The Office of the Comptroller of the Currency (OCC) has released FAQs to supplement its 2013 guidance on risk management of third-party relationships. The FAQs specifically address bank relationships with fintech companies and marketplace lenders, relationships that were not necessarily an OCC focus when the 2013 guidance was issued.
As with its 2013 guidance, the FAQs focus on managing risk through a bank's adequate due diligence and ongoing monitoring of third-party service providers such as fintech companies, and place ultimate responsibility for risk management with the bank's management and board of directors. The FAQs recognize that the levels of due diligence and ongoing monitoring may differ based on the risk and complexity presented by specific third-party relationships.
Among other issues, the FAQs note the following:
- Third-party relationships with fintech companies can arise in a number of circumstances that might not be obvious, such as fintech companies that allow bank customers to link their bank accounts with the company’s app or website to promote savings goals, or companies that provide processing and other services in connection with mobile payments.
- Relationships with startup fintech companies are not prohibited under the 2013 guidance solely due to the limited financial information and history of a startup.
- Banks should have appropriate personnel, processes, and systems to monitor and control the risks associated with relationships with marketplace lenders. These risks include reputation, credit, concentration, compliance, market, liquidity, and operational risk. The FAQs direct banks to assess and monitor marketplace lenders' compliance management processes and servicing arrangements, and to conduct adequate due diligence of marketplace lenders by examining their key operations (credit, compliance, finance, audit, operations, accounting, and information technology).
- Reviewing a third party's SOC report (an attestation report prepared under the SSAE standard) might be useful as part of a bank's due diligence of third parties, but such a review is not necessarily sufficient due diligence on its own. It is left to the bank to determine whether the information in such a report allows it to adequately assess the third party. In practice that means checking the report's type and scope (a SOC 1 covers controls relevant to financial reporting, while a SOC 2 covers security and related trust criteria), the period it covers, any subservice organizations carved out of its scope, the complementary user-entity controls the bank itself is expected to operate, and any exceptions the auditor noted.
- A bank can outsource some or all of its compliance management systems so long as the bank ensures that the third party performing compliance functions on behalf of the bank adequately complies with current consumer laws and regulations and implements any required changes as those laws are modified.
- Multiple banks that use the same service provider or obtain like products or services can collaborate to leverage resources for due diligence, contract negotiation, and ongoing monitoring responsibilities. However, each bank should remain mindful of its individual needs and risk tolerances, and conduct additional due diligence and monitoring if necessary to suit its individual needs. Furthermore, the FAQs identify certain areas as necessitating individual bank assessments tailored to the operations of the bank, such as how the third-party product fits into the bank’s strategic planning process, the risk posed to the bank by the third-party relationship, and monitoring of the third party’s compliance program and disaster recovery program.
- Banks can engage with information-sharing organizations to monitor and better understand cyber threats and vulnerabilities, and the FAQs appear to encourage the use of such organizations, naming the Financial Services Information Sharing and Analysis Center (FS-ISAC), the US Computer Emergency Readiness Team (US-CERT), and InfraGard.
Although nothing in the FAQs is particularly headline worthy, they are the first clarification of the 2013 guidance since it was issued, and that guidance caused both banks and third-party service providers to reexamine their contractual relationships and their compliance and risk management procedures. The FAQs, like the 2013 guidance, remain qualitative and risk based, and do not present a one-size-fits-all approach to monitoring and managing third-party relationships.
As with the 2013 guidance, banks should incorporate the FAQs into their third-party relationships and assessments, and third-party service providers to banks should expect questions from their bank partners based on the OCC’s guidance and expectations.