WEBVTT

NOTE
This file was generated by Descript 

00:00:00.460 --> 00:00:02.440
Samantha: Hello, this is Samantha Shares.

00:00:03.140 --> 00:00:05.840
This episode covers the
Joint Statement on Banksâ

00:00:06.500 --> 00:00:10.690
Arrangements with Third Parties to
Deliver Bank Deposit Products and Services

00:00:11.374 --> 00:00:16.034
Note that N C U A is not part of this
issuance, however, it is still relevant

00:00:16.034 --> 00:00:18.424
to credit unions consideration of risks.

00:00:19.112 --> 00:00:22.352
This podcast is educational
and is not legal advice.

00:00:22.842 --> 00:00:26.882
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:26.882 --> 00:00:29.942
team has over two hundred and
Forty years of National Credit

00:00:29.942 --> 00:00:31.862
Union  Administration experience.

00:00:32.312 --> 00:00:35.942
We assist our clients with N C
U A so they save time and money.

00:00:36.472 --> 00:00:40.392
If you are worried about a recent,
upcoming or in process N C U A

00:00:40.392 --> 00:00:44.842
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:45.252 --> 00:00:49.602
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:49.602 --> 00:00:52.142
on how to achieve success with N C U A.

00:00:52.903 --> 00:00:54.213
And now the joint statement.

00:00:54.948 --> 00:00:58.318
Joint Statement on Banksâ Arrangements
with Third Parties to Deliver

00:00:58.318 --> 00:01:00.448
Bank Deposit Products and Services

00:01:01.186 --> 00:01:04.676
The Board of Governors of the Federal
Reserve System (Board), the Federal

00:01:04.676 --> 00:01:08.776
Deposit Insurance Corporation (FDIC),
and the Office of the Comptroller of

00:01:08.776 --> 00:01:12.586
the Currency (OCC) (collectively, the
agencies) are issuing this statement

00:01:12.586 --> 00:01:16.356
to note potential risks related to
arrangements between banks and third

00:01:16.356 --> 00:01:21.736
parties1 to deliver bank deposit products
and services to end users.2 This statement

00:01:21.736 --> 00:01:26.466
highlights examples of risk management
practices by banks to manage such risks.

00:01:26.956 --> 00:01:31.496
This statement reemphasizes existing
guidance; it does not alter existing

00:01:31.496 --> 00:01:36.266
legal or regulatory requirements or
establish new supervisory expectations.

00:01:36.935 --> 00:01:41.085
The agencies support responsible
innovation and support banks in pursuing

00:01:41.085 --> 00:01:45.175
third-party arrangements in a manner
consistent with safe and sound practices

00:01:45.445 --> 00:01:49.665
and in compliance with applicable laws
and regulations, including, but not

00:01:49.665 --> 00:01:53.885
limited to, those designed to protect
consumers (such as fair lending laws

00:01:53.885 --> 00:01:58.385
and prohibitions against unfair,
deceptive, or abusive acts or practices)

00:01:58.665 --> 00:02:02.305
and those addressing financial crimes
(such as fraud and money laundering).

00:02:02.715 --> 00:02:05.695
Banks are neither prohibited
nor discouraged from providing

00:02:05.695 --> 00:02:09.925
banking services to customers of
any specific class or type, as

00:02:09.925 --> 00:02:11.905
permitted by law or regulation.

00:02:12.581 --> 00:02:16.531
Some banks have entered into arrangements
with third parties to deliver deposit

00:02:16.531 --> 00:02:20.521
products and services (such as checking
and savings accounts) to end users.

00:02:21.091 --> 00:02:25.141
Banks may do this in order to increase
revenue, raise deposits, expand

00:02:25.141 --> 00:02:29.481
geographic reach, or to achieve other
strategic objectives, including by

00:02:29.481 --> 00:02:33.621
leveraging new technology or offering
innovative products and services.

00:02:33.911 --> 00:02:37.431
In these arrangements, a third party,
rather than the bank, typically

00:02:37.431 --> 00:02:41.541
markets, distributes or otherwise
provides access to or facilitates the

00:02:41.541 --> 00:02:46.181
provision of the deposit product or
service directly to the end user.3 In

00:02:46.181 --> 00:02:50.161
some arrangements, banks rely on one
or multiple third parties to maintain

00:02:50.161 --> 00:02:54.631
the deposit and transaction system of
record; process payments (sometimes with

00:02:54.631 --> 00:02:58.401
the ability to directly submit payment
instructions to payment networks);

00:02:58.801 --> 00:03:03.551
perform regulatory compliance functions;
provide end-user facing technology

00:03:03.551 --> 00:03:08.841
applications; service accounts; perform
customer service; and perform complaint

00:03:08.841 --> 00:03:10.761
and dispute resolution functions.

