OCC Supplements Guidance on Third Party Risk Management Practices (Bulletin 2017-21)
In June 2017, the OCC updated its guidance on third party risk management to address the growing number of bank-fintech relationships. The bulletin expands on OCC Bulletin 2013-29, which holds banks responsible for the risks of activities performed by third parties, and recommends comprehensive risk management practices, including inter-bank collaboration, to strengthen oversight. The OCC acknowledges the risks that arise when critical banking functions are outsourced to often less-established fintech vendors and sets out strict expectations for screening and continuously monitoring third party relationships.
The OCC has made it clear that using third party vendors does not reduce the responsibility of the board of directors and senior management to ensure that all bank activity is performed in compliance with applicable laws and with regard to potential risks. It emphasizes that risk management processes should be proportionate to the level of risk and complexity of each third party relationship and should include plans that document the bank's strategy, the inherent risks, contingency arrangements, and supporting records. The OCC also highlights the need for proper due diligence in selecting third party vendors and for preparing for interruptions of service, particularly where critical processes are involved. Because fintech companies have assumed a greater role in banking activities, banks should apply correspondingly rigorous risk management practices. Bulletin 2017-21 provides both clarification of existing expectations and enhanced guidance on how banks should manage third party relationships safely and effectively.
Collaboration and Shared Accountability
The OCC suggests distributing accountability across business lines to promote information sharing and improve the execution of due diligence and risk assessments. Similarly, it encourages collaboration at the inter-bank level to spread diligence costs, foster product innovation, and improve service offerings. Partnerships among banks facilitate standardized approaches to vendor due diligence, lowering costs and improving negotiating power. Smaller community banks have already begun to join alliances to standardize contracts with third parties.
However, differences among banks mean that each must retain individual responsibility for portions of vendor risk management, such as implementing its own contingency and termination plans. Banks should assess the level of risk associated with each of their third party relationships and evaluate their ability to monitor those relationships. To manage the associated risks, banks are encouraged to implement information technology controls, perform ongoing evaluations, and set fee structures that encourage appropriate risk taking. Additionally, banks should monitor third party activity to confirm compliance with laws and regulations and the reliability of disaster recovery plans. The Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), and InfraGard provide information sharing platforms that help banks address cyber threats to themselves and to their third party relationships.
Fintechs and Critical Activities
While all third party engagements carry some level of risk, banks ought to identify those that relate specifically to critical activities. Fintechs, which often provide payments, clearing, settlement, and custody services, fall into this category. A failure to meet expectations on any of these services, the OCC explains, would have a significant impact on customers. The OCC therefore expects banks' management of critical third party relationships to be especially comprehensive and rigorous.
The OCC also warns of the risks associated with the potential lack of financial stability among third party fintechs, emphasizing the need for diligence into their access to funds, net cash flow, growth, and projected borrowing capacity. Depending on the level of engagement with the vendor, the bank, though not required to, may want to analyze the company with the same rigor it would apply if it were extending a line of credit to the company. The OCC also clarifies that relationships between banks and fintech companies that provide services such as ATMs and kiosks to otherwise underbanked individuals fall under the same scope as the agreements described in Bulletin 2013-29.
Engagements with marketplace lenders carry real risks for banks and should be scrutinized to ensure that risk exposure and objectives are consistent with the strategic goals set by the board. Banks should institute appropriate risk management techniques to address reputation, credit, concentration, compliance, and market liquidity risks before engaging with marketplace lenders, and should have underwriting guidelines that ensure compliance with applicable regulations and operational procedures. The OCC emphasizes that banks treat these relationships as full extensions of the bank, conducting proper diligence of marketplace lenders, including consultation with the appropriate business lines.
The OCC further clarifies that the original Bulletin 2013-29 requirements extend to third party providers of payment software. These vendors include companies that develop or manage the software, hardware, and back-end systems behind payment services. Banks should work with payment providers to ensure that they have processes for authenticating the enrollment of customers' debit cards.
Banks may outsource their compliance management systems to third parties, particularly for monitoring, data collection, and management processes. However, the OCC expects the bank to retain proper oversight and to maintain a program that includes appropriate practices, procedures, internal controls, and audit systems.
The OCC, in coordination with the Board of Governors of the Federal Reserve and the FDIC, conducts examinations of Technology Service Providers (TSPs); the resulting examination reports are available only to banks that have contractual relationships with the particular TSP. The OCC may also proactively commence a TSP examination if there is cause for significant concern. A bank may rely on a third party's Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants' SSAE 18 standard, to evaluate the third party's risk management program. A practitioner caveat: a SOC report speaks only to the controls, systems, and period stated in its scope (a SOC 1 covers controls relevant to financial reporting, a SOC 2 covers security, availability, and related trust criteria), so the bank should confirm that the report actually covers the services it consumes and should implement any complementary user entity controls the report assumes.
The bulletin updates the more extensive Bulletin 2013-29 by expanding both the types of third parties covered and the level of scrutiny required to maintain appropriate risk management practices. As internal bank processes and services increasingly depend on specialized third party fintech platforms, banks inherit a greater level of risk. Banks should manage the credit, compliance, IT, and reputational risks introduced by marketplace lending platforms and other third parties in the same way they manage those risks arising from their own operations. To address the growing task of third party risk management, the OCC urges banks to collaborate both across business lines and with one another.
This bulletin comes at a time when the OCC continues to explore the implications of granting Special Purpose National Bank (SPNB) charters to fintech companies that offer bank-related products. In December 2016, the OCC published a paper suggesting that granting these charters to fintechs would allow them to be regulated more closely, improving the safety and soundness of their services. Acting Comptroller Keith A. Noreika reaffirmed the merits of granting special purpose charters to fintechs in his remarks to the Exchequer Club in July of 2017 as part of the OCC’s effort to promote responsible innovation that started in the summer of 2015. It is clear from the bulletin and from the aforementioned commentary that the OCC remains wary of fintech’s encroachment into traditional banking but takes the position that granting SPNB charters will preserve innovation while helping to ensure consumer safety.
The language in Bulletin 2017-21, specifically on marketplace lenders and payments companies, suggests that the OCC intends to regulate fintechs with varying levels of banking involvement at arm's length until its authority to grant SPNB charters is confirmed. The OCC currently faces lawsuits filed by the New York Department of Financial Services (DFS) and the Conference of State Bank Supervisors (CSBS) over its plans to grant SPNB charters. Regardless of whether fintech regulation ultimately becomes a state or federal matter, regulators at both levels are searching for ways to bring fintechs within a rule set.
- OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance <www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html>
- OCC Bulletin 2017-21: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 <www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-21.html>
- OCC, Exploring Special Purpose National Bank Charters for Fintech Companies (December 2016) <www.occ.gov/topics/responsible-innovation/comments/special-purpose-national-bank-charters-for-fintech.pdf>
- Remarks by Acting Comptroller Keith A. Noreika before the Exchequer Club (July 2017) <https://www.occ.treas.gov/news-issuances/speeches/2017/pub-speech-2017-82.pdf>
- Statement by Superintendent Maria T. Vullo on the DFS lawsuit <http://www.dfs.ny.gov/about/press/pr1705122.htm>
- CSBS press release: State Regulators Oppose OCC Fintech Charter <www.csbs.org/news/press-releases/pr2016/Pages/111416.aspx>