FDIC Seeks to Supplement Vendor Management FIL with Third Party Lending Guidelines

As vendor management continues to be a key issue for regulators, the FDIC has issued its Proposed Guidelines for Third-Party Lending. The deadline to comment was originally September 12, 2016, and was extended through October 27, 2016, in response to several requests for an extension of time.

In its proposal, the FDIC outlines the risks associated with third party lending, sets forth its minimum expectations for associated risk management systems, its supervisory considerations and the examination procedures related to third party lending.

Here are the highlights:

The Proposed Guidelines define third-party lending as being an arrangement that relies on a third party to perform a significant aspect of the lending process.  It includes situations where the insured institution originates loans for third parties, situations where the insured institution originates loans through third party lenders or jointly with third party lenders and situations where the institution originates loans using third party platforms.

The Proposed Guidelines make clear that an institution’s board of directors and senior management are ultimately responsible for managing third party lending arrangements and cannot divest itself of liability.

The Proposed Guidelines reiterate much of what is set forth in FIL-44-2008 regarding third party risk management.

Specifically, the proposal makes clear that risk management programs should consider the following risks: strategic, operational, transaction, pipeline and liquidity, model, credit, lending compliance, consumer compliance, and BSA/AML.

**In that regard, the Proposal requires institutions engaged in third-party lending to develop risk management programs that incorporate:

–Strategic planning which establishes the risk tolerance limits and ensures necessary management, staffing, and expertise to properly manage, oversee, and audit third party lending relationships. Strategic planning should also address and incorporate exit strategies and backup plans for third-party lending arrangements that do not go as planned;

–Third-Party Lending Policies that at a minimum:

• Limit the total capital for each third party arrangement and the program overall;
• Establish policies and additional requirements for selecting and establishing third-party lending relationships;
• Establish minimum performance criteria, requirements for independent review of each third party, and oversight management for each third-party relationship;
• Establish monitoring to identify, assess, and mitigate risk including fair lending;
• Establish reporting processes including board reporting;
• Require access to data and other program information;
• Defines permissible loan types;
• Establish underwriting, administration and quality standards;
• Establish a consumer complaint process;
• Address capital and liquidity support and allowance for loan and lease concerns;
• Ensure the compliance officer has adequate authority, resources, accountability, and knowledge to ensure compliance with relevant consumer protection laws and regulations that apply to each third-party lending arrangement; and
• Maintain an appropriate training program for the institution and ensure that third party personnel maintain and institute the same.

–The Proposed Guidelines also make it clear that all proposed third-party lending arrangements should fit within the institution’s strategic plan and business model.

–Additionally, third-party lending relationships require ongoing oversight and due diligence, and sets forth the FDIC’s minimum expectations that include such matters as:

• Policies and procedures;
• Credit quality of loans solicited or underwritten;
• Management information systems;
• Compliance management systems;
• Consumer complaints;
• Litigation or enforcement actions;
• Information security programs;
• Compliance with relevant guidance, regulations, and laws regulating the loans; and
• Repurchase activity and volume.

–The Proposal sets forth the minimum expectation that institutions understand the models used by third-party lenders to ensure they are consistent with the institution’s underwriting and loan policies and compliance with applicable consumer protection laws, among other things.

–Like other third-party relationships, third-party lending relationships should be memorialized by a contractual agreement establishing the parties’ rights and the lender’s expectations. The Proposed Guidelines reiterate that contractual agreements should address:

• Indemnification, representations, warranties, recourse and other protections to limit the institution’s exposure;
• Termination rights;
• The Institution’s right to require the third party to implement policies and procedures for any function or activity it outsources to the third party; and
• Allow the institution full access to information or data necessary to perform its risk and compliance management responsibilities.

–The FDIC expects that credit underwriting and administration guidelines will be established by the institution and not the third party.

–Partnering with third parties does not relieve the institution from ultimate responsibility for compliance with all applicable laws and regulations, including consumer protection and fair lending. “Third parties that have direct contact with borrowers, develop customer-facing documents, or provide new, complex, or unique loan products require enhanced compliance-related due diligence and oversight by the institution to ensure areas of potential consumer harm are identified and mitigated…and should be particularly attuned to potential elevated fair lending risks.”

–Institutions engaged in significant lending activities through third parties will receive increased supervisory attention, including concurrent and more frequent examinations.

###

The proposal should come as no surprise to lenders who have been monitoring the recent enforcement actions and continued focus on third party vendor management issues from all regulators. As the FIL will apply to all FDIC-supervised institutions engaged in third-party lenders, FDIC institutions should reassess their risk management programs and compliance management systems to ensure all are in compliance with the proposed guidelines.