Why the U.S. Regulators’ New Resource on BaaS Relationships is Disappointing

BaaS-enabled banks have been operating in a regulatory minefield recently. Since late 2023, the U.S. FDIC and CFPB have issued multiple consent orders to banks, citing their BaaS relationships as the cause. From the perspective of an onlooker, it appeared that regulators were issuing the consent orders to make examples out of certain players in the industry, forgoing formal BaaS regulation.

This has been particularly troubling for community banks, which often rely on BaaS to adapt to modern consumer preferences by layering the newest fintech tools on top of their legacy core systems, without the need to build technology in-house or update old technology.

In response to this new stress placed on the country’s smallest financial institutions, three U.S. regulators (the Board of Governors of the Federal Reserve System, the FDIC, and the OCC) have published a new third-party risk management guide for community banks. The guide is intended to supplement the Interagency Guidance on Third-Party Relationships: Risk Management document the agencies published in June of last year.

The agencies’ newly published document may disappoint, however. That’s because it does not provide formal BaaS regulation: it lays out no rules that community banks can abide by in order to avoid consent orders. Instead, the new document lays out “potential considerations, potential sources of information, and examples” for risk management, due diligence, contract negotiation, ongoing monitoring, termination, and governance with third parties.

“This guide is intended to assist community banks when developing and implementing their third-party risk-management practices,” the new document states. “This guide is not a substitute for the TPRM Guidance. Rather, it is intended to be a resource for community banks to consider when managing the risk of third-party relationships. This guide is not a checklist and does not prescribe specific risk-management practices or establish any safe harbors for compliance with laws or regulations.”

BaaS-enabled banks seeking to navigate third-party relationships may find the new resource frustrating. While some of the advice in the document is helpful, the agencies have built a lot of wiggle room for themselves into it. Ultimately, however, the guidance is better than nothing.

Regardless of what it lacks, community banks and even larger financial institutions will likely find it useful to compare the guide’s “potential considerations” to their current internal processes. And in the end, the guidance may help deter another tidal wave of consent orders.

