2025 Risk Series: Third-Party & FinTech Partnership Risks
The Regulatory Risks
As community banks seek to expand digital services and improve efficiency, many are partnering with fintech companies and third-party vendors. While these partnerships offer innovation and competitive advantages, they also introduce significant regulatory risk. Examiners from the OCC, FDIC, and FRB are scrutinizing these relationships more closely than ever and expect banks to maintain strong oversight, risk management, and compliance controls over them, consistent with the June 2023 Interagency Third-Party Risk Management Guidance.
The risks go beyond operational concerns—regulators expect community banks to own full responsibility for their third-party relationships. Weak oversight, inadequate due diligence, or compliance failures can lead to enforcement actions, fines, and reputational damage.
Example Enforcement Actions
Regulatory agencies have issued enforcement actions against banks for failing to properly manage these relationships, including:
- USAA Federal Savings Bank (2024): Issued a cease-and-desist order by the OCC due in part to deficiencies in third-party risk management, compliance risk management, and governance over shared services.
- Blue Ridge Bank (2024): Entered into a Consent Order with the OCC for failing to establish effective risk management controls over its fintech partnerships, particularly with respect to BSA/AML compliance, and was required to align its third-party risk management processes with the June 6, 2023 Interagency Third-Party Risk Management Guidance.
- Metropolitan Commercial Bank (2023): Fined $14.5 million by the FRB for deficiencies in third-party risk management and customer due diligence (CDD), specifically related to its prepaid card and payment processing partners.
- Cross River Bank (2023): Entered into a Consent Order with the FDIC, agreeing to take immediate corrective action related to its fintech lending partnerships, with a focus on fair lending compliance and consumer protection risks.
Key Risks to Address Now
- Inadequate Due Diligence on Fintech & Third-Party Vendors – Banks are expected to thoroughly vet third-party providers before entering into relationships. This includes reviewing financial stability, compliance history, information security practices, and regulatory risks. Failure to conduct comprehensive due diligence can expose banks to legal and financial penalties.
- Weak Contractual & Compliance Controls – Examiners expect banks to have detailed contracts with vendors that clearly outline compliance responsibilities, security measures, and performance expectations. Insufficient contractual safeguards can leave banks vulnerable to regulatory violations and operational disruptions.
- Failure to Monitor Ongoing Performance & Compliance – Vetting a third-party vendor at onboarding is not enough. Regulators require continuous monitoring of vendors, including regular compliance audits, risk assessments, and periodic performance reviews. Lack of ongoing oversight can lead to compliance failures and regulatory actions.
- BSA/AML & Consumer Protection Concerns – Fintech partnerships often involve new payment models, digital banking services, and expanded financial access, increasing exposure to fraud, money laundering, and fair lending risks. Banks must ensure robust transaction monitoring, consumer protection policies, and compliance frameworks to withstand regulatory scrutiny.
- Lack of Board & Senior Management Oversight – Regulators emphasize that banks, not their vendors, bear ultimate responsibility for compliance failures. The Board and senior management must be actively engaged in third-party risk governance, ensuring alignment with regulatory expectations.
Strategies to Strengthen Third-Party Risk Management
- Conduct Rigorous Due Diligence
  - Develop a comprehensive vendor risk assessment framework for onboarding third parties.
  - Require vendors to provide third-party risk management documentation and past audit reports.
  - Conduct appropriate background checks and regulatory history reviews of all fintech partners.
- Strengthen Contracts & Compliance Agreements
  - Include specific compliance obligations and security requirements in vendor agreements.
  - Ensure contracts define performance expectations, breach protocols, and regulatory responsibilities.
  - Require vendors to comply with financial and operational reporting mandates.
- Implement Ongoing Monitoring & Audits
  - Establish a continuous risk monitoring program to identify and remediate vendor compliance gaps before they become issues.
  - Require routine internal audits and third-party risk assessments to evaluate vendor adherence.
  - Enforce corrective action plans for vendors that fail to meet compliance standards.
- Enhance BSA/AML Controls for Fintech Partnerships
  - Require fintech partners to use enhanced customer due diligence measures consistent with regulatory requirements.
  - Ensure suspicious activity reporting protocols align with regulatory expectations.
  - Implement fraud detection and transaction monitoring technologies tailored to fintech-related risks.
- Engage the Board & Senior Management in Oversight
  - Conduct regular board briefings on third-party risk exposure and regulatory updates.
  - Assign a dedicated executive team to oversee fintech and third-party compliance management.
  - Require periodic independent assessments of vendor risk management programs.
Take Action Now
Regulators have made it clear: banks are fully responsible for the compliance risks of their third-party and fintech partners. Weak oversight can lead to enforcement actions, fines, and reputational damage.
Now is the time to assess your vendor risk management program and ensure it meets regulatory expectations.
Stay tuned for the next edition in our blog series: "Cybersecurity & Operational Resilience."