Third-Party Risk Management in the Age of BaaS + Comptroller Hsu on tokenization and AI and other thoughts
Welcome to the next issue of Legal-tender: Your fin-tastic guide to the legal side of crypto and fintech.[1]
For this newsletter, I write about the following:
The prudential regulators finalized their third-party risk management guidance; I address some high-level concepts of the guidance and focus on their thoughts regarding contracting with third parties.
OCC Comptroller Hsu presented interesting remarks on tokenization and AI.
While regulation of crypto entities at the federal level remains a contested issue—with recent draft legislation and no clear path to a bill seemingly anytime soon—states continue to augment their money transmission laws to better include crypto. Texas and Louisiana are the latest examples.
Some quick hits with links to items I found interesting that may have flown under the radar.
If you enjoy my newsletter, please subscribe and share!
Third-Party Risk Management in the Age of BaaS
As most people reading this are likely aware, the OCC, FRB, and FDIC released their long-anticipated final Interagency Guidance on Third-Party Relationships: Risk Management (“Interagency Guidance”). While each agency had existing guidance, this guidance was quite dated for the FDIC.[2] Even though the FRB’s and OCC’s guidance were likewise dated, both had been updated or supplemented relatively recently.[3] Still, while the guidances overlapped in requirements, they weren’t uniform. Their prior guidances have been rescinded and replaced by the Interagency Guidance.
Interagency Guidance
High-Level Concepts
TL/DR:
Adopted a principles-based approach, emphasizing risk management principles over detailed rules.
Refused to tailor guidance to different types of banking organizations; all banks must calibrate their risk management based on their size, complexity, and risk profile.
The definition of “critical activities” is left to the discretion of individual banks.
- Principles-based approach guides regulators
The prudential regulators said they adopted a “principles-based approach” when finalizing their guidance. Choosing between a principles-based and a prescriptive approach is hard, especially in fast-moving industries where regulators are unlikely to keep pace in providing formal guidance.
Choosing a principles-based approach colors many of their changes from the draft proposal as well as their lack of specificity in particular areas of managing third-party relationships. This lack of specificity is evident in the BaaS context, where the term itself is not used. The concept is only alluded to (the closest the agencies come is the term “subcontractors” for entities used by the third party). Instead, the prudential regulators emphasize that “longstanding principles of third-party risk management” apply to all third-party relationships.
With respect to comments about technological advances and innovation, the agencies recognize that some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements. Depending on the specific circumstances, including the activities performed, such relationships may introduce new or increase existing risks to a banking organization, such as those risks identified by some commenters. For example, in some third-party relationships, the respective roles and responsibilities of a banking organization and a third party may differ from those in other third-party relationships. Additionally, depending on how the business arrangement is structured, the banking organization and the third party each may have varying degrees of interaction with customers. Longstanding principles of third-party risk management set forth in this guidance are applicable to all third-party relationships, including those with fintech companies. Therefore, it is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed and determine how to manage those third-party relationships accordingly.
Thoughts: Unfortunately, it’s a lawyerly answer of “it depends.” I understand the prudential regulators’ rationale in adopting this approach. But because many BaaS models present different customer interactions with banks, some further formal guidance would have been appreciated here.
That said, I believe regulators are still catching up to this new dynamic. And more informal guidance is likely to come out through (best case scenario) speeches and other such statements and (worst case scenario) through enforcement actions. Nonpublic guidance will likely come through examinations; hopefully, the Interagency Guidance will (i) lead the prudential regulators to develop a more consistent approach to examinations of banks and their fintech and BaaS relationships and (ii) prompt them to update their examination manuals.
- Reject tailored approach for different banking organizations
Some commenters requested that the guidance be tailored, for example to address the fact that smaller banks have different needs and resources than larger banks, including by creating some form of a “safe harbor.” The agencies refused these requests and reiterated that the Interagency Guidance is relevant to all banks. The agencies require that each bank analyze the risks associated with the third-party relationship and calibrate its risk management process based on the bank’s size, complexity, and risk profile.