00:03:11.321 --> 00:03:14.271
These third parties are sometimes
referred to as intermediate

00:03:14.271 --> 00:03:18.481
platform providers, processors,
middleware providers, aggregation

00:03:18.481 --> 00:03:20.561
layers, and/or program managers.

00:03:21.001 --> 00:03:25.091
A bankâs use of third parties to perform
certain activities does not diminish

00:03:25.091 --> 00:03:29.151
its responsibility to comply with
all applicable laws and regulations.

00:03:29.892 --> 00:03:33.692
1 These sometimes include non-bank
companies, such as, but not

00:03:33.692 --> 00:03:37.272
limited to, certain financial
technology (or fintech) companies.

00:03:37.999 --> 00:03:42.139
2 For purposes of this statement,
an âend userâ includes consumers

00:03:42.139 --> 00:03:45.679
and businesses accessing deposit
products and services through the

00:03:45.679 --> 00:03:47.579
arrangements described in this statement.

00:03:48.359 --> 00:03:52.319
3 These arrangements are sometimes
referred to as âbanking-as-a-serviceâ

00:03:52.419 --> 00:03:55.649
or âembedded financeâ depending
on the structure and parties

00:03:55.649 --> 00:03:57.009
involved in the arrangement.

00:03:57.664 --> 00:04:01.674
Similar structures have been utilized for
certain activities in the banking industry

00:04:01.674 --> 00:04:05.904
for many years, such as activities
related to prepaid card programs.

00:04:06.464 --> 00:04:10.014
However, the agencies have observed
an evolution and expansion of

00:04:10.014 --> 00:04:13.594
these arrangements to include more
complex arrangements that involve

00:04:13.594 --> 00:04:17.554
the reliance on third parties to
deliver deposit products and services.

00:04:18.310 --> 00:04:19.330
POTENTIAL RISKS

00:04:19.974 --> 00:04:22.834
Depending on the structure,
third-party arrangements for the

00:04:22.834 --> 00:04:26.954
delivery of deposit products and
services can involve elevated risks.

00:04:27.544 --> 00:04:30.834
The agencies have observed that
risks may be elevated in certain

00:04:30.834 --> 00:04:33.414
circumstances, such as the examples below.

00:04:34.200 --> 00:04:35.830
Operational and Compliance

00:04:36.442 --> 00:04:41.072
â¢	Significant operations performed by a
third party: Substantially relying on

00:04:41.072 --> 00:04:45.322
third parties to manage a bankâs deposit
operations can eliminate or reduce a

00:04:45.322 --> 00:04:49.562
bankâs crucial existing controls over
and management of the deposit function.

00:04:50.062 --> 00:04:53.552
Without adequate initial due
diligence and ongoing monitoring,

00:04:53.722 --> 00:04:57.112
risks to the integrity of a bankâs
deposit function are heightened.4

00:04:58.653 --> 00:05:03.413
â¢	Fragmented operations: Fragmented
operational functions for deposit products

00:05:03.413 --> 00:05:07.593
and services among multiple third parties
may make it more difficult for the bank

00:05:07.593 --> 00:05:11.943
to effectively assess risks and assess
whether all third parties can and do

00:05:11.943 --> 00:05:14.203
perform assigned functions as intended.

00:05:14.932 --> 00:05:19.602
â¢	Lack of access to records: A potential
lack of sufficient access by a bank to

00:05:19.602 --> 00:05:23.782
the deposit and transaction system of
record and other crucial information

00:05:23.842 --> 00:05:27.112
and data maintained by the third
party can impair the bankâs ability

00:05:27.112 --> 00:05:29.352
to determine its deposit obligations.

00:05:30.052 --> 00:05:34.092
In some circumstances, such uncertainty
can lead to delays in end-usersâ

00:05:34.092 --> 00:05:37.822
access to their deposits, which
in turn can expose the bank to

00:05:37.822 --> 00:05:40.082
additional legal and compliance risks.

00:05:40.760 --> 00:05:45.090
â¢	Third parties performing compliance
functions: Reliance on third parties to

00:05:45.090 --> 00:05:49.480
perform regulatory compliance functions
may increase the risk of the bank not

00:05:49.480 --> 00:05:51.410
meeting its regulatory requirements.

00:05:51.930 --> 00:05:55.870
Specifically, the third party may
perform certain regulatory compliance

00:05:55.870 --> 00:05:59.470
functions such as monitoring and
reporting suspicious activity,

00:05:59.690 --> 00:06:04.000
customer identification programs,
customer due diligence, and sanctions

00:06:04.000 --> 00:06:05.760
compliance on behalf of the bank.

