On June 7, 2017, the Office of the Comptroller of the Currency (OCC) issued a frequently asked questions supplement (FAQs) to OCC Bulletin 2013-29, addressing third-party relationships and risk management, focusing on financial technology (fintech) companies.
The FAQs recognize that many banks have recently developed relationships with fintech companies that provide services and products to bank customers. The FAQs clarify that such relationships constitute third-party relationships, and that banks must subject fintech companies to their third-party risk management processes, including in-depth due diligence and ongoing monitoring, particularly when critical activities are involved. Where critical activities are involved, banks must apply more comprehensive and rigorous oversight than is required for lower-risk relationships.
While banks may not receive the in-depth information they are seeking, particularly from new companies, the FAQs provide that banks not receiving such information must: (1) develop appropriate alternatives to analyze providers; (2) establish risk-mitigating controls; (3) be prepared to address delivery interruptions; (4) make risk-based decisions that such providers are the best available despite not providing all information sought; (5) retain appropriate documentation of all efforts to obtain information and related decisions; and (6) ensure that contracts meet the bank’s needs. Although banks, when assessing a start-up or less established fintech company’s financial condition, may consider its access to funds, funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors affecting overall financial stability, banks must have appropriate contingency plans in case such companies experience business interruptions, fail, or declare bankruptcy.
The FAQs also address: (1) ways banks, through fintech relationships, can serve underbanked or underserved populations; (2) marketplace lending arrangements; (3) reducing the cost of overseeing lower-risk relationships; (4) structuring third-party risk management; (5) collaboration among banks in managing third-party relationships; (6) cyber threats; (7) mobile payments; (8) outsourcing compliance management system functions; (9) obtaining access to interagency examination reports on technology service providers; and (10) use of third-party Service Organization Control reports.
A copy of the FAQs can be viewed here: https://www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-21.html.