Thoughts: This approach makes sense but with the same caveat as above. The lack of greater formal clarity and guidance on BaaS infrastructure and fintech relationships where the bank may have limited direct contact with consumers hinders, to some degree, this goal of not tailoring the approach. These challenges may become more acute as open banking becomes more prevalent in the U.S., especially once the CFPB finalizes its 1033 rules (expected next year).
Further, the agencies stated that they “plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks.” Ideally, these tools/resources would be available now. So we’ll have to wait to see what these resources are when published.
- What are “critical activities”?
The proposed guidance borrowed heavily from the OCC’s FAQ question 8 regarding what constituted “critical services,” but left out a key component: not every relationship involving critical activities is necessarily a “critical third-party relationship.” The agencies, smartly IMO, did delete reference to “significant bank function”—even though the OCC FAQ gave examples—because of its imprecision. And the agencies eliminated some examples from what constitutes “critical activities,” such as “if the bank needs to find an alternate third party or if the outsourced activity has to be brought in-house.”
The agencies chose their approach “to improve clarity and emphasize flexibility.” As with above, the agencies are giving banks discretion to determine which activities are critical.
Interagency Guidance on Contract Negotiations
TL/DR
Banks must assess the acceptability of contract terms and understand each party's roles and responsibilities.
Performance measures in SLAs should discourage imprudent behavior.
Third parties need to inform banks about key strategic or operational changes.
Banks should set clear reporting requirements and maintain the right to audit third parties.
Contractual clauses must consider potential damages, remedies, and the third party's financial resources.
Third parties should meet the bank's insurance requirements.
In BaaS relationships, entities brought to the bank by the third party are considered critical, necessitating detailed contractual obligations.
- Analysis
A fulsome overview of all sections is beyond this article. Instead, being an attorney, I’ll focus primarily on the section addressing “Contract Negotiation.”
In short, this section focuses on protecting the bank. The agencies emphasize that banks need to determine if the contract terms are acceptable to the bank, especially if the bank has limited negotiating power. At the outset, the bank needs to understand the “nature and scope of [the] arrangement.”
This can also be called the narrative: what role is each party playing? While this may seem straightforward, clearly understanding what role the bank will play and what role the third party will play is essential to successfully (i) identifying the risks involved in the potential relationship, and (ii) mitigating the risks through various contractual clauses.
The next few points are in bullet form:
SLAs. The agencies warn that performance measures should not incentivize “imprudent performance or behavior.”
Providing, receiving, and retaining information. While many points the agencies make seem straightforward, a couple are worth calling out:
Notifying the bank when significant strategic or operational changes occur, including the use of subcontractors and key personnel changes. Changes such as mergers and acquisitions are straightforward, but receiving notice when “critical” subcontractors change or when the primary person overseeing the relationship or implementation changes or leaves may not always be top of mind when negotiating. But both should be.
Reporting - the bank should clearly determine what reports it wants from the third party and when it wants them. Proper reporting—and internal infrastructure to absorb and use the reports—is necessary for tracking the third party’s performance during the agreement.
Right to audit and remediation. The right to audit is generally two rights - the bank’s right to audit the third party, and the bank’s right to require that the third party and relevant subcontractors undergo independent audits. The Interagency Guidance emphasizes SOC reports and PCI reports. Still, depending on the nature of the services provided, more fulsome reports, such as regulatory compliance and agreement compliance audits, may be prudent to have.
Indemnification and Limitation of Liability. These typically do not need any introduction. They are often the most negotiated and contentious elements to any agreement. Here, banks need to assess not only the possible damages and remedies, but whether the third party will have such resources should these clauses come into play. And this ties into the next point.
Insurance. Banks frequently have set requirements for insurance; ensuring that their third-party partner can meet these obligations is critical, especially if the partner is a BaaS provider bringing new products to the bank (and in such situations, it may require a review of the bank’s own insurance requirements to assess whether higher coverage tiers are required).
