3-1579.246

RISK MANAGEMENT—Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services

The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) are issuing this statement to note potential risks related to arrangements between banks and third parties[1] to deliver bank deposit products and services to end users.[2] This statement highlights examples of risk-management practices by banks to manage such risks. This statement reemphasizes existing guidance; it does not alter existing legal or regulatory requirements or establish new supervisory expectations.
The agencies support responsible innovation and support banks in pursuing third-party arrangements in a manner consistent with safe and sound practices and in compliance with applicable laws and regulations, including, but not limited to, those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering). Banks are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.
Some banks have entered into arrangements with third parties to deliver deposit products and services (such as checking and savings accounts) to end users. Banks may do this in order to increase revenue, raise deposits, expand geographic reach, or to achieve other strategic objectives, including by leveraging new technology or offering innovative products and services. In these arrangements, a third party, rather than the bank, typically markets, distributes or otherwise provides access to or facilitates the provision of the deposit product or service directly to the end user.[3] In some arrangements, banks rely on one or multiple third parties to maintain the deposit and transaction system of record; process payments (sometimes with the ability to directly submit payment instructions to payment networks); perform regulatory compliance functions; provide end-user facing technology applications; service accounts; perform customer service; and perform complaint and dispute resolution functions. These third parties are sometimes referred to as intermediate platform providers, processors, middleware providers, aggregation layers, and/or program managers. A bank’s use of third parties to perform certain activities does not diminish its responsibility to comply with all applicable laws and regulations.
Similar structures have been utilized for certain activities in the banking industry for many years, such as activities related to prepaid card programs. However, the agencies have observed an evolution and expansion of these arrangements to include more complex arrangements that involve the reliance on third parties to deliver deposit products and services.
Potential Risks
Depending on the structure, third-party arrangements for the delivery of deposit products and services can involve elevated risks. The agencies have observed that risks may be elevated in certain circumstances, such as the examples below.
Operational and Compliance
  • Significant operations performed by a third party: Substantially relying on third parties to manage a bank’s deposit operations can eliminate or reduce a bank’s crucial existing controls over and management of the deposit function. Without adequate initial due diligence and ongoing monitoring, risks to the integrity of a bank’s deposit function are heightened.[4]
  • Fragmented operations: Fragmented operational functions for deposit products and services among multiple third parties may make it more difficult for the bank to effectively assess risks and assess whether all third parties can and do perform assigned functions as intended.
  • Lack of access to records: A potential lack of sufficient access by a bank to the deposit and transaction system of record and other crucial information and data maintained by the third party can impair the bank’s ability to determine its deposit obligations. In some circumstances, such uncertainty can lead to delays in end-users’ access to their deposits, which in turn can expose the bank to additional legal and compliance risks.
  • Third parties performing compliance functions: Reliance on third parties to perform regulatory compliance functions may increase the risk of the bank not meeting its regulatory requirements. Specifically, the third party may perform certain regulatory compliance functions such as monitoring and reporting suspicious activity, customer identification programs, customer due diligence, and sanctions compliance on behalf of the bank. Regardless of whether the functions are shared between the bank and the third party, the bank remains responsible for failure to comply with applicable requirements.
  • Insufficient risk management to meet consumer protection obligations: Insufficient oversight of these arrangements may impact a bank’s compliance with consumer protection laws and regulations, such as requirements under Regulation E (implementing the Electronic Fund Transfer Act) to investigate and resolve certain payment disputes within required timeframes, and under Regulation DD (implementing the Truth in Savings Act) to provide certain disclosures regarding consumer deposit accounts. Presenting insufficient or misleading information to end users also may result in violations of laws and regulations, including consumer protection requirements.[5] In addition, inadequate complaint administration and error resolution processes may limit a bank’s ability to effectively identify and address issues impacting end users of the deposit accounts and result in potential consumer harm.
  • Lack of contracts: Multiple levels of third-party and subcontractor relationships, where the bank does not have direct contracts with entities that perform crucial functions, may pose challenges to the bank’s ability to identify, assess, monitor, and control various risks.
