Each year, the Federal Deposit Insurance Corporation (FDIC) performs a series of regulatory examinations to ensure supervised institutions are maintaining compliance programs and mitigating consumer risk. The results of these examinations are outlined in an annual report known as the Consumer Compliance Supervisory Highlights.
Since the FDIC played a key role in developing the Interagency Guidance on Third-Party Relationships: Risk Management, it’s not surprising to discover that this year’s Supervisory Highlights include deficiencies in banks’ oversight of their third-party relationships. By understanding these deficiencies, your financial institution can more easily identify potential compliance areas requiring mitigation and strengthen its third-party risk management (TPRM) program.
Note: Text taken directly from the Supervisory Highlights is in italics.
FDIC Supervisory Highlights Identify Third-Party Compliance Issues
The FDIC performed almost 900 consumer compliance examinations in 2023 and identified many issues related to inefficient third-party risk management practices.
Here are some of the significant compliance issues the FDIC identified:
- Third-party issues – The report states that some compliance issues were caused by non-bank entities that provide products and services directly to a regulated bank’s customers. These third-party relationships created compliance issues through:
  - Misrepresentation – Some third parties made false or misleading representations about their products being FDIC-insured.
  - False advertising – The FDIC found issues related to false advertising of credit-building products. Third parties failed to conduct an analysis to support their claims and overstated their products’ ability to perform as intended.
  - Mishandling disputes – Violations were issued because of a third party’s failure to investigate electronic fund transfer (EFT) disputes, report the results of the investigation to consumers, and correct errors.
- Bank issues – The FDIC also recognized other compliance issues that were caused solely by financial institutions. Those issues include:
  - Unreasonable payments – Some financial institutions didn’t have processes to determine whether payments to mortgage brokers were reasonably related to the value of the services provided.
  - Poor third-party oversight – An institution was found to have failed to establish and maintain internal controls over its third-party lenders, which led to unsafe or unsound banking practices.
6 Tips for Third-Party Compliance With the FDIC
Each of the FDIC’s findings in the Supervisory Highlights is accompanied by a list of suggested activities to mitigate risk. Many of these activities are generally considered best practices and are likely already implemented in your third-party risk management program. It’s important for financial institutions to remember that they hold responsibility for third-party compliance.
Some of the activities to implement in your program include:
- Board and senior management involvement – Financial institutions should ensure the board and senior management are involved throughout the entire third-party risk management lifecycle, specifically in relation to accepting a third party’s consumer compliance risk.
- Governance documentation – Policies and procedures should be formally documented to address third-party compliance risk and guide third-party risk management activities.
- Risk assessments – Thorough and periodic risk assessments should identify and mitigate third-party risks, which may include legal and compliance considerations.
- Pre-contract due diligence – Comprehensive due diligence should be performed before entering the third-party relationship. If applicable, this should include verifying the third party’s advertising claims about its products or services.
- Contract management – Third-party contracts should be structured to address areas such as compliance requirements, consequences for noncompliance, the right to audit, and performance expectations.
- Ongoing monitoring – Financial institutions should perform ongoing monitoring and oversight that is tailored to the level of risk in the relationship. This may include monitoring the third party’s performance, marketing activities, and compliance with consumer laws and regulations.
Maintaining regulatory compliance in your third-party risk management program will continue to be an ongoing effort as new risks emerge and priorities evolve. Reading up on reports like the Supervisory Highlights can give you renewed focus on compliance issues that may impact your financial institution.