And finally - “subcontracting.” This is a primary area where I wish the guidance better reflected a distinction between types of subcontractors and directly addressed that some subcontractors may be entities with direct forward-facing customer interaction. The Interagency Guidance alludes to it - “if the banking organization uses third parties for higher-risk activities, including critical activities.” Therefore, I think the best takeaway is to conclude that in a BaaS relationship, the entities the BaaS brings to the bank are critical. For such relationships, “it is important to consider more detailed contractual obligations, such as reporting on the subcontractor’s conformance with performance measures, periodic audit results, and compliance with laws and regulations.”
Conclusions
Overall, having unified guidance is good. This new Interagency Guidance marks an important step toward a more uniformly regulated banking environment. I expect more tools and resources to follow this initial publication, especially for smaller entities. The future developments in this sector will be crucial in shaping the fintech landscape.
OCC Comptroller Stresses Responsible Adoption of Tokenization and AI in Banking
In a speech at the American Bankers Association Risk and Compliance Conference, Acting Comptroller of the Currency Michael J. Hsu addressed the rapidly evolving landscape of tokenization and artificial intelligence in the banking industry. Hsu emphasized the potential benefits and risks of these technologies while underscoring the importance of responsible innovation and prudent adoption.
TL/DR
Tokenization: Hsu highlighted the benefits of tokenization in enhancing settlement efficiency by reducing frictions, costs, and risks associated with transactional lags. However, he cautioned against the risks of the crypto industry, emphasizing the need for trusted blockchains and the development of legal frameworks to support tokenization.
AI: Hsu discussed the challenges of aligning AI systems with human values and addressing bias and discrimination. He raised concerns about AI-enabled fraud and the spread of harmful misinformation. Hsu advocated for a risk and compliance approach to AI adoption, emphasizing the importance of engaging regulators and implementing measures to mitigate risks.
Hsu’s Thoughts on Tokenization
Tokenization, driven by blockchain technology, was a key focus of Hsu's remarks. He highlighted its ability to enhance settlement efficiency by reducing frictions, costs, and risks related to transactional lags. By representing real-world assets and liabilities as tokens on trusted blockchains, banks can streamline transaction processes and eliminate intermediaries, resulting in significant cost savings and faster finalization of transactions.
However, Hsu cautioned against the risks inherent in the crypto industry. He pointed out the market's immaturity and susceptibility to fraud, scams, and hacks, and the challenges of anti-money laundering compliance. Hsu noted the design flaw of "trustlessness" in public blockchains, highlighting the inefficiencies and the trilemma between decentralization, security, and scalability.
In contrast, Hsu suggested that centrally operated, trusted blockchains could provide greater security and scalability. Embracing the concept of trusting a blockchain operator, instead of pursuing complete trustlessness, could enhance efficiency and regulatory compliance. These "trusted blockchains" have the potential to facilitate secure and efficient settlement processes through tokenization without the limitations of decentralization.
Despite the promise of tokenization, Hsu stressed the need for further development of legal frameworks and risk management capabilities. Establishing clear ownership and property rights of tokens, especially across jurisdictions and in bankruptcy scenarios, is essential for ensuring safe and fair transactions. Hsu emphasized the importance of building the necessary legal foundations to support the tokenization of real-world assets.
Hsu’s Thoughts on AI
Turning to AI, Hsu highlighted the challenges associated with aligning AI systems with human values and desired behavior. Unlike traditional software, AI systems learn from training data, making their outputs less predictable. This raises concerns surrounding governance and accountability. Hsu called for ongoing research and clear guidelines on responsibility and accountability to address this alignment problem effectively.
Moreover, Hsu emphasized the importance of addressing bias and discrimination in AI systems. Biased training data can lead to unfair outcomes, and even unbiased decision-making at the individual level may result in disparities at the group level. In consumer lending, where AI adoption can impact wealth inequality, it is crucial to foster discussions and implement measures that mitigate bias and ensure fair outcomes.