  • Lack of experience with new methods: Arrangements leveraging new technologies or new methods of facilitating deposit products and services with which bank management and staff do not have prior experience may result in inadequate risk and compliance management practices to manage or oversee these arrangements and associated risks.
  • Weak audit coverage: Lack of sufficient audit scope and coverage, follow-up processes, and remediation may result in inadequate oversight of these arrangements and reduce the effectiveness of the audit function.
Growth
  • Misaligned incentives: A third party’s incentives may not be aligned with those of the bank, such as when a third party may be incentivized to promote growth in a manner that is not aligned with the bank’s regulatory obligations, resulting in insufficient attention to risk management and compliance obligations.
  • Operational capabilities lag growth: Rapid growth as a result of these arrangements (either in the overall number of arrangements or in the size of specific arrangements) may result in risk management and operational processes struggling to keep pace.
  • Financial risks from funding concentrations: Arrangements may result in significant and rapidly increasing funding concentrations, which may make it more challenging for the bank to manage and mitigate liquidity and funding risks, particularly when funding is deployed in illiquid or long-term assets.
  • Inability to manage emerging liquidity risks: Arrangements where a significant proportion of a bank’s deposits or revenue are associated with a third party may pose liquidity risks, such that the bank may be reluctant to make decisions necessary to manage those risks, including, if necessary, to terminate the arrangement.
  • Pressure on capital levels: Arrangements may result in material and rapid balance sheet growth (including significant intraday balance sheet levels) without commensurate capital formation.
End User Confusion and Misrepresentation of Deposit Insurance Coverage
  • Potentially misleading statements and marketing: Third-party arrangements for the delivery of deposit products and services can pose risks of end user confusion related to deposit insurance, which may be exacerbated by marketing materials or other statements by nonbank third parties. Some nonbank third parties could be reasonably mistaken for an insured depository institution (IDI) by end users, particularly when they refer to FDIC deposit insurance in marketing and other public-facing materials. End users may not be aware that access to their funds may depend on the third party and that deposit insurance does not protect against losses resulting from the failure of the third party.
  • Regulatory violations: Inaccurate or misleading information regarding the extent or manner under which deposit insurance coverage is available could constitute a violation under part 328, subpart B.[6]
    • Omissions of material information also may constitute misrepresentations under the FDIC’s rule. Such deposit insurance misrepresentations may occur, for example, when nonbank third parties have communicated to end users that their funds are FDIC insured, without disclosing that FDIC insurance protects only against the failure of an IDI, and not against the failure of the nonbank entity.
    • Deposit insurance misrepresentations under part 328 may also occur when parties to these arrangements communicate to end users that their funds are insured by the FDIC on a pass-through basis without disclosing that certain regulatory requirements[7] must be satisfied for pass-through deposit insurance coverage to apply.[8]
Risk Management and Governance Considerations
Banks are expected to operate in a safe and sound manner and in compliance with applicable laws and regulations, including those related to safety and soundness, consumer protection, and anti-money laundering/countering the financing of terrorism (AML/CFT). Effective board and senior management oversight is crucial to ensure a bank’s risk-management practices are commensurate with the complexity, risk, size, and nature of the activity and relationship, both when the relationship commences and as it evolves over time. In this regard, banks should ensure practices are consistent with the Interagency Guidelines Establishing Standards for Safety and Soundness,[9] and banks also are encouraged to review and consider the risk-management principles for third-party relationships set forth in the Interagency Guidance on Third-Party Relationships: Risk Management.[10] The list at the end of this document provides various existing resources, including guidance, that may be helpful for banks managing such arrangements.
The agencies have observed examples of effective risk-management practices that a bank may consider when managing third-party arrangements for the delivery of deposit products and services, including the examples below.[11]
Governance and Third-Party Risk Management[12]
  • Developing and maintaining appropriate policies and procedures that detail organizational structures, lines of reporting and authorities, expertise and staffing, internal controls, and audit functions to ensure that risks are understood and mitigated.
