[Federal Register Volume 85, Number 143 (Friday, July 24, 2020)]
[Notices]
[Pages 44890-44894]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-16058]
=======================================================================
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
RIN 3064-ZA18
Request for Information on Standard Setting and Voluntary
Certification for Models and Third-Party Providers of Technology and
Other Services
AGENCY: Federal Deposit Insurance Corporation (FDIC).
ACTION: Notice and request for information.
-----------------------------------------------------------------------
SUMMARY: The FDIC is issuing this request for information (RFI) as part
of its FDiTech initiative to promote the efficient and effective
adoption of technology at FDIC-supervised banks and savings
associations (financial institutions), particularly at community banks,
and to facilitate the supervision of technology usage at these
institutions without increasing costs or regulatory burden. The FDIC is
committed to increasing transparency, improving supervisory and
regulatory efficiency, supporting innovation in banking, and providing
opportunities for public feedback. This RFI seeks input on whether a
standard-setting and voluntary-certification program could be
established to support financial institutions' efforts to implement
models and manage model risk by certifying or assessing certain aspects
of the models themselves, and to conduct due diligence of third-party
providers of technology and other services by certifying or assessing
certain aspects of the third-party providers' operations or condition.
The FDIC is especially interested in information on models and
technology services developed and provided by financial technology
companies, sometimes referred to as ``fintechs.''
DATES: Comments must be received by September 22, 2020.
ADDRESSES: You may submit comments, identified by RIN 3064-ZA18, by any
of the following methods:
Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the agency
website.
Email: [email protected]. Include RIN 3064-ZA18 in the
subject line of the message.
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, Federal Deposit Insurance Corporation, 550 17th Street NW,
Washington, DC 20429.
Hand Delivery/Courier: Comments may be hand-delivered to
the guard station at the rear of the 550 17th Street NW building
(located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
All comments received must include the agency name and RIN 3064-
ZA18.
Public Inspection: All comments received will be posted without
change to https://www.fdic.gov/regulations/laws/federal/--including any
personal information provided--for public inspection. Paper copies of
public comments may be ordered from the FDIC Public Information Center,
3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226 by telephone
at (877) 275-3342 or (703) 562-2200.
FOR FURTHER INFORMATION CONTACT: Alexander LePore, Jr., Senior Policy
Analyst, (202) 898-7203, [email protected].
SUPPLEMENTARY INFORMATION: The FDIC is an independent Federal agency
with a mission of maintaining stability and public confidence in the
nation's financial system, in part by examining and supervising certain
financial institutions, including for safety and soundness and consumer
protection.\1\ The FDIC is the primary Federal banking supervisor for
more than 3,000 state-chartered banks and savings associations that are
not members of the Federal Reserve System, and it conducts regular
examinations of these supervised institutions.\2\ Examinations include
an assessment of how a financial institution manages the risks
presented by its relationships with third parties.
---------------------------------------------------------------------------
\1\ The FDIC also promotes stability and public confidence in
the nation's financial system by insuring deposits and resolving
failed insured depository institutions, leading sound policy
development, evaluating resolution plans of the largest of
institutions, and monitoring and mitigating systemic risks in the
banking sector and financial system as a whole.
\2\ The FDIC also has a back-up supervision and examination role
with respect to approximately 2,000 insured depository institutions
(pursuant to sections 8 and 10 of the Federal Deposit Insurance Act,
12 U.S.C. 1818, 1820) for which the Office of the Comptroller of the
Currency and the Board of Governors of the Federal Reserve System
are the primary Federal regulators.
---------------------------------------------------------------------------
The FDIC reviews a financial institution's management of
significant third-party relationships in the context of the normal
supervisory process. The FDIC examines the quality and effectiveness of
an institution's risk management program as it pertains to the safety
and soundness and consumer
[[Page 44891]]
protection aspects of third-party arrangements. The FDIC also examines
a financial institution to ensure that the products, services, and
activities supported by a third party are safe and sound and comply
with applicable laws and regulations, including those concerning
consumer protection and civil rights. Reviews of third-party
arrangements are also a critical area included in examinations of the
trust and information technology functions.
Financial institutions often establish relationships with third
parties to provide certain functions that financial institutions do not
perform or to meet short-term needs that they are unable to fulfill.
Therefore, financial institutions rely on third-party relationships for
many different aspects of their operations, including credit
management, operational risk management, valuation, and stress testing.
