Observations on the FDIC’s Examination Guidance for Third-Party Lending

On July 29, 2016 the Federal Deposit Insurance Corporation (“FDIC”) released its proposed Examination Guidance for Third-Party Lending (“Proposal”). [1] The Proposal, which supplements the FDIC’s Guidance for Managing Third-Party Risk (“Third-Party Guidance”), [2] is directed primarily at banks whose primary federal regulator is the FDIC that maintain partnerships with third-party firms (e.g., marketplace lenders) in connection with their provision of credit products. The FDIC has stated that it will accept written comments on the Proposal until October 27, 2016. The Proposal is significant, both in terms of its regulatory policy and practical implementation implications. This post provides background context and select considerations for banking, specialty finance, and financial technology (“FinTech”) firms to consider as they grapple with the Proposal’s implications.

Background

Insufficient access to credit, particularly for small and medium-sized enterprises (“SMEs”) and individuals, following the Financial Crisis of 2007-08 has been a significant issue. The withdrawal of traditional financial institutions from SME and personal lending is well documented. [3] The rise of marketplace lending to fill in the gap from this significant credit shortfall has created a rich ecosystem of credit-oriented firms providing lending, brokerage, analysis, servicing, trading platform, and regulatory technology products and solutions. While many have speculated that these start-up firms will soon replace traditional financial institutions, particularly in the neglected SME and personal lending spaces, quite the opposite seems to have occurred. As these start-up firms have witnessed early success, they have sought to strategically partner with banks to leverage such banks’ capital, compliance infrastructures, preemption powers, customer distribution channels, and brand name recognition.

The emergence of the marketplace lending industry and its increasing interconnectedness with the banking industry has not gone unnoticed by the various financial, securities, and consumer protection regulatory authorities. At the federal level the Federal Trade Commission, Consumer Financial Protection Bureau, U.S. Department of the Treasury, Office of the Comptroller of the Currency (“OCC”), and FDIC have all publicly held forums, conducted studies, taken consumer complaints, or released forms of guidance. [4] Senior officials from the Board of Governors of the Federal Reserve System (“FRB”) and U.S. Securities and Exchange Commission have further scrutinized aspects of the industry. [5] The Congress has further inquired as to the nature of regulation within the space. [6] At the state level, both the California Department of Business Oversight and the New York Department of Financial Services have conducted studies of and commenced investigations into the activities of certain industry participants. [7] Other states have also been active in the space. All the while the marketplace lending industry has, within its short lifetime, witnessed, on the one hand, rapid business expansion, robust secondary market activity, and initial public offerings, and, on the other hand, scandal, layoffs, bankruptcies, lawsuits, and compliance failures.

In light of the above it is not surprising that the FDIC released its Proposal. Some of the most active banking partners of marketplace lenders are, in fact, banks and industrial loan companies that are primarily regulated by the FDIC. The Proposal is, however, surprising in that it raises numerous policy and implementation issues. While a detailed examination of the content of the Proposal goes beyond the scope of this piece, below are some observations of some of the most important issues raised by the Proposal.

Select Observations

Interagency Coordination and Regulatory Arbitrage. A particularly noteworthy aspect of the FDIC’s Proposal is that it was not released by the FDIC on a coordinated basis in conjunction with the other federal financial regulators. Rather, the FDIC released the Proposal acting alone. The Proposal would thus be applicable only to those banks that the FDIC is the primary federal regulator of, i.e., state-chartered non-member banks. Federally chartered banks and thrifts regulated by the OCC and state-chartered member banks whose primary federal regulator is the FRB would not be subject to the Proposal. Absent parallel guidance by the OCC and FRB, the FDIC will create a significant regulatory arbitrage in the industry that could have been avoided if the FDIC had worked through the Federal Financial Institutions Examination Council (“FFIEC”) on the Proposal. The FFIEC was established for the very purpose of serving as a “formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions … and to make recommendations to promote uniformity in the supervision of financial institutions.” [8]

The FDIC’s unilateral action here is particularly surprising given that staff of the OCC have already publicly stated that the OCC is seriously considering revising the OCC’s third-party risk management guidance in light of the evolving FinTech landscape. The FRB is also working on third-party risk management guidance. The FDIC’s posture suggests that there may be a significant lack of interagency coordination, a significant difference of opinion as to the appropriate manner of third-party risk management between the agencies, or perhaps both. While regulatory competition from a policy perspective may in fact be desirable, especially in a rapidly evolving area of regulatory law, the burgeoning disharmony in regulatory approach may become a serious issue for the industry.

Effective Date. Implementing the prescriptions called for by the Proposal would be a significant challenge for banks and their third-party partners that would take time. The Proposal, however, does not provide for explicitly any effective date nor does it discuss any gradual phase-in or grandfathering of current bank-third party relationships. Presumably the FDIC intends for the Proposal to apply by its terms in full force immediately upon its final release. Such immediate effect may be untenable for banks and their partners who may have in place a carefully negotiated partnership structure. Although the Proposal specifically contemplates that parties will consider the Proposal “prior to entering into” a relationship, the Proposal renders such consideration impossible for banks and third parties with already structured partnerships in place.

Indirect Regulation. A constant struggle for the banking regulators is the difficulty of asserting jurisdiction over entities that, while not banks, nevertheless have the ability to negatively impact banks and bank customers. A variety of jurisdictional authorities exist to reach counterparties that are connected to banks in some manner; however, the weaker the nexus an entity has with a bank the weaker is a bank regulator’s claim of jurisdiction. Third-party risk management has, in some ways, provided one solution, albeit at times sub-optimal and crude, to the jurisdiction issue for banking regulators. Through third-party risk management supervision the banking regulators impose severe regulatory pressure on banks who in turn impose severe requirements, generally contractually, on their non-bank counterparties. In this way banking regulators are able to indirectly regulate the affairs of a bank’s non-bank partners.

In this instance the FDIC’s Proposal is rather robust. It categorizes a broad swath of activities as “significant” and subjects banks engaged in such significant third-party relationships to various prescriptive requirements. Significant activities include, for instance, any new relationship or implementation of any new bank activity, third-party marketing of a bank’s products or services, and various types of analytic services including pricing, data collection, aggregation, and reporting. Examples of the prescriptive requirements, including those incorporated from the FDIC’s Third-Party Guidance, include requiring, contractually, that a bank’s third-party partner subject itself to banking agency inspections of its records and that through indemnification, representations, warranties and recourse terms the bank not be exposed to “substantial risk”; maintenance of insurance; routine reporting to the bank of the third party’s performance, audits, finances, security, and business resumption testing; and detailed monitoring by the bank of the third party’s audited financials, satisfaction of financial obligations, regulatory compliance, employee training, and the like. The approach would seem to motivate third parties to either enhance their relationship with their banking partners, and subject themselves to greater indirect regulation, or to diminish their relationship with their banking partners, to avoid any significant indirect regulation. Despite language in the Proposal concerning risk calibration to particular relationship facts, the Proposal seems to leave little room for the creation of a modest relationship that is risk-calibrated in which a banking partner does not dominate the third party through indirect regulatory contractual requirements.

* * *

The FDIC’s Proposal raises a series of significant policy and practical implementation issues. It remains to be seen how the FDIC, upon receipt of industry feedback, will incorporate such feedback into its Proposal. If past is prologue, however, the industry would be wise to seriously review its banking relationships and rationalize whether those relationship structures are prudent in light of the emerging regulatory arbitrage and indirect regulation that the FDIC may create. Those entities that work closely with banks outside of the credit space, such as payment processors, would be well advised to consider how this Proposal might impact the expectations placed on them or the prospect of similar guidance covering them in the future.