CBA Comment Letter re FDIC RFI on Voluntary Certification

Re:      Request for Information (“RFI”) on Standard Setting and Voluntary Certification for Models and Third-Party Providers of Technology and Other Services

The Consumer Bankers Association (“CBA”) applauds the FDIC’s efforts to promote the efficient and effective adoption of technology at FDIC-supervised banks and to facilitate the supervision of technology usage at these institutions without increasing costs or regulatory burden. Due to the COVID-19 pandemic, the banking industry has been pushed to more quickly innovate and modernize to better serve the needs of consumers. The possibility of a voluntary standard offers a potentially promising prospect to assist banks with streamlining their efforts to innovate and modernize.

As the FDIC notes in its preamble to the RFI, banks establish relationships with third-parties to provide certain functions or to meet short-term needs. As a result, risk management departments are tasked with identifying and controlling risks associated with these third-party arrangements. However, CBA would also highlight the cost prohibitive nature of managing third-party risk is only particularly troublesome for community banks. CBA urges the FDIC to develop a framework useful for banks of all sizes and complexities. For example, if the risks are determined acceptable for community banks, then, the same approval should be extended to other banks.

The remainder of this letter offers responses to select questions from the FDIC’s RFI.

General

What are the advantages and disadvantages of establishing standard-setting and voluntary certification processes for either models or third-party providers?

CBA agrees assessing third-party models is challenging due to limited or non-access to data or functional form. As a result, banks are forced to rely on reduced scope tests and to implement stronger controls, where possible. In turn, this inherently heightens the risk level.

As a potential advantage, a standard-setting organization (“SSO”) could help facilitate a culture of transparency amongst third-parties. The SSO could either facilitate the review and/or partnership with banks, or the SSO could serve as the assessor of those third-parties.

In contrast, the SSO could reduce the competitive advantage if some banks are better at managing vendors, third-parties, and/or third-party models. The SSO could trigger additional expectations across the banks. For example, the SSO may review elements and implement procedures not previously exercised by the bank.

What are the advantages and disadvantages to providers of models of participating in the standard-setting and voluntary certification process? What are the advantages and disadvantages to providers of technology and other services that support the IDI's financial and banking activities of participating in the standard-setting and voluntary certification process?

The SSO could serve as open-transparent type marketplace or ticketing system for review of third-parties. This would prevent banks from independently negotiating, and they could assess which vendors are more cooperative.

As a potential disadvantage, if evidence, procedures, standards for gaining comfort within the financial institution’s control environment are not consistent across organizations then model providers will be responding both to financial institutions and SSO. This structure could result in less efficiency. Therefore, consensus on certification standards is critical.

Are there specific challenges related to due diligence and ongoing monitoring of such third-party providers?

For models, CBA members have found each vendor is different when it comes to transparency. Banks also may not be able to see changes in models. For example, model changes may not trigger a vendor to release a new version, and the version release notes often do not list model changes. Changes to models are essential to going monitoring because it dictates how rigorous a bank should monitor the third-party.

Are there specific challenges related to the review and validation of models provided by such third- parties?

Yes. For example, interagency regulatory guidance, SR 11-7, specifically highlights the challenge of validating third-party models. As a result, banks have to do alternative testing or limited testing. In addition, legal contractual issues are also likely to arise from vendors who are less accustomed to working with financial institutions.

Are there specific challenges related to information sharing or data protection?

Yes. For example, models related to credit, marketing or where bias or fairness are of concern, or models which may use on public personal information.