Management is responsible for identifying and controlling risks from
activities conducted by or through its financial institution, whether
these risks arise from internal business activities or through
arrangements with a third party.\3\ These risks include those that
arise from reliance on models, technologies, and other products or
services provided by third parties. Model guidelines \4\ describe risk
management principles relating to financial institutions employing
models, which are described as quantitative methods, systems, or
approaches that apply statistical, economic, financial, or mathematical
theories, techniques, and assumptions to process input data into
quantitative estimates.\5\ In general, model risk management should be
commensurate with the financial institution's overall use of models,
the complexity and materiality of its models, and the size and
complexity of the financial institution's operations. Financial
institutions also should be mindful of consumer protection risks when
using third-party models or technologies, to ensure they are developed
and operated in compliance with applicable consumer protection laws and
regulations, which may include, for example, fair lending laws, privacy
laws, and prohibitions against unfair, deceptive, or abusive acts or
practices.\6\
---------------------------------------------------------------------------
\3\ Section 39 of the Federal Deposit Insurance Act requires the
Federal Deposit Insurance Corporation to establish safety and
soundness standards. 12 U.S.C. 1831p-1. These standards are set
forth in part 364 of the FDIC Rules and Regulations. 12 CFR part
364.
\4\ See, e.g., Supervisory Guidance on Model Risk Management,
FIL-22-2017 (June 7, 2017), Guidance for Managing Third-Party Risk,
FIL-44-2008 (June 6, 2008), Interagency Guidelines Establishing
Standards for Safety and Soundness, 12 CFR part 364, appendix A, and
Interagency Guidelines Establishing Information Security Standards,
12 CFR part 364, appendix B.
\5\ For example, financial institutions entering into a
relationship with a third party to employ these models would also
need to comply with section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) and ensure that lending practices that are not
discriminatory in violation of the Equal Credit Opportunity Act (15
U.S.C. 1691-1691f).
\6\ See, e.g., Equal Credit Opportunity Act, 15 U.S.C. 1691-
1691f; Fair Credit Reporting Act, 15 U.S.C. 1681-1681x; Interagency
Statement on the Use of Alternative Data in Credit Underwriting,
FIL-82-2019 (Dec. 13, 2019); Interagency Fair Lending Examination
Procedures (Aug. 2009); Policy Statement on Discrimination in
Lending, FR Doc. No. 94-9214 (Apr. 15, 1994); Dodd-Frank Act, Title
X, Subtitle C, Sec. 1036; Pub. L. 111-203 (July 21, 2010).
---------------------------------------------------------------------------
As the financial services industry evolves, more financial
institutions are using third-party models and technologies for
functions that either are new or had been performed in-house in the
past. The FDIC recognizes that the use of such models and technologies
can assist the financial institution in providing greater benefits to
consumers and increasing financial inclusion. The use of third-party
models and technologies may also give the financial institution access
to greater expertise or efficiency in providing a particular product or
service at lower cost.
Many financial institutions, particularly community banks, have
indicated to the FDIC that sometimes the costs and other resources
associated with deploying models or technologies from third parties can
be prohibitive. Vendors offer increasingly complex models with a range
of features, and as a result, institutions may find it challenging to
validate and assess such models. For example, an institution might
conclude that it must hire new internal staff, retain consultants, or
impose contractual obligations on the third party in order to conduct
the model validation. In addition, for third-party outsourcing
arrangements that support models, institutions conduct risk reviews on
third-party providers. These risk reviews involve financial,
operations, contract, and insurance assessments, along with assessment
of other aspects of the outsourcing arrangements. Representatives of
financial institutions have expressed concerns to the FDIC that the
costs associated with the financial institutions' review of both models
and third-party providers of models can create barriers to entry,
particularly in the community banking market, by limiting the
institutions' ability to effectively and timely on-board third parties
and deploy new and innovative models.
The FDIC recognizes the important role that technological
innovations can play in transforming the business of banking and
enabling regulators to supervise more efficiently, thereby reducing
regulatory burden while maintaining consumer protection and safety and
soundness standards. Therefore, the FDIC is exploring opportunities to
assist financial institutions in effectively complying with laws and
regulations regarding management of third-party risks concerning the
use of models, such as credit underwriting models. Among other things,
the FDIC is considering the value of standards for assessing models.
The development of relevant standards, along with the development and
application of a voluntary certification process to ensure that models
conform to those standards, could potentially allow for more financial
institutions--particularly community banks--to engage with third
parties, including fintechs; permit FDIC supervision resources to be
used more efficiently and effectively; and reduce costs of doing
business for financial institutions and providers of models.
