FDIC Seeks to Supplement Vendor Management FIL with Third Party Lending Guidelines

As vendor management continues to be a key issue for regulators, the FDIC has issued its Proposed Guidelines for Third-Party Lending. The deadline to comment was originally September 12, 2016 and was extended through October 27, 2016 in response to several requests for an extension of time. 

In its proposal, the FDIC outlines the risks associated with third party lending, sets forth its minimum expectations for associated risk management systems, its supervisory considerations and the examination procedures related to third party lending.  Here are the highlights:

• The Proposed Guidelines defines third-party lending as being an arrangement that relies on a third party to perform a significant aspect of the lending process.  It includes situations where the insured institution originates loans for third parties, situations where the insured institution originates loans through third party lenders or jointly with third party lenders and situations where the institution originates loans using third party platforms.
• The Guidelines make clear that an institution’s board of directors and senior management are ultimately responsible for managing third party lending arrangements and cannot divest itself of liability.
• The Proposed Guidelines reiterate much of what is set forth in FIL-44-2008 regarding third party risk management.
• Specifically, the proposal makes clear that risk management programs should consider the following risks: strategic, operational, transaction, pipeline and liquidity, model, credit, lending compliance, consumer compliance, and BSA/AML.
• In that regard, the Proposal  requires that institutions engaged in third-party lending develop a risk management program that incorporates:
• Strategic planning which establishes the risk tolerance limits and ensures necessary management, staffing and expertise to properly manage, oversee and audit third party lending relationships.  Strategic planning should also address and incorporate exit strategies and back up plans for third-party lending arrangements that do not go as planned;
• Third-Party Lending Policies that at a minimum:
• Limits the total capital for each third party arrangement and for the program overall;
• Establishes policies and additional requirements for selecting and establishing third-party lending relationships;
• Establishes minimum performance criteria, requirements for independent review of each third party and oversight management for each third-party relationship;
• Establishes monitoring to identify, assess and mitigate risk including fair lending;
• Establishes reporting processes including board reporting;
• Requires access to data and other program information;
• Defines permissible loan types;
• Establishes underwriting, administration and quality standards;
• Establishes a consumer complaint process;
• Addresses capital and liquidity support and allowance for loan and lease concerns;
• Ensures the compliance officer has adequate authority, resources, accountability and knowledge to insure compliance with relevant consumer protection laws and regulations that apply to each third-party lending arrangement; and
• Maintains an appropriate training program for the institution and insure that third party personnel maintains and institutes the same.

• The Proposed Guidelines also make it clear that all proposed third-party lending arrangements should fit within the institution’s strategic plan and business model. 
• Additionally, third-party lending relationships require ongoing oversight and due diligence and sets forth the FDIC’s minimum expectations which include such matters as :
  • Policies and procedures;
  • Credit quality of loans solicited or underwritten;
  • Management information systems;
  • Compliance management systems;
  • Consumer complaints;
  • Litigation or enforcement actions;
  • Information security programs;
  • Compliance with relevant guidance, regulations and laws regulating the loans; and
  • Repurchase activity and volume.

• The Proposal sets forth the minimum expectation that institutions understand the models used by third-party lenders to insure they are consistent with the institution’s underwriting and loan policies and compliance with applicable consumer protection laws, among other things.
• Like other third party relationships, third-party lending relationships should be memorialized by a contractual agreement establishing the parties’ rights and the lender’s expectations.  The Proposed Guidelines reiterate that contractual agreements should address:
  • Indemnification, representations, warranties, recourse and other protections to limit the institution’s exposure;
  • Termination rights;
  • The Institution’s right to require the third party to implement policies and procedures for any function or activity it outsources to the third party; and
  • Allow the institution full access to information or data necessary to perform its risk and compliance management responsibilities.

• The FDIC expects that credit underwriting and administration guidelines will be established by the institution and not the third party. 
• Partnering with third parties does not relieve the institution from ultimate responsibility for compliance with all applicable laws and regulations, including consumer protection and fair lending.  “Third parties that have direct contact with borrowers, develop customer-facing documents, or provide new, complex, or unique loan products require enhanced compliance-related due diligence and oversight by the institution to ensure areas of potential consumer harm are identified and mitigated…and should be particularly attuned to potential elevated fair lending risks.”
• Institutions engaged in significant lending activities through third parties will received increased supervisory attention, including concurrent and more frequent examinations.

The proposal should come as no surprise to lenders who have been monitoring the recent enforcement actions and continued focus on third party vendor management issues from all regulators. As the FIL will apply to all FDIC-supervised institutions engaged in third-party lenders, FDIC institutions should reassess their risk management programs and compliance management systems to insure they are in compliance with the proposed guidelines.