Third-Parties, Fintechs, and Financial Institutions: Understanding the Risk
Published on April 1, 2024
Interviewer: Eric Wester, AAP, APRP, NCP - UMACHA
Interviewee: Nanci McKenzie, JM, AAP, APRP - Nanci McKenzie, LLC, Independent Consultant
On the heels of UMACHA's Managing Third-Party & Fintech Relationships Symposium, we decided this would be a great opportunity to sit down with a recognized expert in the field of payments risk, Nanci McKenzie, owner of Nanci McKenzie, LLC, a consulting company.
As you will soon discover, Nanci is passionate about payments and risk. She was excited to sit down and discuss various aspects of risk management in today’s environment, where the interplay between Third-Party Service Providers (including Third-Party Senders), fintechs, and financial institutions continues to evolve, with the continued adoption of Banking as a Service (BaaS) among other banking services.
Let’s jump right into our discussion with Nanci!
Can you tell us a little bit about yourself, your new company, and generally, how you help support the payments industry?
I’m Nanci McKenzie. I recently became an independent consultant.
I have been in the middle of the fiNANCIal industry for 38 years, having worked in banks, a credit union, a core banking technology company, a Payments Association, and at a software technology company. I have held senior leadership positions at financial institutions and payment technology companies, where I oversaw product development, strategic planning, and deposit operations. I have a deep understanding of the payment technology landscape and the challenges that financial institutions face in this rapidly evolving industry.
There have been several regulatory findings over the last year or so related to financial institutions and their fintech partners, with a common theme seeming to surround BSA/AML programs. Do you have advice for financial institutions that are either contemplating entering a relationship with a fintech partner or for those who already have one or more fintech partners for whom they provide banking services?
A Third-Party Risk Management Program and a BSA/AML Program certainly do go hand in hand, and yes, there have been many regulatory findings, and I expect there to be many more. This is, in large part, because the regulators expect financial institutions to have a risk management and compliance program in place according to the recent (effective June 9, 2023) Interagency Guidance on Third-Party Relationships: Risk Management (88 FR 37920). Here, the regulators clarify that any third-party relationship includes any products or services the financial institution provides to any business arrangement that interacts with customers (in other words, consumers). The Know Your Customer (KYC) requirements of the Bank Secrecy Act (BSA), the need to identify the Beneficial Owners, and the required monitoring for Anti-Money Laundering (AML) connect the requirements of risk management over third-party relationships, which include a relationship a financial institution has with a fintech.
My advice to a financial institution that is involved in a relationship or is planning to expand its treasury management services to include third-party relationships, including fintech, is to make sure to:
- Have qualified individual(s) that know and understand the banking regulations, interagency guidance, including the Federal Financial Institution Examination Council (FFIEC), and the Nacha Operating Rules and Guidelines
- Have a policy and procedures in place that associate with the third-party relationships (and follow them!)
- Ask your regulator what they will expect and look for during an examination
- Make certain your legal advisor has approved the agreement(s) you are using for that relationship
- Have a clear due diligence process which includes and follows the risk scoring/rating you have for that third-party relationship
- Identify the risks of that third-party relationship
- Include verification of an Information Security Program (SOC 2, ISO 27001, etc.)
- Perform comprehensive periodic risk reviews once the initial onboarding process is complete
- Perform Risk Assessment(s) at onboarding and periodically
- Determine if the third-party is required under the Nacha Operating Rules to perform an annual ACH audit (by December 31) and an ACH Risk Assessment
- Contingency plan for termination of the relationship
- Board of Directors (BOD) oversight of the third-party relationship program
- Include benchmarking within the reporting to the Board of Directors
The Nacha Operating Rules and Guidelines are clear that Third-Party Service Providers (TPSP), Third-Party Senders (TPS), Nested Third-Party Senders, as well as the Participating Depository Financial Institutions (DFIs) are to perform an annual ACH audit by December 31st. Additionally, they are required to conduct a risk assessment based on the risks associated with that relationship. Typically, this occurs once a year, but it could be more frequent, especially in the event of a change in the relationship. In my opinion, I would not suggest having a risk assessment completed less than every 2 years, but again, this should be determined based on the risks inherent in that relationship. Events that would typically trigger a risk assessment outside the regular schedule, based on the risks, could include:
- Change in business line (e.g. move to online store and/or orders, originally served CPA firms but now include healthcare organizations, strictly payroll companies but now include debt collectors, etc.)
