Pepper Hamilton: New OCC Bulletin On Third-Party Oversight Highlights FinTech Relationships

On June 7, the Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2017-21 (Frequently Asked Questions to Supplement Bulletin 2013-29; Third-Party Relationships: Risk Management Guidance). This is the OCC’s second bulletin focusing on third-party oversight released this year (click here for our analysis of OCC Bulletin 2017-7). The first bulletin was directed to national bank examiners and established procedures for evaluating the effectiveness of third-party oversight programs. The latest bulletin is targeted at banks and clarifies the OCC’s supervisory expectations for safe and sound risk management in the form of 14 FAQs. Both bulletins discuss relationships between national banks and financial technology companies (fintechs), which continue to receive heightened OCC attention. This Alert focuses on the new FAQs regarding third-party relationships involving fintechs. As defined in OCC Bulletin 2013-29, a third-party relationship includes “any business arrangement between a bank and another entity, by contract or otherwise.”

FAQ 7: Is a fintech company arrangement considered a critical activity?

As defined in OCC Bulletin 2013-29, a “critical activity” is an activity that involves a significant bank function or an activity that:

• could cause the bank to face significant risk if a third party fails to meet expectations
• could have significant bank customer impact
• requires significant investment in resources to implement third-party relationships and manage risks
• could have major impact on bank operations if the bank has to find an alternative third party of if the outsourced activities have to be brought in house.

In its response to FAQ 7, the OCC clarified that a relationship between a national bank and a fintech may or may not involve a critical activity, depending on the nature of the specific services the bank or the fintech has agreed to perform. In giving this response, the OCC recognized that third-party relationships are not automatically “high risk” merely because a fintech is involved.

FAQ 10: What should a bank consider when entering a marketplace lending arrangement with nonbank entities?

Consistent with its response to FAQ 7, the OCC’s response to FAQ 10 states that the “bank’s board and management should understand the relationship . . . [and] ensure that appropriate personnel, processes, and systems [are in place to] effectively monitor and control the risks inherent within the marketplace lending relationship.” With respect to credit risk posed by these relationships, the response provides that “banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines.”

Although some may read the OCC’s response to FAQ 10 as an endorsement of “bank partnership model” lending relationships between national banks and marketplace lenders, the response includes no explicit mention of these relationships. The response references “marketplace lending or servicing arrangements,” and states that “banks should not originate or support marketplace lenders that have inadequate compliance management processes . . .,” but does not speak to the respective obligations of the parties to these arrangements. Thus, it is conceivable that the bulletin only addresses other types of relationships, such as warehouse lines of credit or loan servicing arrangements. At a minimum, however, the response confirms that national banks should not hesitate to enter into relationships with marketplace lenders as long as appropriate oversight mechanisms are in place.

FAQ 11: Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?

Until now, a national bank could have taken the position that a third party that merely enabled mobile card payments was not subject to OCC Bulletin 2013-29. To this end, the presence of a third party’s mobile payments application has no effect on the underlying card transaction, and the bank’s involvement is likely confined to deciding whether to promote the availability of the application to its customers. In its response to FAQ 11, however, the OCC clarified that these relationships need to be managed “in a manner consistent with OCC Bulletin 2013-29,” and directed banks to “work with mobile payment providers to establish processes for authenticating enrollment of customers’ account information.”

Complying with FAQ 11 may prove challenging as it will likely entail:

• reviewing contracts (updating master service agreements, work orders, service-level agreements, etc.)
• conducting onsite physical security audits
• analyzing data security protocols (and gaining access to third-party protocols)
• understanding exactly what data of the bank and its customers is shared and with whom, how this data is transferred, and where it is stored
• preparing for the possibility of data breach notifications
• tracking additional consumer complaints
• creating appropriate exit/wind-down strategies.

In addition, bank management will be expected to assess the overall risk posed by the relationship, assign an appropriate risk rating (e.g., high, medium or low risk), and perform ongoing monitoring consistent with the rating assigned.

This clarification may also prove troublesome for providers of mobile payment applications and software, which are likely to face heightened scrutiny as potential service providers to national banks and the attendant risk of OCC examination.

Pepper Points

• OCC bulletin 2017-21 focuses more on fintechs, including marketplace lenders and facilitators of mobile payments, than on any other topic. This focus underscores the major impact that fintechs are continuing to have on the banking industry. In clarifying that the presence of a fintech in a third-party relationship does not automatically render a relationship high risk, the OCC is sending a clear message that fintech-enabled services have become an integral part of the financial services ecosystem.
• Although the bulletin represents an endorsement by the OCC of relationships between national banks and fintechs, the bulletin repeatedly stresses the need for compliance management systems and controls commensurate with the particular legal, compliance, information security and reputational risks posed by each such relationship.
• In its response to FAQ 11, the OCC resolved longstanding uncertainty regarding the application of OCC Bulletin 2013-29 to third-party mobile payment applications. Complying with the direction provided, however, will likely pose major challenges. National banks with existing relationships with third-parry providers of these applications and/or software will need to revisit their existing contracts and compliance systems and controls to confirm compliance with OCC Bulletin 2013-29.