The Office of the Comptroller of the Currency issued frequently asked questions on Wednesday to supplement a bulletin published in October 2013 regarding how financial institutions manage risk in relationships with third parties, with some implications for fintech firms that provide services for banks.
The 2013 bulletin defined a third-party relationship as any business arrangement between a bank and another entity. Increasingly, that includes fintech companies.
(Related: Federal Agencies Improving Cyber Defense: Report)
“Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities, including performing services or delivering products to a bank’s customer base,” OCC noted in the FAQs published Wednesday.
The FAQ makes clear that banks that do partner with fintechs are expected to include the provider in their risk management process.
Fintech firms that provide services to multiple financial institutions may have an opportunity to better serve those customers by helping them collaborate to meet their risk management obligations. The OCC stated in the FAQs that banks that use the same fintech provider for similar services “may collaborate to meet certain expectations, such as performing the due diligence, contract negotiation, and ongoing monitoring responsibilities.”
OCC warned that collaborations between banks may not may not be sufficient on their own for banks to meet their risk management responsibilities if the fintech services they use, however similar, don’t present the same level of risk at each institution. Banks are required to adopt risk management processes “commensurate with the level of risk and complexity of their third-party relationships,” according to the FAQ. They must also ensure risk management collaborations don’t run afoul of antitrust laws.