By Brian S. Korn, Partner, Financial Services
In a new bulletin providing supplemental guidance on third-party relationships, the Office of the Comptroller of the Currency (OCC) answered frequently asked questions about the relationships between financial institutions and fintechs, among other topics.
Building on Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” Bulletin 2017-21 addressed in a Q-and-A format the management of operational, compliance, reputation, strategic and credit risks presented by third-party business relationships.
Defining a third-party relationship as “any business arrangement between the bank and another entity, by contract or otherwise,” the OCC explained that it can include activities that involve outsourced products and services; use of outside consultants, networking arrangements, merchant payment processing services, and services provided by affiliates and subsidiaries; joint ventures; and other business arrangements in which a bank has an ongoing third-party relationship or may have responsibility for the associated records.
“Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities,” the OCC recognized in the new bulletin. “If a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship and the OCC would expect bank management to include the fintech company in the bank’s third-party risk management process.”
Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities, according to the bulletin, adjusting its risk management practices for each relationship based on the level of risk. No single structure for the third-party risk management process exists, the OCC said, and multiple banks may collaborate to meet regulator expectations when they share the same third-party service providers (as long as it does not involve a customized product or service, however).
Whether or not a fintech company arrangement can be considered a critical activity depends on a number of factors, such as whether significant bank functions (payments, clearing, settlements and custody, for example) are involved or other activities that could have a major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house. “The OCC expects banks to have more comprehensive and rigorous management of third-party relationships that involve critical activities,” the guidance noted.
Can a bank engage with a start-up fintech company with limited financial information? The agency answered this question by reiterating Bulletin 2013-29’s requirement that banks should consider the financial condition of the third party during the due diligence stage of the life cycle before selecting or entering into contracts or relationships.
“In assessing the financial condition of a start-up or less established fintech company, the bank may consider a company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party’s overall financial stability,” the OCC wrote. “Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle. Because it may be receiving limited financial information, the bank should have appropriate contingency plans in case the start-up fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities or services.”
The bulletin also clarified that no requirement exists that a third party must meet the bank’s lending criteria in order to establish a relationship.
Banks are collaborating with fintechs to offer products or services to underbanked or underserved consumers, the OCC said, creating third-party relationships under the scope of Bulletin 2013-29 by establishing dedicated interactive kiosks or automated teller machines with video services that enable the consumer to speak directly to a bank teller, for example.
Turning to the possibility of a marketplace lending arrangement with nonbank entities, the agency said a bank’s board and management “should understand the relationships among the bank, the marketplace lender, and the borrowers; fully understand the legal, strategic, reputation, operational, and other risks that these arrangements pose; and evaluate the marketplace lender’s practices for compliance with applicable laws and regulations.”
Banks must also establish appropriate processes and systems to effectively monitor and control the risks inherent within the marketplace lending relationships, the OCC said, from adequate loan underwriting guidelines to cover credit risk management to ensuring the marketplace lender has adequate compliance management processes in place to satisfy compliance risk management concerns.
“To address these risks, banks’ due diligence of marketplace lenders should include consulting with the banks’ appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology,” Bulletin 2017-21 explained. “Contracts or other governing documents should lay out the terms of service-level agreements and contractual obligations. Subsequent significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices.”
The guidance also addressed questions about whether Bulletin 2013-29 applies to a situation where a bank engages a third party to provide bank customers with the ability to make mobile payments using their bank accounts (yes) and whether a community bank may outsource the development, maintenance, monitoring and compliance responsibilities of its compliance management systems (yes, as long as the bank monitors and ensures the third party complies with current and subsequent changes to consumer laws and regulations).
To read Bulletin 2017-21, click here.
Why it matters
Required reading for financial institutions, the 14 FAQs in Bulletin 2017-21 cover topics ranging from collaboration among banks to meet regulatory expectations for managing third-party relationships to whether a relationship with a fintech company is a critical activity to the management of risks when entering a marketplace lending arrangement with nonbank entities.
back to top