The potential for AI-enabled fraud and the spread of harmful misinformation were also areas of concern raised by Hsu. The ability of AI agents to mimic human communication increases the risk of fraud, while disseminating misinformation through AI and social media platforms poses significant challenges. Hsu stressed the need for banks and regulators to enhance their defense mechanisms and strategies to effectively combat these evolving risks.
To navigate these challenges, Hsu advocated for a risk and compliance approach to AI adoption. Banks should adopt AI in stages, integrating risk management measures alongside innovation. Engaging regulators early and seeking their approval is essential for maintaining public trust and ensuring long-term success.
For Hsu, collaboration between banks and regulators is crucial. Regulators must stay informed about AI developments, be responsive, and balance promoting innovation and upholding prudential standards. By adopting responsible practices and seeking regulatory approval, Hsu argues that the banking industry can harness the benefits of tokenization and AI while mitigating risks, ensuring the responsible integration of these technologies in the banking sector.
In conclusion, Hsu emphasized the significance of responsible adoption of tokenization and AI in the banking industry. While these technologies offer immense potential, Hsu believes that addressing challenges related to alignment, bias, fraud, and misinformation is crucial. By adopting a risk and compliance approach and collaborating with regulators, Hsu asserts that banks can harness the benefits while mitigating risks, ensuring the responsible integration of tokenization and AI in the banking sector.
US Open Banking Updates
In a blog post, CFPB Director Rohit Chopra addressed the foundation for open banking in the US. The CFPB plans to introduce a new personal data rights rule that will set expectations for the market and enable consumers to exercise their data rights without being trapped by powerful incumbents or losing control of their information. While the CFPB recognizes the need to address core issues, it also emphasizes the importance of market-driven standards and collaboration with industry stakeholders to ensure fair and inclusive open banking practices.
While the CFPB expects to finalize the rule in 2024, it encourages the development of industry open banking standards that allow consumers to exercise their personal financial data rights. The CFPB will closely monitor attempts by dominant firms to limit consumer control and prioritize maintaining competition within the open banking ecosystem. By fostering a market where consumers have greater access, control, and choice, the CFPB seeks to create an open banking system that promotes innovation, safeguards privacy, and enhances the overall financial well-being of American consumers and businesses.
States continue to revise their money transmission laws to address digital assets
Texas enacts law regulating digital asset service providers
The Texas governor recently signed HB 1666, which further regulates “digital asset service providers” beyond the requirements contained within Texas’s money transmission law. The bill takes effect September 1st. [Note: the Texas governor also signed SB 895, which enacts the Money Services Modernization Act; that bill is not covered in this newsletter, and I am just noting it should anyone be interested in reading it.] Below is a summary:
Definitions: “Digital asset service provider” means an electronic platform that facilitates the trading of digital assets on behalf of a digital asset customer and maintains custody of the customer’s digital assets.
Applicability: This bill applies to digital asset service providers operating in Texas that hold a money transmission license and either serve more than 500 digital asset customers in the state or have at least $10 million in customer funds. The bill does not apply to banks or entities exempted by commission rule or order.
Duties of Digital Asset Service Providers: Digital asset service providers are not allowed to commingle customer funds with their own funds or use customer funds for non-customer transactions. They must maintain customer funds not subject to Texas’s money transmission law in separate accounts or an omnibus account that only contains digital assets of customers.
Customer Transparency and Reporting: Service providers must enable customers to view their account details and outstanding liabilities at least quarterly. Providers also need to submit a report annually to the Texas Department of Banking with an attestation of outstanding liabilities to customers, evidence of customer assets held, and an attestation by an auditor confirming the report's accuracy.
Audit Requirements: The bill details audit requirements for digital asset service providers.
Money Transmission License: To obtain and maintain a money transmission license, digital asset service providers must comply with this bill's requirements. The department may suspend or revoke a license if the provider violates the bill's provisions.
