The agencies remain focused on third-party risks. Although the agencies have not established any new third party risk management requirements, including in last summer’s interagency guidance, these actions clearly convey ongoing concern about the complexity and growth of such arrangements - particularly when it comes to deposit-taking and fintechs. The statement on third party deposit arrangements serves as a reminder that banks need to carefully consider the implications of such arrangements and manage their risks in order to avoid reporting errors, compliance failures, or even violations of law. This statement likely emerges from repeated observations of issues with these expectations and may serve as a warning that the agencies intend to more closely scrutinize banks’ practices around third party deposit arrangements. They may also more directly evaluate the third parties themselves, as they are subject to supervisory examination and may be deemed Institution Affiliated Parties and subject to supervisory enforcement without limited liability protections. In order to prepare for this scrutiny, banks that obtain or manage deposits through third parties should carefully review these risks and practices with involvement from all three lines of defense to see where they may have gaps.
On the road to fintech guidance? As last summer’s guidance did not include guidance specific to fintechs, this RFI represents a step towards potential supplemental guidance to address unique considerations of these third-party relationships. Banks should use this as an opportunity to raise the aspects of their fintech partnerships that are not adequately addressed in the existing interagency guidance and would benefit from clarity on the agencies’ expectations. While awaiting further details, banks should follow the existing third party risk management guidance as closely as possible to gain assurance that third-party policies, practices, personnel, and models are in compliance with all relevant regulations.
The agencies clarify that these expectations would be included in bank supervision and examinations. They also commit to working with FinCEN to develop any necessary corresponding guidance and examination procedures.
Banks may already meet the expectations but would need to more thoroughly demonstrate compliance. While most financial institutions already conduct an AML risk assessment and many use it to drive the structure and resource allocation of their risk-based programs, the new requirements will mandate that institutions more explicitly demonstrate this linkage. Significantly, the requirements to incorporate distribution channels and intermediaries as well as the reports filed (e.g., SARs, CTRs) in their risk assessments will likely require many institutions to re-evaluate and update their risk assessment methodologies. In addition, as this rule would formally require institutions to incorporate the AML/CTF National Priorities for the first time, they should assess their potential exposure to each of the eight priorities and the specific controls in place for any associated risks. This baseline activity will aid institutions in meeting the forthcoming mandate to incorporate the National Priorities into their risk assessment process. The proposal’s requirement that financial institutions have persons responsible for the AML/CFT program based in the United States may also create challenges for financial institutions who have offshored significant elements of their compliance functions in recent years. While the proposal does not provide specific guidance on the extent of personnel needing to remain in the United States, financial institutions need to carefully weigh continued use of offshore centers for any management roles and responsibilities.
Formal requirements mean increased scrutiny and enforcement. Although the agencies note that this proposal largely formalizes existing expectations outlined in guidance, the elevation to rulemaking means that the expectations would become enforceable using mandatory orders, among other enforcement tools. As the proposal is likely to be finalized without significant changes to these expectations, companies should prepare for increased regulatory scrutiny of their AML/CFT programs and engage in the regulatory comment process to highlight any concerns, potential challenges, and areas requiring clarification to help shape the final regulations.
The rule does not set specific requirements for how institutions are to implement and structure the quality standards for their AVM use, instead opting for a principles-based approach that provides the flexibility to account for the size, risk and complexity of the institution. The rule covers (a) use of AVMs for determination of collateral value for credit decisions, which would exclude other uses such as monitoring value over time or validating an already completed valuation; (b) direct use of AVMs in determining the collateral value, which would exclude use of AVMs by qualified appraisers to assist with value determination; (c) valuation of residential collateral as part of consumer lending, which would exclude any application of AVMs in commercial lending, including small business loan underwriting; (d) valuation of the consumers’ primary dwelling, which would exclude any application of AVMs for underwriting investment properties or second homes; and (e) use only by mortgage originators and secondary market issuers.
High-level principles provide more flexibility than clarity. Although financial institutions generally appreciate flexibility in implementing requirements, this rule’s very high-level principles may not provide sufficient detail for firms to interpret and implement accurately and effectively in certain areas. For example, as many firms (especially smaller organizations) rely on vendor off-the-shelf AVMs, it may not be clear how they can protect against data manipulation if they have no control over or insight into what data their vendors use to develop the models and how the data was processed.
Complying with nondiscrimination laws may be easier said than done. Similarly, we expect that firms using vendor off-the-shelf AVMs, as well as AVM cascades frequently developed by third parties, will find it difficult to understand how they can comply with applicable nondiscrimination laws. In addition to facing the same transparency obstacles described above, many smaller firms likely have transaction volumes that are too low to meaningfully test valuations for discriminatory biases. Applying commonly-used bias/disparate impact measurement approaches would also be very challenging due to the fact that (a) it is impossible to measure “actual” real estate value as the basis for determining AVM error (human appraisals and actual transaction prices are likely to be tainted by the same biases one seeks to measure); and (b) identification of “similarly situated” properties for fair comparison would require significant simplifying assumptions that may drastically impair the reliability of the analyses.
Firms can leverage existing practices. Other requirements are more straightforward. For example, firms will be able to comply with the requirements to ensure confidence in estimates and require random sample testing by leveraging existing detailed regulatory guidance, such as the interagency guidance on model risk management. The requirement to “avoid conflicts of interest” may also be straightforward to implement, at least as it relates to the risk that an entity may “cherry pick” one preferred AVM value out of a range of values they can access from different vendor and/or internal automated valuation models. There are existing industry practices for developing and maintaining thorough multi-model AVM cascades that encompass measurement and reporting of a range of accuracy, bias and coverage metrics that entities can leverage to address this requirement.
Comment letters may flood in but to what end? The agencies have once again opened the door to a great opportunity for firms to provide constructive feedback - and pushback - around certain regulations. It is unclear how the regulators will respond to the large amounts of constructive ideas they will receive, and we do not anticipate that this initiative will lead to any major changes in policy direction. However, depending on the results of the upcoming election, a new Administration could use the feedback received from this initiative to loosen regulatory requirements.