Banks that lack proper oversight to identify, measure, and control risks with third-party fintech vendors may face a greater risk of regulatory action from U.S. agencies (at a time when those agencies have been issuing more cease-and-desist orders overall). S&P Global Ratings thinks this is especially true for smaller banks that are offering products through fintech partners because they may lack the more robust risk management frameworks that larger banks have.
What's Happening
U.S. regulators in the last year have announced cease-and-desist orders against multiple banks that partner with fintechs--primarily for insufficient third-party risk management. Most of the orders that have been announced recently involve banks with under $10 billion in total assets. These banks will likely need to strengthen their risk management and compliance efforts to comply with these orders or reevaluate their fintech relationships.
Why It Matters
There has been an uptick in cease-and-desist orders related to third-party risk management since three key regulators updated their guidance on the issue in June 2023. The interagency guidance from the Federal Deposit Insurance Corp., Federal Reserve, and Office of the Comptroller of the Currency focuses on how banks should manage risks from third-party relationships. For example, it states, "It is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly."
We think U.S. banks are partnering with fintechs to gain customers and enhance revenue. Small banks may lack the resources to build tech products in-house, and they may look to partner with fintechs to stay competitive with larger banks that have significant tech budgets. While partnerships can increase revenue for these banks, they also come with risks and costs, in our view:
- Banks typically have higher regulatory and compliance standards than many lightly regulated fintechs.
- Some smaller banks may lack the scale to ensure robust risk-management frameworks for managing third-party fintech relationships.
- Banks partnering with fintechs may need to increase compliance costs to satisfy regulatory expectations.
- If the costs of satisfying those expectations are too high, we think banks may be more selective about these partnerships or explore other strategies to remain competitive, such as increasing scale through mergers and acquisitions (M&A).
What Comes Next
Smaller U.S. banks may become more cautious about expanding fintech partnerships because of the scrutiny and costs involved. We think this favors the largest banks with the largest technology and compliance budgets--they'll be able to further build their market positions in the U.S.
We think community banks and small regional banks will continue to pursue M&A to attain the necessary scale to meet higher regulatory compliance costs or develop more competitive products through continued investment in technology.
Outsourcing arrangements that entail third-party reliance and risks will get more scrutiny from global regulators. Vulnerabilities in IT infrastructure, which includes outsourcing partners, can be entry points for cyber criminals.
In the EU, some of the increased scrutiny will come via the Digital Operational Resilience Act--a regulation that, among other things, outlines key principles for managing information and communication technology (ICT) third-party risk. It will apply to financial institutions operating in the EU and their critical ICT providers beginning in January 2025.
Related Research
- Tech Disruption In Retail Banking: Country-By-Country Analysis 2023, Sept. 27, 2023
- The Future Of Banking: Adding A Banking License To Companies' Menus Might Be A Recipe For Success, Oct. 11, 2022
This report does not constitute a rating action.
| Primary Credit Analyst: | Nicholas J Wetzel, CFA, Englewood + 303-721-4448; nicholas.wetzel@spglobal.com |
| Secondary Contacts: | Brendan Browne, CFA, New York + 1 (212) 438 7399; brendan.browne@spglobal.com |
| Stuart Plesser, New York + 1 (212) 438 6870; stuart.plesser@spglobal.com | |
| Additional Contact: | Fintech_Lab; fintech_lab@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.