  • Developing appropriate risk assessments that identify and analyze risks specific to features of each arrangement. This practice is important to allow the bank to assess whether proposed controls can appropriately mitigate risks in keeping with the bank’s risk appetite. Effective risk assessments typically involve expertise across relevant functional areas of the bank including risk management and compliance, and also consider the activities and features specific to an arrangement to assist in implementing effective controls.
  • Conducting and documenting due diligence that is of sufficient scope and depth to determine whether the bank can rely on third parties to perform the various necessary roles to deliver deposit products and services on the bank’s behalf.
  • Entering into contracts and agreements that clearly define roles and responsibilities of banks and third parties and enable banks to manage the risks of the arrangements effectively.
  • Assessing potential risks when the bank does not have a direct contractual relationship with all parties with significant roles to determine whether and how such risks can be sufficiently mitigated and remain consistent with the bank’s risk appetite.
  • Establishing effective ongoing monitoring processes, commensurate with the risk of each activity and relationship, and sufficient to detect any issues so they can be addressed in a timely manner.
Managing Operational and Compliance Implications[13]
  • Maintaining a clear understanding of any management information system (MIS)[14] that will be used to support the activity, including any obligations and contractual reporting requirements when the deposit and transaction system of record is managed through the third party or through a subcontractor to another party.
  • Developing and maintaining risk-based contingency plans, which address potential operational disruption or business failure at the third party that may disrupt end users’ access to funds, including contractual provisions that facilitate the bank’s contingency plans. The contract might, for example, address the transfer of the relevant accounts, data, or activities to another entity in the event of the third party’s bankruptcy, business failure, business interruption, or failure to perform as expected.
  • Implementing internal controls to mitigate risks inherent in deposit functions. These could include, but are not limited to, dual control and separation of duties, payment data verification, and clear error processing and problem resolution procedures. When deposit-related functions are performed by a third party, due diligence, contracts, and ongoing monitoring can allow the bank to assess accuracy, reliability, and timeliness of controls and records.
  • Establishing adequate policies, procedures, oversight, and controls to help ensure the bank complies with applicable laws and regulations, including consumer protection requirements. Effective compliance management includes conducting active oversight of third-party relationships; ensuring effective complaint management, error investigation and resolution; maintaining written policies and procedures; ensuring appropriate consumer protection-related disclosures; and managing a potential disruption of service.[15]
AML/CFT Sanctions Compliance[16]
  • Having adequate policies, procedures, oversight, and controls to help ensure the bank complies with applicable AML/CFT requirements (e.g., monitoring for and reporting suspicious activity, customer identification programs, and customer due diligence) and sanctions compliance.
Managing Growth, Liquidity, and Capital Implications[17]
  • Establishing appropriate concentration limits, diversification strategies, liquidity risk management strategies, and exit strategies, as well as maintaining capital adequacy. This may include contingency funding plans that describe how the bank will respond to customers’ unexpected deposit withdrawals and reasonable assumptions, such as non-maturity deposit customer behavior.
  • Performing appropriate analysis to determine whether parties involved in the placement of deposits meet the definition of a deposit broker under 12 U.S.C. 1831f and implementing regulations, 12 CFR 337.6, and appropriately reporting any such deposits as brokered deposits in the Call Report.[18]
Addressing Misrepresentations of Deposit Insurance Coverage[19]
  • Establishing policies and procedures and developing prudent risk-management practices for certain deposit-related arrangements to ensure compliance with 12 CFR 328, subpart B, which prohibits misrepresentation of deposit insurance.[20]
  • Ensuring such policies and procedures include, as appropriate, provisions related to monitoring and evaluating activities of persons that facilitate access to the bank’s deposit-related services or products to other parties, as required under part 328.
Resources
Issued jointly by the Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency on July 25, 2024 (SR-24-5).

[1] These sometimes include nonbank companies, such as, but not limited to, certain financial technology (or fintech) companies.
[2] For purposes of this statement, an “end user” includes consumers and businesses accessing deposit products and services through the arrangements described in this statement.
[3] These arrangements are sometimes referred to as “banking-as-a-service” or “embedded finance” depending on the structure and parties involved in the arrangement.