The FDIC also is considering whether a voluntary certification or
assessment program could support financial institutions' due diligence
of third-party providers of a range of technology and other services by
certifying or assessing certain aspects of the third-party providers'
operations or condition. The FDIC is interested in whether there are
unique elements and challenges associated with financial institutions'
due diligence of third-party providers of technology and other services
that would benefit from a voluntary certification or assessment program
applicable to such providers. The FDIC is primarily interested in due
diligence elements associated with third-party providers of technology
and other services that support a financial institution's financial and
banking activities, such as deposit, lending, and payment functions.
The FDIC also is interested in comments regarding due diligence for
other types of third-party providers, such as those providers that
support the financial institution's corporate activities, including
payroll and human resources. The FDIC also requests comments on what
alternative steps the FDIC could pursue, other than a voluntary
certification or assessment program, to support financial institutions'
efforts to assess risk efficiently and effectively when contemplating
new or monitoring existing relationships with third-party providers.
As part of this Request for Information, the FDIC is not
considering substantive revisions to its existing
[[Page 44892]]
supervisory guidance with respect to model risk management or third-
party provider risk management. However, the FDIC seeks comment on the
possible changes to its supervisory guidance that would be appropriate
to facilitate financial institutions' use of a voluntary certification
or assessment program for conducting due diligence and ongoing
monitoring of third-party providers of technology and other services,
or for reviewing models or other technologies.
Standard-Setting and Certification Programs
Government and the private sector have worked together for more
than a century to develop standards for use in private industry. The
Federal Government has encouraged using standards developed by
voluntary, consensus standard-setting bodies.\7\ The typical standard-
setting process involves a standard-setting organization (SSO) working
with stakeholders, including government agencies, to develop a standard
for a particular industry or sector of the economy. The standard is
established on a voluntary, consensus-driven basis and provides
guidelines for engaging in a particular process or for offering a
particular service or product. Categories of common standards include
product-based standards, performance-based standards, management system
standards, personnel certification standards, and construction
standards.
---------------------------------------------------------------------------
\7\ See, e.g., National Technology Transfer and Advancement Act
of 1995, Public Law 104-113, section 12(d) (Mar. 7, 1996); OMB
Circular No. A-119 Revised, ``Federal Participation in the
Development and Use of Voluntary Consensus Standards and in
Conformity Assessment Activities'' (Feb. 10, 1998).
---------------------------------------------------------------------------
Once a standard is developed, application of a conformity
assessment process provides assurance that processes, products, or
services meet the requirements identified in the standard. This step is
vital because creating a standard alone cannot promote (for voluntary
standards) or guarantee (for mandatory standards) adherence to the
standard. The conformity assessment can verify that processes,
products, or services meet the specified level of quality, safety, or
performance. Depending on the risks of nonconformance and the
confidence level necessary, there are several ways to assess whether
processes, products, or services meet a standard, from an entity's
self-declaration to third-party certification, validation, verification
or auditing. Accreditation by an independent body of organizations that
perform conformity assessment activities provides formal recognition
that the organization is competent, capable and impartial. In many
ways, the assessment process is as important as setting the standard
itself.
The standard-setting system in the United States is based on
globally accepted principles for standards development including
transparency, openness, impartiality, effectiveness, and consensus. The
standard-setting process assures that:
Information regarding standardization activities is
accessible to all interested parties;
participation is open to all stakeholders;
all interests are balanced;
standards respond to regulatory and market needs; and
decisions are reached through consensus among those
affected.
SSOs also strive to make standards as flexible as possible,
allowing for the use of different methodologies to meet the needs of
different stakeholders. Good faith efforts are made to eliminate, or at
least minimize, conflict with other existing standards or rules.
SSOs often partner with government entities, academia, and industry
to identify proposed solutions and work together toward a common goal.
SSOs also involve consumers in the process so their needs are
considered and addressed. This process results in standards that often
balance regulatory and market needs, facilitate innovation, promote
consumer protection, and strengthen competition.
In applying this standard-setting framework to models and third-
party providers of technology and other services, financial
institutions would have the ability to rely on certifications related
to the third-party provider or certified models or other technology
products and services. Financial institutions would not be required to
use only certified third parties, models, or technologies. Instead,
financial institutions would retain the flexibility to require
certified third parties to meet different requirements that the
financial institutions viewed as appropriate. For example, financial
institutions would retain the right to request that certified third
parties submit additional information for purposes of on-boarding at
that financial institution consistent with the financial institution's
unique use of the model or service, and consistent with applicable law
and regulation.