00:06:06.200 --> 00:06:09.290
Regardless of whether the functions
are shared between the bank and

00:06:09.290 --> 00:06:13.280
the third party, the bank remains
responsible for failure to comply

00:06:13.280 --> 00:06:14.840
with applicable requirements.

00:06:15.501 --> 00:06:19.291
â¢	Insufficient risk management to meet
consumer protection obligations:

00:06:19.681 --> 00:06:22.931
Insufficient oversight of these
arrangements may impact a bankâs

00:06:22.931 --> 00:06:27.571
compliance with consumer protection laws
and regulations, such as requirements

00:06:27.571 --> 00:06:31.351
under Regulation E (implementing
the Electronic Fund Transfer Act)

00:06:31.351 --> 00:06:35.071
to investigate and resolve certain
payment disputes within required

00:06:35.880 --> 00:06:39.360
4 Depending on the structure, such
arrangements may also introduce

00:06:39.360 --> 00:06:43.110
security vulnerabilities, including
by providing another access

00:06:43.110 --> 00:06:44.670
point into the bankâs systems.

00:06:45.300 --> 00:06:50.340
Integration may amplify operational
risks, such as fraud, cybersecurity, and

00:06:50.340 --> 00:06:54.270
data privacy incidents occurring at the
third party that then affect the bank.

00:06:55.007 --> 00:06:58.997
timeframes, and under Regulation DD
(implementing the Truth in Savings

00:06:58.997 --> 00:07:02.817
Act) to provide certain disclosures
regarding consumer deposit accounts.

00:07:03.397 --> 00:07:07.227
Presenting insufficient or misleading
information to end users also may

00:07:07.227 --> 00:07:11.117
result in violations of laws and
regulations, including consumer

00:07:11.117 --> 00:07:15.877
protection requirements.5 In addition,
inadequate complaint administration

00:07:15.877 --> 00:07:19.967
and error resolution processes may
limit a bankâs ability to effectively

00:07:19.967 --> 00:07:24.337
identify and address issues impacting
end users of the deposit accounts and

00:07:24.337 --> 00:07:26.337
result in potential consumer harm.

00:07:27.054 --> 00:07:31.094
â¢	Lack of contracts: Multiple levels
of third-party and subcontractor

00:07:31.094 --> 00:07:34.394
relationships, where the bank
does not have direct contracts

00:07:34.394 --> 00:07:38.154
with entities that perform crucial
functions may pose challenges to the

00:07:38.154 --> 00:07:42.954
bankâs ability to identify, assess,
monitor, and control various risks.

00:07:43.633 --> 00:07:48.103
â¢	Lack of experience with new methods:
Arrangements leveraging new technologies

00:07:48.103 --> 00:07:52.173
or new methods of facilitating deposit
products and services with which bank

00:07:52.173 --> 00:07:56.183
management and staff do not have prior
experience may result in inadequate

00:07:56.183 --> 00:08:00.223
risk and compliance management
practices to manage or oversee these

00:08:00.223 --> 00:08:02.233
arrangements and associated risks.

00:08:02.955 --> 00:08:07.435
â¢	Weak audit coverage: Lack of sufficient
audit scope and coverage, follow-up

00:08:07.435 --> 00:08:11.225
processes, and remediation may
result in inadequate oversight of

00:08:11.225 --> 00:08:14.795
these arrangements and reduce the
effectiveness of the audit function.

00:08:15.497 --> 00:08:15.787
Growth

00:08:16.575 --> 00:08:21.055
â¢	Misaligned incentives: A third partyâs
incentives may not be aligned with those

00:08:21.055 --> 00:08:25.145
of the bank, such as when a third party
may be incentivized to promote growth

00:08:25.145 --> 00:08:29.655
in a manner that is not aligned with the
bankâs regulatory obligations, resulting

00:08:29.655 --> 00:08:33.655
in insufficient attention to risk
management and compliance obligations.

00:08:34.364 --> 00:08:38.724
â¢	Operational capabilities lag growth:
Rapid growth as a result of these

00:08:38.724 --> 00:08:42.514
arrangements (either in the overall
number of arrangements or in the size

00:08:42.514 --> 00:08:46.464
of specific arrangements) may result
in risk management and operational

00:08:46.464 --> 00:08:48.514
processes struggling to keep pace.