Louisiana’s new law modifies its Virtual Currency Business Act
The Louisiana governor signed SB 185 in June, and the bill modifies Louisiana’s Virtual Currency Business Act. At a high level, the legislation establishes a more comprehensive set of regulations around virtual currency business activities, adding definitions for several key terms, refining licensing requirements, and stipulating more stringent operational protocols for businesses engaging in cryptocurrency transactions. The main elements of the law are as follows:
Definitions: The law defines additional terms used in the context of virtual currency, such as “blockchain,” “mining,” “minting,” and others.
Licensure and Regulation: Virtual currency businesses are still required to be licensed, with more stringent criteria for obtaining a license. These include a detailed business plan, financial projections, anticipated business volume, and evidence of a surety bond. Additionally, a comprehensive background report is needed for any person who has lived outside the U.S. in the past ten years.
License Application Process: The law extends the timeframe for acceptance or denial of a license application from 30 to 60 days and sets out prerequisites for license issuance, including providing a surety bond, demonstrating tangible net worth, and paying all costs and fees.
Tangible Net Worth: A tiered system for determining the necessary tangible net worth of a licensee is introduced. Several factors may influence the commissioner's decision in this regard.
Licensee Responsibilities: Licensees are required to hold the same type and amount of virtual currency as they are storing, holding, or maintaining for a resident. They are prohibited from using this currency unless explicitly directed by the resident. Importantly, the law allows licensees to commingle their own virtual currency with that of residents, provided their own assets are deemed resident assets. The licensee can only withdraw or assert a claim on the amount that exceeds the total resident assets held.
Reporting and Record-keeping: The law maintains the requirement for quarterly financial reports and introduces a new stipulation for licensees to keep records of their virtual currency activities for at least five years. Licensees must also adopt and implement written compliance policies and procedures.
Enforcement: The commissioner has broad powers to enforce the law, including suspending licenses under certain circumstances, such as failure to maintain a surety bond or conviction of a felony. Non-compliance with the law may result in penalties.
Risk Disclosure: Licensees are required to provide clear and accurate disclosures about the material risks associated with their virtual currency products, services, and activities. A failure to comply with this requirement is deemed a violation.
Quick hits
Federal Reserve Chair Jerome Powell: “We do see payments stablecoins as a form of money, and in all advanced economies, the ultimate source of credibility in money is the central bank,” Powell said. “We believe that it would be appropriate to have quite a robust federal role in what happens in stable coins going forward.”
Senator Chuck Schumer: “Now let me share my second proposal – a new legislative approach for translating this framework into legislative action. Later this fall, I will convene the top minds in artificial intelligence here in Congress for a series of AI insight forums to lay down a new foundation for AI policy.”
“Hong Kong, determined to reclaim its fintech crown and rival Singapore, is poised to become a thriving crypto hub by considering the inclusion of retail investors in cryptocurrency trading. The city-state is reportedly giving a nudge to major banks, urging them to hop on the bandwagon and embrace crypto exchanges as clients after announcing a clear regulatory framework that aims to encourage innovation.”
“Developing digital identity infrastructure such that counterparties know who they are trading with is critical to getting large institutions involved in decentralized finance (DeFi), said Joseph Chalom, head of strategic partnerships at BlackRock, at the State of Crypto Summit held by Coinbase and the Financial Times in New York on Thursday.”
I am providing this information generally; this information is not legal advice and not intended to apply to any specific legal or factual situation. By reading or subscribing to this newsletter, you are not forming an attorney-client relationship with me, or with Ketsal PLLC. These views are my own—especially the wrong ones—and do not represent Ketsal. If you need legal advice or have questions requiring an attorney, please reach out to an attorney you trust.
[2] The FDIC “Guidance for Managing Third-Party Risk” was released in June 2008.
[3] The FRB’s “Guidance on Managing Outsourcing Risk” from 2013 was updated in February 2021, and the OCC’s “Third-Party Relationships: Risk Management Guidance” bulletin was supplemented by its FAQs.