Request for Comment
Given rapid technological developments and evolving consumer
behaviors in banking, the FDIC seeks to learn more regarding the
benefits and challenges of collaborating with an SSO and other
stakeholders to create a standard-setting and a voluntary certification
process. This certification process would potentially assist financial
institutions in completing assessments or due diligence of: (1) Certain
models, such as credit underwriting models, by certifying or assessing
certain aspects of the models; and (2) third-party providers of
technology and other services, by certifying or assessing certain
aspects of the providers' operations or condition. The FDIC is
interested in comments regarding initial due diligence and ongoing
monitoring elements associated with third-party providers of technology
and other services that support the financial institution's financial
and banking activities, such as deposit, lending, and payment
functions. The FDIC also is interested in comments regarding due
diligence for other types of providers, such as third-party providers
that support the financial institution's corporate activities, such as
payroll and human resources.
Consistent with the collaborative approach to standard setting that
government and the private sector have long taken, the FDIC envisions a
collaboration among an SSO, the FDIC, and other stakeholders to set
standards under an SSO, along with a voluntary conformity assessment
process through accredited, independent certification organizations.
The certification organizations would conduct conformity assessments of
third-party providers that voluntarily submit required information
regarding their products, services, models, or organization, with the
task of determining conformance with the established standards. The
FDIC is issuing this RFI to seek public input regarding all aspects of
establishing an SSO, qualifying certification organizations, and
implementing a voluntary conformity assessment process.
The FDIC also is considering, and seeking comment on, whether and
how the FDIC's supervisory and examination efforts would need to be
modified to facilitate a financial institution's use of a certified
model or a certified third party of outsourced technology services.
The FDIC encourages comments from all interested parties, including
but not limited to insured banks and savings associations, technology
companies and fintechs, other third-party vendors and service
providers, other financial institutions or companies, depositors and
consumers, consumer groups, researchers, innovators, technologists,
trade associations, and other members
[[Page 44893]]
of the financial services industry. The FDIC also encourages comments
from standard-setters and participants in other industries using
standardization and certification processes, whether voluntary or
mandatory.
The FDIC invites public comment on all aspects of the RFI,
including the following questions.
General
Question 1: Are there currently operational, economic, marketplace,
technological, regulatory, supervisory, or other factors that inhibit
the adoption of technological innovations, or on-boarding of third
parties that provide technology and other services, by insured
depository institutions (IDIs), particularly by community banks?
Question 2: What are the advantages and disadvantages of
establishing standard-setting and voluntary certification processes for
either models or third-party providers?
Question 3: What are the advantages and disadvantages to providers
of models of participating in the standard-setting and voluntary
certification process? What are the advantages and disadvantages to
providers of technology and other services that support the IDI's
financial and banking activities of participating in the standard-
setting and voluntary certification process?
Question 4: What are the advantages and disadvantages to an IDI,
particularly a community bank, of participating in the standard-setting
and voluntary certification process?
Question 5: Are there specific challenges related to an IDI's
relationships with third-party providers of models or providers of
technology and other services that could be addressed through standard-
setting and voluntary certification processes for such third parties?
(1) Are there specific challenges related to due diligence and
ongoing monitoring of such third-party providers?
(2) Are there specific challenges related to the review and
validation of models provided by such third parties?
(3) Are there specific challenges related to information sharing or
data protection?
Questions 6: Would a voluntary certification process for certain
model technologies or third-party providers of technology and other
services meaningfully reduce the cost of due diligence and on-boarding
for:
(1) The certified third-party provider?
(2) the certified technology?
(3) potential IDI technology users, particularly community banks?
Question 7: What are the challenges, costs, and benefits of a
voluntary certification program or other standardized approach to due
diligence for third-party providers of technology and other services?
How should the costs of operating the SSO and any associated COs be
allocated (e.g., member fees for SSO participation, certification
fees)?
Question 8: Would a voluntary certification process undermine
innovation by effectively limiting an IDI's discretion regarding models
or third-party providers of technology and other services, even if the
use of certified third parties or models was not required? Would IDIs
feel constrained to enter into relationships for the provision of
models or services with only those third parties that are certified,
even if the IDIs retained the flexibility to use third parties or
models that were not certified?
Question 9: What supervisory changes in the process of examining
IDIs for safety and soundness or consumer protection would be necessary
to encourage or facilitate the development of a certification program
for models or third-party providers and an IDI's use of such a program?
Are there alternative approaches that would encourage or facilitate
IDIs to use such programs?
