OCC Issues Fintech FAQ

The Office of the Comptroller of the Currency issued frequently asked questions on Wednesday to supplement a bulletin published in October 2013 regarding how financial institutions manage risk in relationships with third parties, with some implications for fintech firms that provide services for banks.

The 2013 bulletin defined a third-party relationship as any business arrangement between a bank and another entity. Increasingly, that includes fintech companies.

“Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities, including performing services or delivering products to a bank’s customer base,” OCC noted in the FAQs published Wednesday.

The FAQ makes clear that banks that do partner with fintechs are expected to include the provider in their risk management process.

Fintech firms that provide services to multiple financial institutions may have an opportunity to better serve those customers by helping them collaborate to meet their risk management obligations. The OCC stated in the FAQs that banks that use the same fintech provider for similar services “may collaborate to meet certain expectations, such as performing the due diligence, contract negotiation, and ongoing monitoring responsibilities.”

OCC warned that collaborations between banks may not may not be sufficient on their own for banks to meet their risk management responsibilities if the fintech services they use, however similar, don’t present the same level of risk at each institution. Banks are required to adopt risk management processes “commensurate with the level of risk and complexity of their third-party relationships,” according to the FAQ. They must also ensure risk management collaborations don’t run afoul of antitrust laws.

One point of confusion in the 2013 bulletin was regarding banks’ obligation to consider a third party’s financial condition before forming a partnership. The bulletin noted that banks’ analyses may be as comprehensive as if they were extending credit to the provider, leading some banks to believe that they couldn’t do business with fintech firms that didn’t meet their lending criteria. The FAQ clarifies that’s not the case.

Banks should consider their partners’ financial condition before entering a relationship, but OCC recognizes that with startups and young firms, that information may not be available and urges banks to have contingency plans for a fintech provider that goes out of business.

When fintech firms provide critical services for a bank, though, the bank is expected to conduct in-depth and ongoing monitoring. Even when the amount of available information is limited, banks are expected to develop alternative ways to analyze a provider. They are expected to establish risk-mitigating controls and contingency plans for service interruptions, document their efforts to obtain information from the provider, and ensure the relationship will meet their needs.

The FAQ noted, too, that banks that rely on fintech startups for critical functions are expected to consider their risks in determining whether the startup is the “best service [provider] available to the bank despite the fact that the bank cannot acquire all the information it wants.”

— Read Trump Picks Former Banker for Comptroller of the Currency on ThinkAdvisor.