00:08:49.282 --> 00:08:53.322
â¢	Financial risks from funding
concentrations: Arrangements may result

00:08:53.322 --> 00:08:57.732
in significant and rapidly increasing
funding concentrations, which may make

00:08:57.732 --> 00:09:01.462
it more challenging for the bank to
manage and mitigate liquidity and funding

00:09:01.462 --> 00:09:06.472
risks, particularly when funding is
deployed in illiquid or long-term assets.

00:09:07.075 --> 00:09:11.675
â¢	Inability to manage emerging liquidity
risks: Arrangements where a significant

00:09:11.675 --> 00:09:16.365
proportion of a bankâs deposits or revenue
are associated with a third party may pose

00:09:16.365 --> 00:09:20.955
liquidity risks, such that the bank may
be reluctant to make decisions necessary

00:09:20.955 --> 00:09:25.595
to manage those risks, including, if
necessary, to terminate the arrangement.

00:09:26.418 --> 00:09:31.308
5 Such laws and regulations include (among
others) the prohibition against unfair or

00:09:31.308 --> 00:09:36.428
deceptive acts or practices under Section
5 of the Federal Trade Commission Act, and

00:09:36.428 --> 00:09:41.428
the prohibition against unfair, deceptive,
or abusive acts or practices under Title

00:09:41.468 --> 00:09:46.638
X of the Dodd-Frank Wall Street Reform and
Consumer Protection Act (Dodd-Frank Act).

00:09:47.354 --> 00:09:52.214
â¢	Pressure on capital levels: Arrangements
may result in material and rapid balance

00:09:52.214 --> 00:09:56.134
sheet growth (including significant
intraday balance sheet levels) without

00:09:56.134 --> 00:09:57.854
commensurate capital formation.

00:09:58.549 --> 00:10:02.699
End User Confusion and Misrepresentation
of Deposit Insurance Coverage

00:10:03.384 --> 00:10:07.324
â¢	Potentially misleading statements and
marketing: Third-party arrangements

00:10:07.324 --> 00:10:11.194
for the delivery of deposit products
and services can pose risks of end

00:10:11.194 --> 00:10:15.404
user confusion related to deposit
insurance, which may be exacerbated

00:10:15.404 --> 00:10:19.204
by marketing materials or other
statements by nonbank third parties.

00:10:19.844 --> 00:10:23.454
Some nonbank third parties could be
reasonably mistaken for an insured

00:10:23.454 --> 00:10:27.854
depository institution (IDI) by end
users, particularly when they refer

00:10:27.854 --> 00:10:32.234
to FDIC deposit insurance in marketing
and other public-facing materials.

00:10:32.724 --> 00:10:36.734
End users may not be aware that access
to their funds may depend on the third

00:10:36.734 --> 00:10:41.074
party and that deposit insurance does
not protect against losses resulting

00:10:41.074 --> 00:10:42.774
from the failure of the third party.

00:10:43.531 --> 00:10:48.061
â¢	Regulatory violations: Inaccurate
or misleading information regarding

00:10:48.061 --> 00:10:51.531
the extent or manner under which
deposit insurance coverage is

00:10:51.531 --> 00:10:56.991
available could constitute a
violation under Part 328, Subpart B.6

00:10:57.772 --> 00:11:02.072
o	Omissions of material information
also may constitute misrepresentations

00:11:02.142 --> 00:11:03.282
under the FDICâs rule.

00:11:03.852 --> 00:11:08.452
Such deposit insurance misrepresentations
may occur, for example, when nonbank

00:11:08.452 --> 00:11:12.052
third parties have communicated to
end users that their funds are FDIC

00:11:12.052 --> 00:11:16.342
insured, without disclosing that FDIC
insurance protects only against the

00:11:16.342 --> 00:11:20.232
failure of an IDI, and not against
the failure of the nonbank entity.

00:11:21.002 --> 00:11:26.102
o	Deposit insurance misrepresentations
under Part 328 may also occur

00:11:26.102 --> 00:11:29.432
when parties to these arrangements
communicate to end users that their

00:11:29.432 --> 00:11:33.662
funds are insured by the FDIC on a
pass-through basis without disclosing

00:11:33.662 --> 00:11:37.702
that certain regulatory requirements7
must be satisfied for pass-through

00:11:37.702 --> 00:11:39.882
deposit insurance coverage to apply.8

00:11:40.905 --> 00:11:42.905
RISK MANAGEMENT AND
GOVERNANCE CONSIDERATIONS

00:11:43.355 --> 00:11:47.505
Banks are expected to operate in a
safe and sound manner and in compliance

00:11:47.505 --> 00:11:51.625
with applicable laws and regulations,
including those related to safety

00:11:51.625 --> 00:11:55.735
and soundness, consumer protection,
and anti-money laundering/countering

00:11:55.735 --> 00:11:57.695
the financing of terrorism (AML/CFT).

