Read the financial news on any given day, and you’ll see story after story about non-bank lenders and fintech companies rapidly enlarging their piece of the lending pie. While alternative lending companies have existed for decades, they are now considered a viable option in the financial services market. Today, non-bank lenders are successfully competing against traditional banks and have even dominated specific product markets like mortgages. Interestingly, those same conventional financial institutions are relying on non-bank lenders to provide better and more tech-friendly offerings to their customers. More than ever, non-bank lenders are front and center.
Critics of the alt-lending sector will often contend that non-bank lenders’ regulations are minimal, giving them a distinct advantage. With fewer restrictions, one could assume the risks associated with alternative lenders are significant compared to those of a traditional bank. There are plenty of opinions related to this issue. However, for practical purposes, I’ll narrow my focus to the specific risks associated with non-bank lenders and third-party risk management.
Two Common Questions Related to the Issue
1. Are there any requirements for non-bank lenders to practice third-party risk management?
The answer to this first question is most definitely yes. Non-bank lenders and fintech firms may find themselves just beyond the OCC and FDIC’s direct supervision; however, they are still accountable for managing the risk associated with their third parties. But who is holding them accountable, and what are the requirements?
The answers lie in consumer protection laws. Alternative lenders seek to offer their products and services directly or indirectly to consumers, so they are held accountable by regulators such as the CFPB.
The Consumer Financial Protection Bureau (CFPB), the regulating body born out of the Dodd-Frank Act of 2010, is intended to protect consumers from risky or abusive financial products. The bureau is empowered to regulate companies that sell financial products to consumers and enforce laws against consumer finance discrimination.
The CFPB, a regulator of both bank and non-bank lenders, states, “Using outside vendors can pose additional risks. A service provider unfamiliar with consumer financial protection laws, or has weak internal controls, can harm consumers.”
While the CFPB’s guidance isn’t as detailed as the OCC’s, it still aligns with basic third-party risk management principles. Let’s take a look at the steps in the CFPB’s guidance:
- Due diligence: Verify that the service provider understands and is capable of complying with the law by requesting and reviewing the provider’s policies, procedures, internal controls and training materials, and ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
- Compliance: Include clear expectations about compliance in the contract with the service provider, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities.
- Monitoring: Establish internal controls and ongoing monitoring to determine whether the service provider is complying with the law.
- Resolution: Take prompt action to fully address any problems identified through the monitoring process.
While not mentioned explicitly in the concise guidance, it makes sense that a thorough assessment of the potential risk precedes and dictates any effective due diligence process. Identifying and assessing risk is the bedrock of any sound third-party risk management program.
2. Are non-bank lenders expected to manage third-party risks with the same rigor as a traditional bank?
In a roundabout way, yes. Reasonably prescriptive guidance from organizations such as the OCC and the FDIC serves as the foundation for many bank third-party risk management programs. Still, these organizations don’t necessarily govern the non-bank lending sector directly. However, traditional banking organizations must hold their partners and vendors to the same regulatory standards for which they are accountable. This would include their relationships with non-bank lenders and fintech firms. Per OCC Bulletin 2013-29: “The OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself, on its own premises.” Considering that the bank and the third party can be held liable for non-compliance, many banks now require their partners to have third-party risk management programs that would stand up to scrutiny from regulators such as the OCC and FDIC.
At a minimum, the non-bank lender is always responsible for ensuring that their vendor(s) understands and can comply with the law. This should be accomplished through the application of third-party risk management fundamentals such as:
- Risk Assessment
- Due Diligence
- Contracting
- Ongoing Monitoring
When a non-bank lender works directly with a regulated bank, either as a vendor or a partner, the alternative lender should attempt to comply with regulations governing traditional banks. So yes, non-bank lenders may need to demonstrate the same rigor in their third-party risk management programs as their bank partners.
As a closing thought, as non-bank lenders continue to grow their market share and enter new partnerships with traditional banking institutions, the potential to harm the consumer (or investor) also increases. And inevitably, so will regulatory attention, resulting perhaps in new regulatory requirements for how non-bank lenders and fintech firms must manage their third-party risk.
Are you meeting your regulators’ expectations for vendor management? Download the infographic.