Validating FinTechs as Business Risk Partners: OCC Bulletin | Bryan Cave Leighton Paisner
Innovation is the key to competitive advantage and adapting to consumers’ digital banking preferences. Increasingly, banks are turning to fintech services which can deliver certain information and services in a more agile environment, putting banking services at the fingertips of consumers. Some banks are forging strategic alliances to ensure that their platforms retain a competitive advantage in the months and years to come. From a risk management and regulatory oversight / enforcement perspective, banks need to understand the specific services and capabilities of their partners and the risks involved. Last month, the OCC, FDIC and Federal Reserve released a joint bulletin “Conducting Due Diligence on FinTech Companies: A Guide for Community Banks.” OCC Bulletin 2021-40.
In the Bulletin, the OCC points out, “During due diligence, a community bank examines how the financial technology company can help the bank achieve its strategic goals and determines whether the relationship aligns with the appetite for it. bank risk. A community bank assesses whether the proposed activity can be carried out in a safe and healthy manner, in accordance with applicable legal and regulatory requirements. To augment existing resources, leverage specialized expertise, and gain efficiency, community banks can collaborate or engage external resources when evaluating a proposed relationship with a FinTech firm.
The OCC also refers community banks to its previous requirements for the management and supervision of third-party providers, but importantly notes that the new Bulletin is a “separate resource for bank management”.
Therefore, when assessing management risks, banks may wish to consult a variety of previous documents to synthesize various details and requirements:
Alignment of strategic and financial objectives is an essential element to understand and evaluate. Another is to assess whether the “relationship can be implemented in a safe and healthy manner, in accordance with applicable legal and regulatory requirements”.
Six key topics to consider:
- Commercial experience
- Financial condition
- Legal and regulatory compliance
- Risk management and controls
- Information security
- Operational resilience
In addition to describing the six key areas, the Bulletin offers useful considerations on how banks can obtain information to better understand specific topics that underlie the potential risks. For example, the following are all described in the Bulletin as “potential sources of information” for assessing key areas (however, this list does not include all of the sources listed in the Bulletin and is not exhaustive):
- Organization charts
- Customer references
- Media reports (and social media / company website)
- Employment policies
- Public financial statements and regulatory documents
- Coercive actions / litigation, regulatory fines
- Business continuity plans
- Cyber security reports and incident plans
- Service Level Agreements
- Compliance reports regarding adherence to existing service level agreements
- Policies, including policies on customer communications and customer complaints
- Promotional material
- Risk control reports
- Information Security Controls Reports
The Bulletin provides “illustrative examples” that offer perspectives on risk issues that may require banks’ attention. Banks should take stock of the information available during due diligence to develop a strategy on contractual arrangements, responsibilities and relationship obligations. These plans may need to include contingencies in the event, for example, that the fintech experiences a business disruption. Contractual arrangements should specifically address critical service requirements, audit rights, incident response and information sharing protocols, as well as potential liquidation and transition to future vendors. The main thing is that the bank should adequately ensure that the services do not have a negative impact on the security and soundness of the bank.
In turn, fintech companies should be prepared to discuss these six key considerations with potential banking business partners. Fintechs that are transparent in their interactions with potential bank customers are likely to gradually improve the possibility of gaining engagements.
Providing innovative banking services and related information is quickly becoming a table issue for many banks. Doing so with caution, with safety and soundness at heart, is essential to eliminate undue risk and avoid possible future regulatory / enforcement review. Building these important relationships from the start will benefit all parties involved in the future, including banks, fintechs and, most importantly, customers.