00:11:58.075 --> 00:11:59.645
Effective board and

00:12:00.070 --> 00:12:03.680
6 See 12 CFR 328, Subpart B.

00:12:04.354 --> 00:12:09.534
7 See 12 CFR 330.5, 330.7.

00:12:10.054 --> 00:12:14.064
For pass-through deposit insurance
to apply, a consumerâs funds must

00:12:14.064 --> 00:12:15.924
first be on deposit at an IDI.

00:12:16.404 --> 00:12:20.354
In addition: (1) the deposit account
records of the IDI must disclose a

00:12:20.354 --> 00:12:24.984
basis for pass-through coverage, such
as a custodial or agency relationship;

00:12:25.624 --> 00:12:29.124
(2) the identities and interests of
the actual owners of the funds must be

00:12:29.124 --> 00:12:32.924
ascertainable either from the records
of the IDI or records maintained in

00:12:32.924 --> 00:12:37.324
good faith and in the regular course of
business by another party; and (3) the

00:12:37.324 --> 00:12:41.404
relationship that provides the basis for
pass-through deposit insurance coverage

00:12:41.404 --> 00:12:45.874
must be genuine, with the deposited
funds actually owned by the named owners.

00:12:46.618 --> 00:12:49.588
Additional requirements apply
to arrangements involving

00:12:49.588 --> 00:12:51.458
multiple levels of relationships.

00:12:52.090 --> 00:12:56.220
8 See 12 CFR 328.102(b)(5).

00:12:57.004 --> 00:13:01.754
senior management oversight is crucial to
ensure a bankâs risk management practices

00:13:01.754 --> 00:13:06.244
are commensurate with the complexity,
risk, size, and nature of the activity and

00:13:06.244 --> 00:13:10.894
relationship, both when the relationship
commences and as it evolves over time.

00:13:11.354 --> 00:13:14.854
In this regard, banks should ensure
practices are consistent with the

00:13:14.854 --> 00:13:19.644
Interagency Guidelines Establishing
Standards for Safety and Soundness,9 and

00:13:19.644 --> 00:13:23.844
banks also are encouraged to review and
consider the risk management principles

00:13:23.844 --> 00:13:28.074
for third-party relationships set forth
in the Interagency Guidance on Third-Party

00:13:28.074 --> 00:13:32.724
Relationships: Risk Management.10
The list at the end of this document

00:13:32.724 --> 00:13:37.294
provides various existing resources,
including guidance, that may be helpful

00:13:37.294 --> 00:13:39.374
for banks managing such arrangements.

00:13:40.075 --> 00:13:44.135
The agencies have observed examples
of effective risk management practices

00:13:44.135 --> 00:13:47.815
that a bank may consider when managing
third-party arrangements for the

00:13:47.815 --> 00:13:53.045
delivery of deposit products and
services, including the examples below.11

00:13:53.817 --> 00:13:56.447
Governance and Third-Party
Risk Management12

00:13:57.190 --> 00:14:01.170
â¢	Developing and maintaining appropriate
policies and procedures that detail

00:14:01.200 --> 00:14:05.470
organizational structures, lines of
reporting and authorities, expertise

00:14:05.470 --> 00:14:09.340
and staffing, internal controls,
and audit functions to ensure that

00:14:09.340 --> 00:14:11.340
risks are understood and mitigated.

00:14:12.084 --> 00:14:16.614
â¢	Developing appropriate risk assessments
that identify and analyze risks specific

00:14:16.614 --> 00:14:18.164
to features of each arrangement.

00:14:18.824 --> 00:14:22.784
This practice is important to allow the
bank to assess whether proposed controls

00:14:22.784 --> 00:14:26.484
can appropriately mitigate risks in
keeping with the bankâs risk appetite.

00:14:27.074 --> 00:14:30.844
Effective risk assessments typically
involve expertise across relevant

00:14:30.844 --> 00:14:35.544
functional areas of the bank including
risk management and compliance, and also

00:14:35.544 --> 00:14:39.354
consider the activities and features
specific to an arrangement to assist

00:14:39.404 --> 00:14:41.394
in implementing effective controls.

00:14:42.074 --> 00:14:47.094
9 See Interagency Guidelines Establishing
Standards for Safety and Soundness 12

00:14:47.094 --> 00:14:53.954
CFR part 30, Appendix A (OCC); 12 CFR
part 208, Appendix D-1 (Board); and

00:14:53.954 --> 00:14:59.904
12 CFR part 364, Appendix A (FDIC)
(issued pursuant to section 39 of the

00:14:59.904 --> 00:15:03.504
Federal Deposit Insurance Act, 12 U.S.C.

