Innovation is a key to competitive advantage and keeping pace with consumer digital banking preferences. Increasingly, banks are engaging the services of fintechs who can deliver certain information and services in a more agile environment, putting banking services at consumers' fingertips. Some banks are entering into strategic alliances to ensure their platforms keep a competitive edge in the coming months and years. From a risk management and regulatory supervision/enforcement perspective, banks need to understand the specific services and capabilities of their partners and the risks involved. Last month, the OCC, the FDIC and the Federal Reserve released a joint bulletin, "Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks" (OCC Bulletin 2021-40).
In the Bulletin, the OCC highlights: "During due diligence, a community bank considers how the fintech company may assist the bank in meeting its strategic objectives and determines whether the relationship aligns with the bank's risk appetite. A community bank evaluates whether the proposed activity can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. To augment existing resources, leverage specialized expertise, and gain efficiencies, community banks might collaborate or engage external resources when evaluating a proposed relationship with a fintech company."
The OCC also refers community banks to its prior third-party vendor management and supervision requirements, but notes, importantly, that the new Bulletin is a separate "resource for bank management."
Accordingly, in conducting management risk assessments, banks may wish to consult a variety of prior materials to synthesize the various details and requirements:
- OCC Bulletin 2017-43 "New, Modified, or Expanded Bank Products and Services: Risk Management Principles"
- OCC Bulletin 2020-10 "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29"
- OCC News Release 2015-1 "Collaboration Can Facilitate Community Bank Competitiveness, OCC Says"
- OCC Bulletin 2013-29 "Third Party Relationships: Risk Management Guidance"
- OCC Bulletin 2002-16 "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance"
- 86 Fed. Reg. 38182 (July 19, 2021) "Proposed Interagency Guidance on Third-Party Relationships: Risk Management"
Strategic and financial goals alignment is a critical component to understand and assess. Another is assessing whether the "relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements."
Six Key Topics to Consider:
- Business Experience
- Financial Condition
- Legal & Regulatory Compliance
- Risk Management & Controls
- Information Security
- Operational Resilience
In addition to outlining the six key areas, the Bulletin offers helpful considerations as to how banks can gain information to better understand specific topics which underpin potential risks. For example, the following are all outlined in the Bulletin as "potential sources of information" in assessing the key areas (however, this list does not include all of the sources enumerated in the Bulletin and is not exhaustive):
- Organization charts
- Client references
- Media reports (and social media/company website)
- Employment policies
- Financial statements & public regulatory filings
- Enforcement actions/litigation, regulatory fines
- Business continuity plans
- Cybersecurity reports and incident plans
- Service level agreements
- Compliance reporting regarding meeting existing service level agreements
- Policies including customer communications and customer complaint policies
- Marketing materials
- Risk controls reporting
- Information security controls reports
The Bulletin provides "illustrative examples" which offer perspectives on risk issues that may require bank focus. Banks should take stock of the available information during due diligence to strategize contract provisions, relationship responsibilities and obligations. Such plans may need to include contingencies in the event that, for example, the fintech experiences a business interruption. Contractual provisions should specifically address critical service requirements, audit rights, incident response and information-sharing protocols, as well as potential wind-up and transition to future vendors. The bottom line is that the bank must adequately ensure the services do not adversely impact the bank's safety and soundness.
In turn, fintech companies should be prepared to discuss these six key considerations with prospective bank business partners. Fintechs that are transparent in their interactions with prospective bank clients likely will incrementally improve the possibility of winning engagements.
Delivering innovative banking services and related information is fast becoming table stakes for many banks. Doing it prudently, with safety and soundness at the core, is critical to eliminating undue risk and avoiding potential future regulatory/enforcement scrutiny. Getting these important relationships right up front will benefit all concerned in the future, including banks, fintechs and most important, customers.