Request a Demo

Invela Calls for Interagency Collaboration on Third Party Risk Management

As part of Invela’s broader effort to encourage greater collaboration among regulators to align open finance and risk management, Invela submitted a formal comment letter responding to the NCUA’s proposed updates to its Guidelines for Safeguarding Member Information and its Guidance on Response Programs for Unauthorized Access. The proposals acknowledge something practitioners have known for years: the line between regulatory obligations and non‑binding guidance has become blurred – and that blur has consequences.

The problem: TPRM is being misapplied to open finance

Third‑party risk management (TPRM) is essential to a safe financial system. But when TPRM frameworks designed for vendor relationships are applied wholesale to open finance data access, the result is predictable: confusion, friction, and unnecessary barriers to innovation.

We’ve seen this firsthand. Invela’s team has spent decades building fintechs, navigating supervisory expectations, and helping institutions unlock consumer‑permissioned data. The mismatch between TPRM and open finance is persistent – and avoidable.

Last year, we published a white paper outlining this issue. And in January, we submitted a comment letter to the OCC urging regulators to formally distinguish between TPRM and open finance risk management. Invela echoed that call in our letter responding to the NCUA’s recent proposal, and will continue to encourage interagency collaboration to promote open finance innovation with appropriate risk management.

The fix: regulators should align – publicly and explicitly

The NCUA rightly notes that guidance is not regulation. That distinction matters, especially when statutory obligations like Section 1033 of the Dodd‑Frank Act require institutions to enable consumer‑directed data access.

To avoid conflicting interpretations, prudential regulators and the CFPB should issue a unified interagency statement clarifying:

  • That TPRM guidance does not override statutory obligations
  • That open finance risk management is distinct from TPRM
  • That institutions can confidently support consumer‑permissioned data access without fear of misapplied supervisory expectations

The OCC’s 2020‑10 FAQs – particularly FAQ 4 – offer a strong foundation. The 2019 Interagency Statement on Alternative Data shows how coordinated guidance can unlock innovation. It’s time for a similar moment for open finance.

The bottom line

Open finance is accelerating. Institutions want clarity. Consumers expect access. And regulators have an opportunity to modernize the supervisory framework in a way that supports innovation while maintaining safety and soundness.

Invela welcomes the NCUA’s leadership and looks forward to continued engagement as the agency considers next steps.

Let’s Talk

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

Powered by  GDPR Cookie Compliance