00:15:03.504 --> 00:15:07.244
1831p- 1) (hereinafter âSafety
and Soundness Standardsâ).

00:15:07.960 --> 00:15:13.480
10 Interagency Guidance on Third-Party
Relationships: Risk Management, 88 Fed.

00:15:13.830 --> 00:15:14.150
Reg.

00:15:14.150 --> 00:15:19.680
37,920 (June 9, 2023)
(hereinafter âTPRMâ).

00:15:20.440 --> 00:15:24.740
11 These examples are not a complete list
of practices that could be considered in

00:15:24.740 --> 00:15:26.890
managing the risks of such arrangements.

00:15:27.602 --> 00:15:32.222
12 These risk management practices are
drawn from applicable statutes, rules,

00:15:32.312 --> 00:15:36.852
and enforceable guidelines including the
Safety and Soundness Standards, supra n.

00:15:37.102 --> 00:15:42.532
9, and Interagency Guidelines Establishing
Information Security Standards, 12 CFR

00:15:42.532 --> 00:15:49.642
part 30, Appendix B (OCC); 12 CFR part
208, Appendix D-2 (Board); and 12 CFR

00:15:49.642 --> 00:15:56.062
part 364, Appendix B (FDIC) (issued
pursuant to sections 501 and 505 of

00:15:56.062 --> 00:15:59.972
the Gramm-Leach-Bliley Act, 15 U.S.C.

00:15:59.972 --> 00:16:07.132
6801 and 6805, and section 39 of the
Federal Deposit Insurance Act, 12 U.S.C.

00:16:07.132 --> 00:16:11.142
1831p-1) (hereinafter âInformation
Security Standardsâ), as well as

00:16:11.142 --> 00:16:15.502
existing guidance and resources,
including TPRM, supra n.

00:16:15.942 --> 00:16:20.712
10; Conducting Due Diligence on
Financial Technology Companies: A Guide

00:16:20.712 --> 00:16:26.012
for Community Banks (August 27, 2021)
(hereinafter âCommunity Bank Guideâ);

00:16:26.492 --> 00:16:30.432
and FFIEC Information Technology
Examination Handbook (hereinafter

00:16:30.782 --> 00:16:32.672
âFFIEC IT Examination Handbookâ).

00:16:33.467 --> 00:16:36.677
â¢	Conducting and documenting due
diligence that is of sufficient

00:16:36.677 --> 00:16:40.417
scope and depth to determine whether
the bank can rely on third parties

00:16:40.417 --> 00:16:44.147
to perform the various necessary
roles to deliver deposit products

00:16:44.147 --> 00:16:45.977
and services on the bankâs behalf.

00:16:46.734 --> 00:16:50.264
â¢	Entering into contracts and agreements
that clearly define roles and

00:16:50.264 --> 00:16:54.524
responsibilities of banks and third
parties and enable banks to manage the

00:16:54.524 --> 00:16:56.484
risks of the arrangements effectively.

00:16:57.266 --> 00:17:00.956
â¢	Assessing potential risks when the
bank does not have a direct contractual

00:17:00.956 --> 00:17:04.716
relationship with all parties with
significant roles to determine whether

00:17:04.716 --> 00:17:08.586
and how such risks can be sufficiently
mitigated and remain consistent

00:17:08.586 --> 00:17:10.116
with the bankâs risk appetite.

00:17:10.924 --> 00:17:15.284
â¢	Establishing effective ongoing monitoring
processes, commensurate with the risk

00:17:15.284 --> 00:17:19.914
of each activity and relationship, and
sufficient to detect any issues so they

00:17:19.914 --> 00:17:21.754
can be addressed in a timely manner.

00:17:22.456 --> 00:17:25.766
Managing Operational and
Compliance Implications13

00:17:26.462 --> 00:17:30.952
â¢	Maintaining a clear understanding of any
management information system (MIS)14

00:17:30.952 --> 00:17:35.552
that will be used to support the activity,
including any obligations and contractual

00:17:35.552 --> 00:17:39.542
reporting requirements when the deposit
and transaction system of record is

00:17:39.542 --> 00:17:43.502
managed through the third party or
through a subcontractor to another party.

00:17:44.235 --> 00:17:48.165
â¢	Developing and maintaining risk-based
contingency plans, which address

00:17:48.165 --> 00:17:52.105
potential operational disruption or
business failure at the third party that

00:17:52.105 --> 00:17:56.745
may disrupt end usersâ access to funds,
including contractual provisions that

00:17:56.745 --> 00:17:59.105
facilitate the bankâs contingency plans.

