
As financial institutions expand their Fintech partnerships, balancing innovation with compliance becomes paramount. By integrating detailed risk assessments, governance controls, and continuous monitoring, institutions and their third-party providers can leverage compliance as a strategic advantage, fostering secure and sustainable partnerships. Those that strengthen oversight, enhance due diligence, and maintain real-time risk visibility will thrive in this evolving regulatory environment, while those that fail to adapt risk becoming the next subject of enforcement actions.
Disclaimer and Source Documents
This article is based on publicly available regulatory enforcement actions, including consent orders and supervisory findings issued by the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Consumer Financial Protection Bureau (CFPB). Specific cases referenced include Blue Ridge Bank (2022), Cross River Bank (2023), Lineage Bank (2024), Comerica Bank (2024), and Piermont Bank (2024). The analysis reflects interpretations of regulatory trends and does not constitute legal advice.
How Ankura Can Help
Navigating the complexities of third-party risk management requires expertise in regulatory compliance, risk assessment, and operational resilience. Ankura works with financial institutions and Fintech companies to develop and implement comprehensive TPRM frameworks that align with regulatory expectations. By conducting thorough assessments, Ankura helps organizations identify gaps in governance, due diligence, and monitoring, ensuring that third-party relationships are managed effectively and in compliance with evolving regulations.
Ankura also supports financial institutions in strengthening their cybersecurity and IT risk management strategies, evaluating third-party IT security controls, and enhancing data protection frameworks. Additionally, Ankura assists in ensuring compliance with consumer protection and fair lending regulations, helping institutions mitigate risks related to ECOA, TILA, and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). Through collaborative engagement, Ankura enables financial institutions and Fintech providers to build resilient, compliant, and sustainable business relationships, while proactively addressing regulatory requirements and mitigating third-party risks.
Partnering with Ankura ensures that financial institutions and fintech companies can proactively address regulatory requirements, mitigate third-party risks, and build sustainable, compliant business relationships.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.