Brave New World: Adjusting to and Regulating Emerging Technologies

Welcome to the July 2021 edition of our newsletter!  In this issue, we’ll examine how emerging technologies and services are spurring new layers of oversight for financial institutions.

Banking Regulators Try to Catch Up to Innovations

Spurred on in part by the pandemic, several disruptive industries have grown tremendously in the past few years, from “fintech” companies innovating to compete with traditional banking to an expansion of third-party vendors used for accounting and other functions that were once kept in-house.  The outsourcing of these functions can reduce costs and create efficiency, but financial regulators have begun to be concerned that their rapid growth may create gaps in oversight.

Several federal banking regulators recently issued a nearly 90-page guidance document on this topic also addresses issues like data privacy and security among such vendors, and will be open for public comments before more formal adoption.  “The use of third parties by banking organizations does not remove the need for sound risk management,” the guidance said in part.  “On the contrary, the use of third parties may present elevated risks to banking organizations and their customers.  Banking organizations’ expanded use of third parties, especially those with new or innovative technologies, may also add complexity, including in managing consumer compliance risks, and otherwise heighten risk management considerations.  A prudent banking organization appropriately manages its third-party relationships, including addressing consumer protection, information security, and other operational risks.  The proposed supervisory guidance is intended to assist banking organizations in identifying and addressing these risks and in complying with applicable statutes and regulations. … The proposed guidance provides examples of third-party relationships, including use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a banking organization has an ongoing relationship or may have responsibility for the associated records. The proposed guidance also describes additional risk management considerations when a banking organization entertains the use of foreign-based third parties.”

As with many compliance-related endeavors, knowing your vendor is as key as knowing your customer.  For financial institutions and other industries within the space, understanding the history of a vendor is critical.  What is their track record and reputation within the industry?  Although newer companies may lack such a history, their principals likely will not.  In some ways, the guidance is an effort akin to European data protection regulations, calling for increased security of sensitive information.  With that context in mind, a thorough vetting of potential new vendors – and perhaps of existing vendor relationships — will serve companies in all industries well, as an interconnected business environment responds to an equally evolving regulatory regime.