00:17:59.755 --> 00:18:03.705
The contract might, for example, address
the transfer of the relevant accounts,

00:18:03.815 --> 00:18:08.445
data, or activities to another entity in
the event of the third partyâs bankruptcy,

00:18:08.675 --> 00:18:13.075
business failure, business interruption,
or failure to perform as expected.

00:18:13.794 --> 00:18:18.274
â¢	Implementing internal controls to mitigate
risks inherent in deposit functions.

00:18:18.824 --> 00:18:22.834
These could include, but are not limited
to, dual control and separation of

00:18:22.834 --> 00:18:26.974
duties, payment data verification,
and clear error processing and

00:18:26.974 --> 00:18:28.724
problem resolution procedures.

00:18:29.214 --> 00:18:32.744
When deposit- related functions
are performed by a third party, due

00:18:32.744 --> 00:18:36.514
diligence, contracts, and ongoing
monitoring can allow the bank to

00:18:36.514 --> 00:18:41.004
assess accuracy, reliability, and
timeliness of controls and records.

00:18:41.713 --> 00:18:45.803
â¢	Establishing adequate policies,
procedures, oversight, and controls

00:18:45.803 --> 00:18:50.373
to help ensure the bank complies with
applicable laws and regulations, including

00:18:50.373 --> 00:18:52.303
consumer protection requirements.

00:18:53.023 --> 00:18:57.613
13 These risk management practices are
drawn from applicable statutes, rules,

00:18:57.703 --> 00:19:02.203
and enforceable guidelines including the
Safety and Soundness Standards, supra n.

00:19:02.533 --> 00:19:05.753
9, and Information Security
Standards, supra n.

00:19:06.063 --> 00:19:11.453
12, as well as existing guidance and
resources, including TPRM, supra n.

00:19:11.903 --> 00:19:14.413
10; Community Bank Guide, supra n.

00:19:14.793 --> 00:19:18.283
12; FFIEC IT Examination
Handbook, supra n.

00:19:18.523 --> 00:19:24.703
12; and Interagency Guidance on Deposit
Reconciliation Practices (May 18, 2016).

00:19:25.471 --> 00:19:29.491
14 In arrangements where the third
party manages the MIS, a bank may

00:19:29.491 --> 00:19:33.391
consider potential risks to the bank
(such as consumer harm, business

00:19:33.391 --> 00:19:37.571
disruptions due to partner default,
and access to/receipt of MIS), any

00:19:37.571 --> 00:19:41.551
potential implications to compliance
with applicable laws and regulations,

00:19:41.791 --> 00:19:43.561
and appropriate mitigation measures.

00:19:44.181 --> 00:19:47.951
A bank may typically consider factors
such as the third partyâs ability

00:19:47.951 --> 00:19:52.111
to maintain the confidentiality,
availability, and integrity of the bankâs

00:19:52.111 --> 00:19:56.881
systems, information, and data, as well
as customer data, where applicable.

00:19:57.630 --> 00:20:01.300
Effective compliance management
includes conducting active oversight

00:20:01.300 --> 00:20:05.900
of third-party relationships; ensuring
effective complaint management, error

00:20:05.900 --> 00:20:10.450
investigation and resolution; maintaining
written policies and procedures;

00:20:10.840 --> 00:20:15.230
ensuring appropriate consumer protection-
related disclosures; and managing a

00:20:15.230 --> 00:20:16.960
potential disruption of service.15

00:20:18.965 --> 00:20:22.375
Anti-Money Laundering (AML)
/ Countering the Financing of Terrorism

00:20:22.375 --> 00:20:24.715
(CFT) / Sanctions Compliance16

00:20:25.469 --> 00:20:29.969
â¢	Having adequate policies, procedures,
oversight, and controls to help ensure

00:20:29.969 --> 00:20:34.919
the bank complies with applicable AML/CFT
requirements (e.g., monitoring for and

00:20:34.919 --> 00:20:39.759
reporting suspicious activity, customer
identification programs, and customer

00:20:39.759 --> 00:20:42.029
due diligence) and sanctions compliance.

00:20:42.634 --> 00:20:46.404
Managing Growth, Liquidity,
and Capital Implications17

00:20:47.069 --> 00:20:51.259
â¢	Establishing appropriate concentration
limits, diversification strategies,

00:20:51.339 --> 00:20:55.419
liquidity risk management strategies,
and exit strategies, as well as

00:20:55.419 --> 00:20:57.279
maintaining capital adequacy.

