Third-Parties, Fintechs, and Financial Institutions: Understanding the Risk

Published on April 1, 2024

Interviewer: Eric Wester, AAP, APRP, NCP - UMACHA

Interviewee: Nanci McKenzie, JM, AAP, APRP - Nanci McKenzie, LLC, Independent Consultant

On the heels of UMACHA's Managing Third-Party & Fintech Relationships Symposium, we decided this would be a great opportunity to sit down with a recognized expert in the field of payments risk, Nanci McKenzie, owner of Nanci McKenzie, LLC, a consulting company.

As you will soon discover, Nanci is passionate about payments and risk. She was excited to sit down and discuss various aspects of risk management in today’s environment, where the interplay between Third-Party Service Providers (including Third-Party Senders), fintechs, and financial institutions continues to evolve, with the continued adoption of Banking as a Service (BaaS) among other banking services.

Let’s jump right into our discussion with Nanci!

Can you tell us a little bit about yourself, your new company, and generally, how you help support the payments industry?

I’m Nanci McKenzie. I recently became an independent consultant.

I have been in the middle of the fiNANCIal industry for 38 years, having worked in banks, a credit union, a core banking technology company, a Payments Association, and at a software technology company. I have held senior leadership positions at financial institutions and payment technology companies, where I oversaw product development, strategic planning, and deposit operations. I have a deep understanding of the payment technology landscape and the challenges that financial institutions face in this rapidly evolving industry.

There have been several regulatory findings over the last year or so related to financial institutions and their fintech partners, with a common theme seeming to surround BSA/AML programs. Do you have advice for financial institutions that are either contemplating entering a relationship with a fintech partner or for those who already have one or more fintech partners for whom they provide banking services?

A Third-Party Risk Management Program and a BSA/AML Program certainly do go hand in hand, and yes, there have been many regulatory findings, and I expect there to be many more. This is, in large part, because the regulators expect financial institutions to have a risk management and compliance program in place according to the recent (effective June 9, 2023) Interagency Guidance on Third Party Relationships: Risk Management (88 FR 37920). Here, the regulators clarify any third-party relationship includes any products or services the financial institution provides to any business arrangement that interacts with customers (in other words, consumers). The Know Your Customer (KYC) requirements of the Bank Secrecy Act (BSA), the need to identify the Beneficial Owners, and the required monitoring for Anti-Money Laundering (AML) connects the requirements of risk management over third-party relationships, which include a relationship a financial institution has with a fintech.

My advice to a financial institution that is involved in a relationship or is planning to expand its treasury management services to include third-party relationships, including fintech, is to make sure to:

Have qualified individual(s) that know and understand the banking regulations, interagency guidance, including the Federal Financial Institution Examination Council (FFIEC), and the Nacha Operating Rules and Guidelines
Have a policy and procedures in place that associate with the third-party relationships (and follow them!)
Ask your regulator what they will expect and look for during an examination
Make certain your legal advisor has approved the agreement(s) you are using for that relationship
Have a clear due diligence process which includes and follows the risk scoring/rating you have for that third-party relationship
- Identify the risks of that third-party relationship
- Include verification of an Information Security Program (SOC 2, ISO 27001, etc.)
Perform comprehensive periodic risk reviews once the initial onboarding process is complete
Perform Risk Assessment(s) at onboarding and periodically
Determine if the third-party is required under the Nacha Operating Rules to perform an annual ACH audit (by December 31) and an ACH Risk Assessment
Contingency plan for termination of the relationship
Board of Directors (BOD) oversight of the third-party relationship program
Include benchmarking within the reporting to the Board of Directors

We know that Third-Party Senders involved in payment processing, particularly ACH processing, are required under the Nacha Operating Rules to conduct a risk assessment. How often should Third-Party Senders be revisiting their risk assessment or conducting a new risk assessment? Are there events that should trigger a review of a previous risk assessment?

