COVID-19 Update – Our firm is fully operational. Read the Latest

What We Know

FDIC Seeks to Supplement Vendor Management FIL with Third Party Lending Guidelines

August 15, 2016 | by Caren D. Enloe

As vendor management continues to be a key issue for regulators, the FDIC has issued its Proposed Guidelines for Third-Party Lending. The deadline to comment was originally September 12, 2016, and was extended through October 27, 2016, in response to several requests for an extension of time.

In its proposal, the FDIC outlines the risks associated with third party lending, sets forth its minimum expectations for associated risk management systems, its supervisory considerations and the examination procedures related to third party lending.

Here are the highlights:

The Proposed Guidelines define third-party lending as being an arrangement that relies on a third party to perform a significant aspect of the lending process.  It includes situations where the insured institution originates loans for third parties, situations where the insured institution originates loans through third party lenders or jointly with third party lenders and situations where the institution originates loans using third party platforms.

The Proposed Guidelines make clear that an institution’s board of directors and senior management are ultimately responsible for managing third party lending arrangements and cannot divest itself of liability.

The Proposed Guidelines reiterate much of what is set forth in FIL-44-2008 regarding third party risk management.

Specifically, the proposal makes clear that risk management programs should consider the following risks: strategic, operational, transaction, pipeline and liquidity, model, credit, lending compliance, consumer compliance, and BSA/AML.

**In that regard, the Proposal requires institutions engaged in third-party lending to develop risk management programs that incorporate:

–Strategic planning which establishes the risk tolerance limits and ensures necessary management, staffing, and expertise to properly manage, oversee, and audit third party lending relationships. Strategic planning should also address and incorporate exit strategies and backup plans for third-party lending arrangements that do not go as planned;

–Third-Party Lending Policies that at a minimum:

  • Limit the total capital for each third party arrangement and the program overall;
  • Establish policies and additional requirements for selecting and establishing third-party lending relationships;
  • Establish minimum performance criteria, requirements for independent review of each third party, and oversight management for each third-party relationship;
  • Establish monitoring to identify, assess, and mitigate risk including fair lending;
  • Establish reporting processes including board reporting;
  • Require access to data and other program information;
  • Defines permissible loan types;
  • Establish underwriting, administration and quality standards;
  • Establish a consumer complaint process;
  • Address capital and liquidity support and allowance for loan and lease concerns;
  • Ensure the compliance officer has adequate authority, resources, accountability, and knowledge to ensure compliance with relevant consumer protection laws and regulations that apply to each third-party lending arrangement; and
  • Maintain an appropriate training program for the institution and ensure that third party personnel maintain and institute the same.

–The Proposed Guidelines also make it clear that all proposed third-party lending arrangements should fit within the institution’s strategic plan and business model.

–Additionally, third-party lending relationships require ongoing oversight and due diligence, and sets forth the FDIC’s minimum expectations that include such matters as:

  • Policies and procedures;
  • Credit quality of loans solicited or underwritten;
  • Management information systems;
  • Compliance management systems;
  • Consumer complaints;
  • Litigation or enforcement actions;
  • Information security programs;
  • Compliance with relevant guidance, regulations, and laws regulating the loans; and
  • Repurchase activity and volume.

–The Proposal sets forth the minimum expectation that institutions understand the models used by third-party lenders to ensure they are consistent with the institution’s underwriting and loan policies and compliance with applicable consumer protection laws, among other things.

–Like other third-party relationships, third-party lending relationships should be memorialized by a contractual agreement establishing the parties’ rights and the lender’s expectations. The Proposed Guidelines reiterate that contractual agreements should address:

  • Indemnification, representations, warranties, recourse and other protections to limit the institution’s exposure;
  • Termination rights;
  • The Institution’s right to require the third party to implement policies and procedures for any function or activity it outsources to the third party; and
  • Allow the institution full access to information or data necessary to perform its risk and compliance management responsibilities.

–The FDIC expects that credit underwriting and administration guidelines will be established by the institution and not the third party.

–Partnering with third parties does not relieve the institution from ultimate responsibility for compliance with all applicable laws and regulations, including consumer protection and fair lending. “Third parties that have direct contact with borrowers, develop customer-facing documents, or provide new, complex, or unique loan products require enhanced compliance-related due diligence and oversight by the institution to ensure areas of potential consumer harm are identified and mitigated…and should be particularly attuned to potential elevated fair lending risks.”

–Institutions engaged in significant lending activities through third parties will receive increased supervisory attention, including concurrent and more frequent examinations.


The proposal should come as no surprise to lenders who have been monitoring the recent enforcement actions and continued focus on third party vendor management issues from all regulators. As the FIL will apply to all FDIC-supervised institutions engaged in third-party lenders, FDIC institutions should reassess their risk management programs and compliance management systems to ensure all are in compliance with the proposed guidelines.

Caren Enloe leads Smith Debnam’ s consumer financial services litigation and compliance group. In her practice, she defends consumer financial service providers and members of the collection industry in state and federal court, as well as in regulatory matters involving a variety of consumer protection laws.  Caren also advises fintech companies, law firms, and collection agencies regarding an array of consumer finance issues. An active writer and speaker, Caren currently serves as chair of the Debt Collection Practices and Bankruptcy subcommittee for the American Bar Association’s Consumer Financial Services Committee. She is also a member of the Defense Bar for the National Creditors Bar Association, the North Carolina State Chair for ACA International’s Member Attorney Program and a member of the Bank Counsel Committee of the North Carolina Bankers Association. Most recently, she was elected to the Governing Committee for the Conference on Consumer Finance Law. In 2018, Caren was named one of the “20 Most Powerful Women in Collections” by Collection Advisor, a national trade publication. Caren oversees a blog titled: Consumer Financial Services Litigation and Compliance dedicated to consumer financial services and has been published in a number of publications including the Journal of Taxation and Regulation of Financial Institutions, California State Bar Business Law News, Banking and Financial Services Policy Report and Carolina Banker.  ...LEARN MORE

Shape919.250.2000 noun_20940@smithdebnamlaw