00:20:57.899 --> 00:21:02.159
This may include contingency funding plans
that describe how the bank will respond to

00:21:02.159 --> 00:21:06.729
customersâ unexpected deposit withdrawals
and reasonable assumptions, such as

00:21:06.729 --> 00:21:09.149
non- maturity deposit customer behavior.

00:21:09.878 --> 00:21:13.578
â¢	Performing appropriate analysis to
determine whether parties involved in the

00:21:13.578 --> 00:21:18.758
placement of deposits meet the definition
of a deposit broker under 12 U.S.C.

00:21:18.758 --> 00:21:25.298
1831f and implementing regulations,
12 CFR 337.6, and appropriately

00:21:25.298 --> 00:21:30.148
reporting any such deposits as
brokered deposits in the Call Report.18

00:21:30.898 --> 00:21:34.838
15 For example, banks are generally
required to make funds available

00:21:34.838 --> 00:21:39.088
according to specific time schedules
and to disclose their funds availability

00:21:39.088 --> 00:21:40.748
policies to their customers.

00:21:41.428 --> 00:21:45.378
16 These risk management practices
are drawn from applicable law and

00:21:45.378 --> 00:21:58.888
regulations, including 31 CFR 1010.230,
1020.220; 12 CFR 21.11, 208.62, 353;

00:21:59.318 --> 00:22:02.998
and the Office of Foreign Assets
Control sanctions established under the

00:22:02.998 --> 00:22:05.128
Trading with the Enemy Act, 50 U.S.C.

00:22:05.128 --> 00:22:05.388
App.

00:22:06.078 --> 00:22:08.658
1-44, and other relevant authorities.

00:22:09.352 --> 00:22:14.252
17 These risk management practices are
drawn from applicable statute, rules, and

00:22:14.252 --> 00:22:17.582
enforceable guidelines including 12 U.S.C.

00:22:17.582 --> 00:22:24.652
1831f; 12 CFR 337.6; Safety and
Soundness Standards, supra n.

00:22:25.042 --> 00:22:29.752
9; as well as existing guidance and
resources, including Interagency

00:22:29.752 --> 00:22:34.082
Policy Statement on Funding and
Liquidity Risk Management, 75 Fed.

00:22:34.602 --> 00:22:34.872
Reg.

00:22:35.522 --> 00:22:40.952
13,656 (March 22, 2010) and
Joint Agency Policy Statement:

00:22:41.382 --> 00:22:43.582
Interest Rate Risk, 61 Fed.

00:22:43.952 --> 00:22:44.282
Reg.

00:22:44.952 --> 00:22:48.902
33,166 (June 26, 1996).

00:22:49.622 --> 00:22:54.112
18 Less than well capitalized institutions
under the respective Prompt Corrective

00:22:54.112 --> 00:22:58.062
Action provisions have restrictions
on their ability to accept, renew,

00:22:58.182 --> 00:23:00.102
or roll over brokered deposits.

00:23:00.532 --> 00:23:04.082
12 CFR 337.6(a)(3), (b).

00:23:04.850 --> 00:23:08.590
Addressing Misrepresentations
of Deposit Insurance Coverage19

00:23:09.311 --> 00:23:13.321
â¢	Establishing policies and procedures
and developing prudent risk management

00:23:13.321 --> 00:23:17.521
practices for certain deposit-related
arrangements to ensure compliance with

00:23:17.521 --> 00:23:23.841
12 CFR 328, Subpart B, which prohibits
misrepresentation of deposit insurance.20

00:23:25.527 --> 00:23:29.707
â¢	Ensuring such policies and procedures
include, as appropriate, provisions

00:23:29.707 --> 00:23:33.787
related to monitoring and evaluating
activities of persons that facilitate

00:23:33.787 --> 00:23:37.517
access to the bankâs deposit-
related services or products to other

00:23:37.517 --> 00:23:40.757
parties, as required under Part 328.

00:23:41.545 --> 00:23:47.425
19 See 12 CFR part 328, which applies
to IDIs (provisions effective on

00:23:47.485 --> 00:23:53.375
April 1, 2024, with an extended
compliance date of January 1, 2025).

00:23:54.179 --> 00:23:57.179
20 See 12 CFR 328.8.

00:23:57.948 --> 00:23:59.398
This concludes this item.

00:24:00.018 --> 00:24:04.198
If your Credit union could use assistance
with your exam, reach out to Mark Treichel

00:24:04.198 --> 00:24:06.938
on LinkedIn, or at mark Treichel dot com.

00:24:07.518 --> 00:24:10.218
This is Samantha Shares and
we Thank you for listening.