[4] Depending on the structure, such arrangements may also introduce security vulnerabilities, including by providing another access point into the bank’s systems. Integration may amplify operational risks, such as fraud, cybersecurity, and data privacy incidents occurring at the third party that then affect the bank.
[5] Such laws and regulations include (among others) the prohibition against unfair or deceptive acts or practices under section 5 of the Federal Trade Commission Act, and the prohibition against unfair, deceptive, or abusive acts or practices under title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).
[6] See 12 CFR 328, subpart B.
[7] See 12 CFR 330.5, 330.7. For pass-through deposit insurance to apply, a consumer’s funds must first be on deposit at an IDI. In addition: (1) the deposit account records of the IDI must disclose a basis for pass-through coverage, such as a custodial or agency relationship; (2) the identities and interests of the actual owners of the funds must be ascertainable either from the records of the IDI or records maintained in good faith and in the regular course of business by another party; and (3) the relationship that provides the basis for pass-through deposit insurance coverage must be genuine, with the deposited funds actually owned by the named owners. Additional requirements apply to arrangements involving multiple levels of relationships.
[8] See 12 CFR 328.102(b)(5).
[9] See Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix D-1 (Board); and 12 CFR part 364, appendix A (FDIC) (issued pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1) (hereinafter Safety and Soundness Standards).
[10] Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37,920 (June 9, 2023) (hereinafter TPRM).
[11] These examples are not a complete list of practices that could be considered in managing the risks of such arrangements.
[12] These risk-management practices are drawn from applicable statutes, rules, and enforceable guidelines including the Safety and Soundness Standards, supra n. 9, and Interagency Guidelines Establishing Information Security Standards, 12 CFR part 30, appendix B (OCC); 12 CFR part 208, appendix D-2 (Board); and 12 CFR part 364, appendix B (FDIC) (issued pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 and 6805, and section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1) (hereinafter Information Security Standards), as well as existing guidance and resources, including TPRM, supra n. 10; Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks (August 27, 2021) (hereinafter Community Bank Guide); and FFIEC Information Technology Examination Handbook (hereinafter FFIEC IT Examination Handbook).
[13] These risk-management practices are drawn from applicable statutes, rules, and enforceable guidelines including the Safety and Soundness Standards, supra n. 9, and Information Security Standards, supra n. 12, as well as existing guidance and resources, including TPRM, supra n. 10; Community Bank Guide, supra n. 12; FFIEC IT Examination Handbook, supra n. 12; and Interagency Guidance on Deposit Reconciliation Practices (May 18, 2016).
[14] In arrangements where the third party manages the MIS, a bank may consider potential risks to the bank (such as consumer harm, business disruptions due to partner default, and access to/receipt of MIS), any potential implications to compliance with applicable laws and regulations, and appropriate mitigation measures. A bank may typically consider factors such as the third party’s ability to maintain the confidentiality, availability, and integrity of the bank’s systems, information, and data, as well as customer data, where applicable.
[15] For example, banks are generally required to make funds available according to specific time schedules and to disclose their funds availability policies to their customers.
[16] These risk-management practices are drawn from applicable law and regulations, including 31 CFR 1010.230, 1020.220; 12 CFR 21.11, 208.62, 353; and the Office of Foreign Assets Control sanctions established under the Trading with the Enemy Act, 50 U.S.C. App. 1-44, and other relevant authorities.
[17] These risk-management practices are drawn from applicable statute, rules, and enforceable guidelines including 12 U.S.C. 1831f; 12 CFR 337.6; Safety and Soundness Standards, supra n. 9; as well as existing guidance and resources, including Interagency Policy Statement on Funding and Liquidity Risk Management, 75 Fed. Reg. 13,656 (March 22, 2010) and Joint Agency Policy Statement: Interest Rate Risk, 61 Fed. Reg. 33,166 (June 26, 1996).
[18] Less than well capitalized institutions under the respective Prompt Corrective Action provisions have restrictions on their ability to accept, renew, or roll over brokered deposits. 12 CFR 337.6(a)(3), (b).
[19] See 12 CFR part 328, which applies to IDIs (provisions effective on April 1, 2024, with an extended compliance date of January 1, 2025).
[20] See 12 CFR 328.8.