Question 10: What other supervisory, regulatory, or outreach
efforts could the FDIC undertake to support the financial services
industry's development and usage of a standardized approach to the
assessment of models or the due diligence of third-party providers of
technology and other services?
Scope
Question 11: For which types of models, if any, should standards be
established and a voluntary certification process be developed? For
example, is the greatest interest or need with respect to:
(1) Traditional quantitative models?
(2) anti-money laundering (AML) transaction monitoring models?
(3) customer service models?
(4) business development models?
(5) underwriting models?
(6) fraud models?
(7) other models?
Question 12: Which technical and operational aspects of a model
would be most appropriate for evaluation in a voluntary certification
program?
Question 13: What are the potential challenges or benefits to a
voluntary certification program with respect to models that rely on
artificial intelligence, machine learning, or big data processing?
Question 14: How can the FDIC identify those types of technology or
other services, or those aspects of the third-party provider's
condition, that are best suited for a voluntary certification program
or other standardized approach to due diligence? For example, should
such a certification program include an assessment of financial
condition, cyber security, operational resilience, or some other aspect
of a third-party provider?
SSO
Question 15: If the FDIC partnered with an SSO to set standards for
due diligence and assessments of models or third-party providers of
technology and other services, what considerations should be made in
choosing the SSO? What benefits or challenges would the introduction of
an SSO into the standard-setting process provide to IDIs, third-party
providers, or consumers?
Question 16: To what extent would a standards-based approach for
models or third-party providers of technology and other services be
effective in an environment with rapidly developing technology systems,
products, and platforms, especially given the potential need to
reassess and reevaluate such systems, products, and platforms as
technologies or circumstances change?
Question 17: What current or draft industry standards or frameworks
could serve as a basis for a standard-setting and voluntary
certification program? What are the advantages and disadvantages of
such standards or frameworks? Do standards and voluntary certifications
already exist for use as described herein?
Question 18: Given that adherence to SSO standards would be
voluntary for third parties and for IDIs, what is the likelihood that
third-party providers of models or services would acknowledge, support,
and cooperate with an SSO in developing the standards necessary for the
program? What challenges would hinder participation in that process?
What method or approaches could be used to address those challenges?
Question 19: What is the best way to structure an SSO (e.g., board,
management, membership)? Alternatively, are there currently established
SSOs with the expertise to set standards for models and third parties
as described herein?
Question 20: To what extent should the FDIC and other Federal/state
regulators play a role, if any, in an SSO? Should the FDIC and other
Federal/state regulators provide recommendations to an SSO? Should the
FDIC and other Federal/state regulators provide oversight of an SSO, or
should another entity provide such oversight?
[[Page 44894]]
Certification Organizations (COs)
Question 21: What benefits and risks would COs provide to IDIs,
third parties, and consumers?
Question 22: To what extent would COs be effective in assessing
compliance with applicable standards in an environment with rapidly
developing technology systems, products, and platforms, especially
given the potential need to reassess and reevaluate such systems,
products, and platforms as technologies or circumstances change?
Question 23: For model validation and testing, would COs evaluate a
model based solely on reports, testing results, and other data provided
by the third-party provider of the model? Or would the COs need to test
the model and generate their own test results? What steps would the COs
need to take to protect the intellectual property or other sensitive
business data of the third party that has submitted its model to the
validation process?
Question 24: If COs receives derogatory information indicating that
a certified third party or certified model or technology no longer
meets applicable standards, should the COs develop a process for
withdrawing a certification or reassessing the certification?
(1) If so, what appeal rights should be available to the affected
third party?
(2) What notification requirements should COs have for financial
institutions that have relied on a certification that was subsequently
withdrawn?
(3) Should the FDIC or Federal/state regulators enter information
sharing agreements with COs to ensure that any derogatory information
related to a certified third party or certified model or technology is
appropriately shared with the COs?
Question 25: Are there legal impediments, including issues related
to liability or indemnification, to the implementation of a voluntary
certification program that the FDIC, other Federal/state regulators,
third-party providers, and IDIs should consider?
Question 26: To what extent should the FDIC and other Federal/state
regulators play a role, if any, in the identification and oversight of
COs, including assessments of ongoing operations? Should the FDIC and
other Federal/state regulators provide oversight of COs, or should
another entity, such as an SSO, provide such oversight?
Federal Deposit Insurance Corporation.
Dated at Washington, DC, on July 21, 2020.
James P. Sheesley,
Acting Assistant Executive Secretary.
[FR Doc. 2020-16058 Filed 7-23-20; 8:45 am]
BILLING CODE 6714-01-P