The Nacha Operating Rules and Guidelines are clear that Third-Party Service Providers (TPSP), Third-Party Senders (TPS), Nested Third-Party Senders, as well as the Participating Depository Financial Institutions (DFIs) are to perform an annual ACH audit by December 31st. Additionally, they are required to conduct a risk assessment based on the risks associated with that relationship. Typically, this occurs once a year, but it could be more frequent, especially in the event of a change in the relationship. In my opinion, I would not suggest having a risk assessment completed less than every 2 years, but again, this should be determined based on the risks inherent in that relationship. Events that would typically trigger a risk assessment outside the regular schedule, based on the risks, could include:

Change in business line (e.g. move to online store and/or orders, originally served CPA firms but now include healthcare organizations, strictly payroll companies but now include debt collectors, etc.)
Change in ownership – Beneficial Owners have changed
Change of system used for initiating payments (e.g. moved from QuickBooks (Intuit) to another software provider)
Breach or security incident
Increase in returns and/or exceeded allowances for returns according to Nacha Rules
Increase in Rules violations within File format (e.g. rejects, unapproved SEC codes, etc.)
Excessive over exposure limit approval requirements
Unexplained Reversals
Insufficient funds for settlement
Increase in requests for Proof of Authorization (POA)
Finding from an audit or regulator examination
Suspicious activity alerts from AML system
News sources claiming criminal or suspicious activity on part of company or beneficial owners
Consumer reporting complaints on third-party
Reported Suspicious Activity Report (SAR) completed by internal compliance department or made aware of another financial institution that has filed a SAR
Transaction monitoring system or process has indicated that the risks have increased (e.g. moved from medium risk to high risk)
Notifications of Change (NOCs) have increased due to incorrect account numbers or routing numbers
Micro-Entries (if used) or Prenotifications (if used) have increased or spiked

Can you speak to the importance of ensuring solid agreements exist between each participant in a chain of participants? For example, between an ODFI and a Third-Party Sender, and between a Third-Party Sender and the Originator of the ACH transactions?

Even though it is known that the ODFI is responsible for everything their Third-Parties and Originators do, legally an agreement intends to shift the liability as much as possible and spells out how this relationship is expected to play out. This includes how the relationship is to end or be terminated. Besides the risks of the ACH Entries themselves, contract law risks go well beyond the payment. Data privacy, confidentiality, OFAC requirements, contingency plans, security incidents and breach, right to audit, warranties, transparency, even litigation location fall under potential different statues depending on federal, county, and state. Not having solid agreements in place and making sure the Third-Party has solid agreements in place would be like driving a car without insurance. It’s an accident waiting to happen.

As we wrap up, do you have any words of wisdom for ensuring that third parties and fintech partners truly understand their obligations under the Nacha Operating Rules or other payment system rules when they are onboarded by a financial institution?

Get a plan in place. What is your strategic initiative? How are you going to achieve success?

Do your research. Utilize the resources you have available. Your Payments Association, UMACHA. The Third-Party Payment Processors Association (TPPPA). Payment professionals in the industry (like me 😊). Third-Party Service Providers and consultants. Association of Financial Professionals (AFP), both local chapters and the national chapter. Compliance professionals, internally and externally.

Just don’t do this ALONE! And don’t believe you can do this manually. Don’t be afraid to ask your regulator. And finally, get the agreements in place and approved by your legal advisor!

Managing Third-Party & Fintech Relationships Symposium
Did you miss our Managing Third-Party and Fintech Relationships Symposium? Don’t worry – we recorded the event and are happy to announce it is now available on-demand for immediate download. The event included a fantastic lineup of guest speakers from American Fintech Council, Troutman Pepper LLP, Kelley Drye & Warren LLP, Southern Financial Exchange, Q2, Adams & Reese Law LLP, TPPPA, and Nanci McKenzie, LLC.

About the Interviewee: Nanci McKenzie, JM, AAP, APRP
Nanci McKenzie is an experienced speaker and a recognized expert in the field of payment technology. With over 38 years of experience in the payment technology industry, Nanci has a wealth of knowledge and expertise in payment processing, fraud prevention, and risk management.

Throughout her career, Nanci has been a frequent speaker at industry events and conferences, and her presentations are known for their practicality and relevance to current trends and challenges in the payment technology industry. Her ability to communicate complex concepts in a clear and concise manner has made her a sought-after speaker and trusted advisor to many organizations.

Nanci holds a B.S. in Business and Information Management from Seminole State College and a Juris Master's degree in Financial Regulation & Compliance from Florida State University College of Law. She is currently working toward her Master of Legal Studies from Thomas R. Kline College of Law at Drexel University in two concentrations, Financial Regulatory Compliance and Cybersecurity and Data Privacy. She is also an Accredited ACH Professional (AAP) and an Accredited Payments Risk Professional (APRP).

Disclaimer: The views expressed in this interview are solely those of Nanci McKenzie and may not reflect the views of UMACHA. Opinions expressed in this post are intended to provide education, but they do not represent or constitute legal advice.

Stay connected with Eric Wester, Nanci McKenzie, and UMACHA on LinkedIn!