Third-Party Oversight Requirements for Sponsor Banks

Sponsor bank third-party oversight requirements under OCC Bulletin 2023-17, FDIC FIL-44-2023, and FRB SR 23-4. Due diligence, monitoring, audit rights, and subcontractor management.

By Canarie Team

The 2023 interagency guidance on third-party relationships changed the oversight baseline for every bank. For sponsor banks, institutions whose core business involves providing charter access to fintech companies, the guidance raised expectations materially. Examiners now apply the full lifecycle framework from OCC Bulletin 2023-17, FDIC FIL-44-2023, and FRB SR 23-4 to every fintech relationship a sponsor bank maintains.

The scope is broad: due diligence before onboarding, contract terms that preserve audit and termination rights, ongoing monitoring with documented evidence, subcontractor management, and performance metrics that trigger action. Banks that treat fintech oversight as a periodic checklist rather than a continuous program are producing findings at an accelerating rate.

Key Takeaways:

  • The 2023 interagency guidance (OCC 2023-17, FDIC FIL-44-2023, FRB SR 23-4) applies the full third-party lifecycle framework to all fintech partnerships
  • Due diligence must be proportional to the risk of the relationship; BaaS partnerships with direct consumer exposure require the highest level of review
  • Ongoing monitoring requires documented evidence, not just an annual questionnaire
  • Subcontractor (fourth-party) management is an active examination focus, especially for middleware providers and cloud infrastructure

What the Interagency Guidance Requires for Sponsor Banks

The interagency guidance defines a six-stage lifecycle for third-party relationships: planning, due diligence, contract negotiation, ongoing monitoring, termination, and governance. Each stage carries specific expectations. For sponsor banks operating BaaS programs, examiners apply heightened scrutiny because these relationships typically involve critical activities: functions that, if disrupted or performed improperly, could materially affect the bank's financial condition, operations, or customers.

The guidance defines critical activities as those involving:

  • Significant bank functions (e.g., deposit-taking, lending, payments)
  • Significant shared services (e.g., core processing)
  • Activities that could cause the bank to face significant risk if the third party fails
  • Activities that could have significant customer impact

Virtually every fintech partnership at a sponsor bank meets this threshold. That means every element of the oversight framework applies at full intensity, not the scaled-down version appropriate for a bank's landscaping vendor.


Due Diligence Requirements Before Onboarding

Before entering a fintech partnership, the sponsor bank must conduct due diligence proportional to the risk of the relationship. For BaaS partnerships, this is the highest tier. The interagency guidance expects the bank to evaluate:

Financial condition. Review the fintech's audited financials, funding runway, and business model sustainability. Several BaaS relationships have failed because the fintech ran out of capital, and the bank was left holding accounts it couldn't service. The Synapse bankruptcy in 2024 made this risk tangible for every regulator.

Operational capability. Assess the fintech's technology infrastructure, staffing, business continuity and disaster recovery plans, and track record of delivering the proposed product. A fintech that has never operated a deposit product should receive more intensive diligence than one with a five-year track record.

Compliance management. Evaluate the fintech's internal compliance program: designated compliance personnel, written policies and procedures, training programs, complaint handling, and audit history. The bank should review the fintech's compliance testing results, regulatory examination history (if any), and any prior enforcement actions.

Information security. Review the fintech's SOC 2 Type II report, penetration testing results, vulnerability management practices, and incident response plan. Under GLBA's Safeguards Rule, the bank is responsible for ensuring its service providers maintain adequate security for customer data.

Legal and regulatory standing. Check for pending litigation, regulatory actions, consumer complaints (CFPB database, state AG offices, BBB), and negative media. Review the fintech's state licenses where applicable.

The bank must document this due diligence in a format that examiners can review. An email chain saying "we talked to them and they seem solid" is not documentation. A written due diligence report with findings, risk ratings, and conditions for approval is.


Contract Terms That Regulators Expect

The interagency guidance identifies specific contract provisions that examiners expect to see in third-party agreements. For sponsor bank-fintech contracts, these include:

Contract provision and the corresponding regulatory expectation:

  • Audit rights: Bank retains the right to audit the fintech and access its books and records. Must include regulator access.
  • Subcontractor approval: Fintech must obtain bank approval before engaging material subcontractors.
  • Compliance obligations: Contract specifies applicable regulations and allocates compliance responsibilities.
  • Performance standards: Measurable service levels with remedies for failure.
  • Data ownership and access: Bank owns customer data and can access it in real time.
  • Business continuity: Fintech maintains BCP/DR plans and provides them to the bank.
  • Termination provisions: Bank can terminate for cause with defined transition assistance.
  • Insurance requirements: Minimum coverage levels for errors and omissions, cyber liability, and general commercial liability.
  • Regulatory access: Contract permits examiners to access the fintech's facilities, personnel, and records.
  • Indemnification: Mutual or fintech-to-bank indemnification for losses arising from the fintech's failures.

The absence of any of these provisions in a sponsor bank's fintech agreements is a finding. Examiners will request sample contracts and compare them against the guidance's expectations. Banks that use standardized contract templates across all fintech partners, rather than accepting each fintech's preferred terms, are in a stronger position during examinations.


Ongoing Monitoring: What "Continuous" Actually Means

Due diligence doesn't end at onboarding. The interagency guidance requires ongoing monitoring proportional to the risk and nature of each third-party relationship. For sponsor banks, ongoing monitoring of fintech partners should cover:

Compliance testing. The bank must independently test whether the fintech is operating within the compliance parameters established in the contract and the bank's policies. This includes transaction testing (sampling fintech-originated transactions for BSA/AML and consumer compliance), disclosure review, marketing review, and complaint analysis. Testing frequency should be risk-based: quarterly or more often for high-risk programs.

Financial monitoring. Periodically review the fintech's financial condition, especially for startups with limited operating history. A fintech that was well-capitalized at onboarding may not be twelve months later. Watch for signs of financial distress: layoffs, reduced product investment, delayed payments, or executive departures.

Performance metrics. Track quantitative indicators: application volumes, approval rates, default rates, complaint rates, SAR filing rates, error resolution timeliness, and customer attrition. Deviations from expected ranges should trigger investigation, not just notation.

Incident tracking. Document all operational incidents, compliance exceptions, data breaches, and consumer complaints associated with each fintech partner. Track resolution timelines and root causes. Patterns across incidents reveal systemic issues that individual incidents do not.

Annual review. Conduct a formal annual review of each fintech relationship that reassesses the risk rating, evaluates performance against contractual standards, and determines whether the relationship should continue, be modified, or be terminated. Present results to the board or a designated committee.

For a complete breakdown of what belongs in each review, see our fintech partner compliance review checklist.


Subcontractor Management: Fourth-Party Risk

Most fintech partners rely on their own third parties: cloud providers, identity verification services, payment processors, data aggregators, and fraud detection platforms. These subcontractors, the bank's fourth parties, create risk that the bank must understand and monitor.

The interagency guidance expects banks to:

  • Require fintech partners to notify the bank of material subcontractor relationships and changes
  • Evaluate the fintech's own vendor management practices during due diligence
  • Include contractual provisions requiring bank approval for critical subcontractors
  • Understand the concentration risk when multiple fintech partners rely on the same subcontractor

The Synapse bankruptcy illustrated the danger of middleware concentration. Multiple banks relied on Synapse as the intermediary between their systems and their fintech partners. When Synapse failed, those banks lost visibility into account balances, transaction records, and customer data. Examiners now specifically ask sponsor banks about their exposure to middleware providers and how they would maintain operations if an intermediary failed.


Performance Metrics and Escalation Triggers

Monitoring without action is not oversight. The bank needs predefined thresholds that trigger escalation when a fintech partner's performance degrades. Examples:

  • Complaint rates exceeding a defined threshold per 1,000 accounts → escalation to senior management and enhanced monitoring
  • SAR filing rates deviating significantly from peer benchmarks → BSA officer review and potential program suspension
  • Disclosure error rates above tolerance in compliance testing → remediation plan with defined timeline
  • Operational incidents exceeding frequency or severity thresholds → executive review and potential contract modification
  • Financial condition deterioration → enhanced financial monitoring and contingency planning

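The trigger framework described above is easiest to keep consistent across partners when the thresholds and the resulting actions are written down as data rather than judged case by case. The following Python rule engine is an added example, not code from the article or from Canarie's product: the threshold values, the partner names, and the metric figures are all constructed for illustration and carry no regulatory meaning. It computes the complaint rate per 1,000 accounts and the SAR filing rate from raw counts, compares the SAR rate against a peer benchmark in both directions (a rate far below peers can indicate under-filing just as a rate far above can indicate a problem), and returns the escalations that fire for each partner so that the evidence of what was checked, and what was observed, can be recorded.

```python
from dataclasses import dataclass, field

# Hypothetical trigger framework. These values are constructed for the
# example; a bank's real thresholds come from its own board-approved program.
DEFAULT_THRESHOLDS = {
    "complaints_per_1000_accounts": 5.0,  # trailing-quarter complaints per 1,000 accounts
    "sar_rate_peer_deviation": 0.50,      # relative deviation (+/-) from peer SAR rate
    "disclosure_error_rate": 0.02,        # share of sampled disclosures with errors
    "incident_count": 3,                  # operational incidents in the review window
    "severe_incident_count": 1,           # severity-1 incidents in the review window
    "runway_months": 9.0,                 # minimum acceptable cash runway, in months
}


@dataclass
class PartnerMetrics:
    partner: str
    accounts: int
    complaints: int
    sar_filings: int
    sar_peer_rate: float          # peer benchmark: SARs per 1,000 accounts
    disclosures_sampled: int
    disclosures_with_errors: int
    incidents: int
    severe_incidents: int
    runway_months: float
    distress_signals: list = field(default_factory=list)  # e.g. "layoffs"


@dataclass
class Escalation:
    trigger: str
    observed: float
    threshold: float
    action: str


def evaluate_partner(m, thresholds=DEFAULT_THRESHOLDS):
    """Compare one partner's metrics to the framework; return the triggers that fire."""
    out = []
    # Complaint rate: normalise raw counts to complaints per 1,000 accounts.
    complaint_rate = 1000.0 * m.complaints / m.accounts if m.accounts else 0.0
    if complaint_rate > thresholds["complaints_per_1000_accounts"]:
        out.append(Escalation("complaint_rate", round(complaint_rate, 2),
                              thresholds["complaints_per_1000_accounts"],
                              "Escalate to senior management; enhanced monitoring"))
    # SAR filing rate: flag large deviation from peers in either direction.
    sar_rate = 1000.0 * m.sar_filings / m.accounts if m.accounts else 0.0
    if m.sar_peer_rate > 0:
        deviation = abs(sar_rate - m.sar_peer_rate) / m.sar_peer_rate
        if deviation > thresholds["sar_rate_peer_deviation"]:
            out.append(Escalation("sar_rate_deviation", round(deviation, 2),
                                  thresholds["sar_rate_peer_deviation"],
                                  "BSA officer review; evaluate program suspension"))
    # Disclosure errors found in compliance testing.
    if m.disclosures_sampled:
        error_rate = m.disclosures_with_errors / m.disclosures_sampled
        if error_rate > thresholds["disclosure_error_rate"]:
            out.append(Escalation("disclosure_error_rate", round(error_rate, 4),
                                  thresholds["disclosure_error_rate"],
                                  "Remediation plan with defined timeline"))
    # Operational incidents: frequency or severity threshold.
    if (m.incidents > thresholds["incident_count"]
            or m.severe_incidents >= thresholds["severe_incident_count"]):
        out.append(Escalation("operational_incidents", float(m.incidents),
                              float(thresholds["incident_count"]),
                              "Executive review; evaluate contract modification"))
    # Financial condition: short runway or any qualitative distress signal.
    if m.runway_months < thresholds["runway_months"] or m.distress_signals:
        out.append(Escalation("financial_condition", m.runway_months,
                              thresholds["runway_months"],
                              "Enhanced financial monitoring; contingency planning"))
    return out


def review_all(partners, thresholds=DEFAULT_THRESHOLDS):
    """Map each partner name to the list of trigger names that fired."""
    return {p.partner: [e.trigger for e in evaluate_partner(p, thresholds)]
            for p in partners}


# Constructed sample data for two hypothetical fintech partners.
SAMPLE_PARTNERS = [
    PartnerMetrics("PayFlow", accounts=40_000, complaints=260, sar_filings=20,
                   sar_peer_rate=1.8, disclosures_sampled=200, disclosures_with_errors=3,
                   incidents=2, severe_incidents=0, runway_months=14.0),
    PartnerMetrics("LendQuick", accounts=12_000, complaints=30, sar_filings=25,
                   sar_peer_rate=1.8, disclosures_sampled=150, disclosures_with_errors=6,
                   incidents=4, severe_incidents=0, runway_months=6.0,
                   distress_signals=["layoffs"]),
]

if __name__ == "__main__":
    for p in SAMPLE_PARTNERS:
        for e in evaluate_partner(p):
            print(f"{p.partner}: {e.trigger} observed={e.observed} "
                  f"threshold={e.threshold} -> {e.action}")
```

Each Escalation records the observed value next to the threshold it breached, which is the evidence examiners ask for when they want to see how the bank responded to an activated trigger. With the constructed data, PayFlow fires on complaint rate and on a SAR rate well below the peer benchmark, while LendQuick fires on disclosure errors, incident frequency, and financial condition.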
These triggers should be documented in the bank's third-party risk management program and approved by the board or a designated committee. Examiners will ask to see the trigger framework and evidence of how the bank has responded when triggers were activated.


How Canarie Supports Ongoing Third-Party Oversight

Managing third-party oversight across multiple fintech partners creates an evidence problem. Each monitoring activity (compliance testing, financial reviews, incident tracking, board reporting) needs to be documented, tied to specific obligations, and retrievable during examinations.

Canarie connects each oversight requirement to a defined task with ownership, deadlines, and evidence capture. When a quarterly compliance test is due for a fintech partner, the assigned analyst receives the task, completes the review, and attaches the evidence, all in one system. Board reports pull from the same data, so reporting reflects actual oversight activity rather than a compliance officer's summary from memory.

See how Canarie maps oversight obligations to executable workflows →


Frequently Asked Questions

How does the 2023 interagency guidance apply differently to sponsor banks versus traditional community banks?

The guidance applies the same framework to all banking organizations, but its impact is disproportionately heavy for sponsor banks. Traditional community banks may have a handful of third-party relationships involving critical activities, typically a core processor and perhaps a cloud provider. Sponsor banks, by contrast, may have dozens of fintech relationships, each involving critical activities like deposit-taking, lending, or payments. The guidance's proportionality principle means sponsor banks must maintain more intensive oversight infrastructure: larger compliance teams, more frequent testing, real-time data access, and more detailed board reporting.

What happens if a sponsor bank's fintech partner refuses to provide audit access?

If the contract includes audit rights (as it should), the fintech's refusal is a contract violation and should trigger the bank's escalation process, up to and including termination. If the contract does not include audit rights, the bank has a contract deficiency that examiners will cite. OCC Bulletin 2023-17 explicitly requires that contracts provide for the bank's and regulators' right to audit the third party. A missing audit clause in a BaaS agreement is a significant finding.

How often should a sponsor bank review its fintech partners?

The guidance does not prescribe a specific frequency, but examiners expect risk-based review cadences. For high-risk fintech relationships (which includes most BaaS partnerships), the bank should conduct compliance testing at least quarterly, financial reviews at least semi-annually, and a comprehensive annual review. Transaction monitoring and complaint analysis should be continuous or near-continuous. Banks that perform only annual reviews of high-risk fintech partners will face examiner criticism. See our fintech compliance management guide for recommended cadences.

Does the bank need to oversee the fintech's subcontractors directly?

The bank does not need to conduct direct due diligence on every fintech subcontractor, but it must understand the subcontractor landscape and evaluate the fintech's own vendor management program. For critical subcontractors, such as a cloud provider hosting customer data or an identity verification service performing CDD, the bank should obtain and review relevant due diligence information (SOC reports, security assessments). The bank's contract with the fintech should require notification and approval for material subcontractor changes.

Topics: Sponsor Banks, Third-Party Risk, Fintech Compliance, OCC
