OCC Bulletin 2017-21: A Must Read for Banks Before Partnering with a Fintech Company
Ever since OCC Bulletin 2013-29 “Third-Party Relationships: Risk Management Guidelines” was issued in 2013, banks have made significant investments in third-party vendor management programs. This investment, a key part of the compliance management system, was an essential step toward adopting the mindset that while you can outsource a function, you cannot outsource the risk – which for many, was a significant shift from prior years. As a financial services consulting firm working with clients on these issues, we have helped build and implement vendor management programs for a wide range of vendor types, including third-party debt collectors, debt buyers, attorney networks and even end-to-end servicing. These programs have all included the same core functions:
- Risk Assessment
- Due Diligence
- Contract Structuring
- Ongoing Oversight
Recently, more organizations have engaged, or are considering engaging, in partnerships with fintech companies. These new partnerships have ranged from delivering a payments methodology for customers to finding new ways to acquire clients to purchasing loans (e.g. marketplace lenders). However, these new partnerships have raised serious questions for third-party vendor risk managers as it relates to oversight requirements, such as:
- What level of risk does a fintech company pose to the bank? How will regulators view these risks?
- Can effective due diligence be performed if limited information (e.g. financial, historical performance) is available?
- How should ongoing monitoring be structured for a fintech firm that may only have a few employees?
- What are the bank’s fair lending risks if a third-party is booking the loans?
- What “fourth-party vendor” risks are associated with a fintech company?
On June 7, 2017, the OCC issued guidelines to help clarify some of these requirements (OCC Bulletin 2017-21). This new OCC Bulletin covers a lot of ground – re-stating many of the requirements from OCC Bulletin 2013-29 but also addressing several new topics head-on. Three key takeaways from the Bulletin are summarized below.
The OCC clarifies that a vendor management program, including those focused on fintech companies, should be risk-based upon the specific activities the company performs, as outlined in bank’s existing board-approved policies and procedures. This provides flexibility in how banks need to oversee fintech companies rather than forcing a one size fits all approach. All vendor management should be ongoing as opposed to “one and done.” However, if a fintech relationship does not present significant risk to the bank, vendor management requirements can align accordingly. For all vendor management relationships—but especially fintech companies with new or more complicated features and functions— documenting why a vendor presents a certain level of risk in a thoughtful and logical manner is essential to effectively manage compliance. This guidance should provide relative peace of mind that the OCC does not assume all fintech relationships are high-risk because they are new or emerging.
The OCC specifically addresses performing due diligence on “less established” companies that may have limited financial information. A key component addressed in the bulletin is that banks can consider access to funds, funding sources, earnings, net cash flow, expected growth, and expected borrowing capacity as part of a financial stability assessment. This clarification provides greater leeway for banks conducting due diligence as many fintech companies may not have the data to pass existing vendor management financial requirements, some of which may be considered “knock-out criteria.”
Marketplace lending arrangements are directly discussed. In addition to reiterating the potential legal, strategic, reputational, credit and operational risks that these relationships may pose, which should be considered as part of the risk assessment process, the OCC calls out the need to ensure the marketplace lender comply with applicable laws and regulations. Specifically, it states,
“…banks should not originate or support marketplace lenders that have inadequate compliance management processes and should monitor the marketplace lenders to ensure that they appropriately implement applicable consumer protection laws, regulations, and guidance.”
Support can be interpreted broadly in this guidance and highlights the need for effective ongoing oversight and monitoring for any bank engaged with a marketplace lender.
These three takeaways are just a few of the topics covered by OCC Bulletin 2017-21 and we encourage any bank engaged, or considering engaging, in a fintech relationship to read and comprehend the full guidance. In summary, the guidance appears to reduce some of the “fear of the unknown” associated with a fintech relationship. With the proper vendor management and diligence in place, a fintech relationship can be a worthwhile endeavor while expanding the products and services offered to your customer base, if it is in line with the bank’s strategic goals and objectives.