- Change in ownership – Beneficial Owners have changed
- Change of system used for initiating payments (e.g. moved from QuickBooks (Intuit) to another software provider)
- Breach or security incident
- Increase in returns and/or exceeded allowances for returns according to Nacha Rules
- Increase in Rules violations within File format (e.g. rejects, unapproved SEC codes, etc.)
- Excessive over-exposure-limit approval requirements
- Unexplained Reversals
- Insufficient funds for settlement
- Increase in requests for Proof of Authorization (POA)
- Finding from an audit or regulator examination
- Suspicious activity alerts from AML system
- News sources claiming criminal or suspicious activity on part of company or beneficial owners
- Consumer reporting complaints on third-party
- Reported Suspicious Activity Report (SAR) completed by internal compliance department or made aware of another financial institution that has filed a SAR
- Transaction monitoring system or process has indicated that the risks have increased (e.g. moved from medium risk to high risk)
- Notifications of Change (NOCs) have increased due to incorrect account numbers or routing numbers
- Micro-Entries (if used) or Prenotifications (if used) have increased or spiked
Even though it is known that the ODFI is responsible for everything their Third-Parties and Originators do, legally an agreement intends to shift the liability as much as possible and spells out how this relationship is expected to play out. This includes how the relationship is to end or be terminated. Besides the risks of the ACH Entries themselves, contract law risks go well beyond the payment. Data privacy, confidentiality, OFAC requirements, contingency plans, security incidents and breach, right to audit, warranties, transparency, even litigation location fall under potentially different statutes depending on federal, county, and state. Not having solid agreements in place and making sure the Third-Party has solid agreements in place would be like driving a car without insurance. It’s an accident waiting to happen.
As we wrap up, do you have any words of wisdom for ensuring that third parties and fintech partners truly understand their obligations under the Nacha Operating Rules or other payment system rules when they are onboarded by a financial institution?
Get a plan in place. What is your strategic initiative? How are you going to achieve success?
Do your research. Utilize the resources you have available. Your Payments Association, UMACHA. The Third-Party Payment Processors Association (TPPPA). Payment professionals in the industry (like me 😊). Third-Party Service Providers and consultants. Association of Financial Professionals (AFP), both local chapters and the national chapter. Compliance professionals, internally and externally.
Just don’t do this ALONE! And don’t believe you can do this manually. Don’t be afraid to ask your regulator. And finally, get the agreements in place and approved by your legal advisor!
Managing Third-Party & Fintech Relationships Symposium
Did you miss our Managing Third-Party and Fintech Relationships Symposium? Don’t worry – we recorded the event and are happy to announce it is now available on-demand for immediate download. The event included a fantastic lineup of guest speakers from American Fintech Council, Troutman Pepper LLP, Kelley Drye & Warren LLP, Southern Financial Exchange, Q2, Adams & Reese Law LLP, TPPPA, and Nanci McKenzie, LLC.
About the Interviewee: Nanci McKenzie, JM, AAP, APRP
Nanci McKenzie is an experienced speaker and a recognized expert in the field of payment technology. With over 38 years of experience in the payment technology industry, Nanci has a wealth of knowledge and expertise in payment processing, fraud prevention, and risk management.
Throughout her career, Nanci has been a frequent speaker at industry events and conferences, and her presentations are known for their practicality and relevance to current trends and challenges in the payment technology industry. Her ability to communicate complex concepts in a clear and concise manner has made her a sought-after speaker and trusted advisor to many organizations.
Nanci holds a B.S. in Business and Information Management from Seminole State College and a Juris Master's degree in Financial Regulation & Compliance from Florida State University College of Law. She is currently working toward her Master of Legal Studies from Thomas R. Kline College of Law at Drexel University in two concentrations, Financial Regulatory Compliance and Cybersecurity and Data Privacy. She is also an Accredited ACH Professional (AAP) and an Accredited Payments Risk Professional (APRP).
Disclaimer: The views expressed in this interview are solely those of Nanci McKenzie and may not reflect the views of UMACHA. Opinions expressed in this post are intended to provide education, but they do not represent or constitute legal advice.
Stay connected with Eric Wester, Nanci McKenzie, and UMACHA on LinkedIn!