Banking Guidance Gives Fintech Risk Tools for Third-Party Deals

Regulatory risks stemming from the financial services sector are inherent in fintech mergers and acquisitions and can tremendously impact a deal’s value. With this in mind, on June 6, federal banking regulators issued final guidance on managing risks in third-party relationships.

The interagency guidance provides supervised banking organizations broad risk-based principles to identify, assess, monitor, and manage risks associated with the continuous life cycle of third-party relationships—to operate in a safe and sound manner and comply with applicable laws and regulations.

The guidance explicitly mentions some banks’ novel third-party relationship structures with fintech companies and is likely to increase the risk associated with fintech deals. Although the guidance doesn’t have the force of law, in effect, banks are required to follow it. Even if a transaction’s parties don’t meet the definition of a bank, if a party provides goods or services to a bank, the guidance will apply to the arrangement or relationship as it relates to the bank.

Consequentially, if a target company in a transaction has a third-party relationship with a bank, the guidance might materially affect the contractual arrangement and affect the deal’s value. Deal lawyers involved in transactions—in which a target company has significant third-party relationships with a bank—should be deftly aware of how the guidance would impact the arrangements between parties to allocate contractual risks effectively.

A bank’s obligation to maintain sound third-party risk management practices is dynamic. It requires continuous assessment of relationships to tailor practices to the bank’s size, complexity, and risk profile with the nature of the third-party relationship. For instance, a third-party relationship supporting higher-risk activities, including critical activities, would require more comprehensive and rigorous oversight and management than one that doesn’t.

Deal lawyers need a deep understanding of the structure of each arrangement between a target and a bank to assess potential risks throughout a relationship life cycle and to advise their clients on the potential impact on a deal’s value.

For example, as part of its ongoing risk assessment of relationships that support critical bank activities, a board of directors may identify risks that require the bank to divest from a target company and/or renegotiate terms in the contractual agreements to mitigate the risks. Such adjustments could materially affect how a target company performs post-acquisition.

Sample risks in deals involving banks that could impact a target company’s performance include:

• Divestment from the target company to mitigate risks
• Modification, additional provisions, or addendums to contractual agreements to satisfy a bank’s continuous risk assessment policies
• Increased cost to maintain the relationship between a target and a bank
• Restrictions on a target company’s subcontractor relationships in connection to services provided to a bank
• Minimizing a target company’s operational flexibility to obtain and maintain relationships with banks

Practical steps to mitigate risks involving banking include:

• During the diligence process, create a complete inventory of all the third-party relationships the target has with a banking organization
• Determine if the target has any third-party relationships that support higher-risk activities, including critical activities of a bank
• Identify each arrangement that provides target access to a banking organization’s systems and information or customers’ personally identifiable information
• Identify each arrangement that involves the provision of products or services to or other interactions with customers of a bank and the degree of interaction with those customers
• Create a regulatory risk metric to gauge the value at risk stemming from the target’s relationships with banks

Risk is ubiquitous in M&A transactions, particularly those involving fintech companies and their industry-specific risks. Deal lawyers have a slew of drafting tools to mitigate these risks to engineer value-creating transactions. Transactional lawyers should keep regulatory risks top of mind when structuring fintech deals and be keenly aware of the intersectionality of regulatory developments and anticipated deal value.

The guidance introduces a new layer of risks in fintech deals. Banks will need to re-evaluate their third-party risk management practices to ensure they’re operating safely and soundly. Consequently, target companies with material third-party relationships with banks might be exposed to risks that could impact a target company’s performance.

To identify and mitigate these risks, deal lawyers should take shrewd steps during the diligence process. And to allocate risks between parties, attorneys should implement drafting tools such as reps and warranties, closing conditions, and earnout provisions.

The evolving regulatory landscape is vast, nuanced, and complex, creating uncertainty in fintech deals. This environment creates an opportunity for transactional lawyers to use foresight, judgment, and creativity to engineer innovative deal structures to mitigate risks and maximize value for their clients.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Frantz Jacques is a corporate attorney focused on mergers and acquisitions, fintech law, debt and equity financing, corporate governance, securities regulation, and cross-border transactions.

Write for Us: Author Guidelines