OCC Guidelines for Banks Working With Third-Party Fintech Companies


The Office of the Comptroller of the Currency (OCC), a bureau of the U.S. Department of the Treasury, recently updated its supplement to OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.

Professionals who are pursuing advanced education through programs such as an online LL.M. (Master of Laws) degree should understand the importance of risk management when navigating new technologies. This update provides a helpful example in the form of a frequently asked questions (FAQ) page that gives banks more guidance on best practices when working with fintech companies through third-party relationships.

These updates will require banks and their legal teams to ensure that they are meeting all of the requirements discussed below. Contracts will be important as they will outline the third-party relationship and determine whether further due diligence and administrative tasks are required going forward.

Discover the purpose of the FAQ updates and delve deeper into what a third party is and how different relationships with fintech companies should be treated in a risk management process.

The Growth of Fintech Companies

The financial technology, or fintech, industry is a rapidly growing market that is providing faster, more convenient, and cheaper technology to the financial sector.

Banks have quickly realized that relationships with fintech companies are good not only for their customer service but also for their operational management. This realization has led to a boom in banks creating third-party relationships with fintech companies faster than the OCC can catch up with regulations.

The OCC Bulletin 2013-29 now offers banks clear guidelines on what needs to be reported and how to manage these relationships in the future.

What Is the Definition of a Third Party?

OCC Bulletin 2013-29 states that a third-party relationship is any business arrangement between a bank and another entity, whether that relationship exists by contract or through some other connection. According to this document, a relationship is a third-party relationship if it involves outsourcing products and services, using outside consultants or merchant payment processing services, or relying upon any services provided by affiliates or subsidiaries. It also includes joint ventures and other business arrangements in which a bank has an ongoing third-party relationship. In situations like these, having a compliance specialist involved can be very important to the success of the venture. The USC online Certificate in Compliance can prepare students to help mitigate the risks that might arise from working with third parties. With a strong focus on regulatory compliance, the certificate program ensures that graduates are able to efficiently and lawfully manage the relationships between their clients and third parties.

Several banks have built relationships with financial technology companies, also called fintech companies, over the last few years. If a fintech company offers services or delivers products for a bank, the relationship is treated as a third-party relationship. According to OCC Bulletin 2013-29, the OCC expects banks to include the fintech company in the bank’s third-party risk management assessment.

What Are the Main Changes Addressed in the Updated Supplement?

In its new FAQ supplement, the OCC has expanded on ways to manage risks in third-party relationships. The OCC organizes its standards around five phases that it refers to as the life cycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination.

The OCC has used this FAQ supplement to further explain the requirements for an effective risk management process. According to PricewaterhouseCoopers’ Financial Services practice, these requirements include the following:

  • Creating plans that outline the bank’s strategy and how the bank selects and assesses its third-party relationships
  • Noting proper due diligence related to the third party’s capacity to recover from difficulties
  • Outlining the rights of both the bank and the third party through contracts
  • Outlining how the ongoing monitoring of the third party will take place
  • Developing contingency plans if a termination with the third party takes place
  • Issuing documentation and reports that help the bank oversee the risk management of the relationship with the third party

How Do Banks Need to Structure Third-Party Risk Management?

According to OCC Bulletin 2017-21, the OCC does not prescribe one specific way for banks to structure their third-party risk management process. However, OCC Bulletin 2013-29 states that the OCC expects banks to adopt an effective process that is commensurate with the level of risk and complexity of each third-party relationship.

OCC Bulletin 2013-29 notes that some banks have spread accountability for their third-party risk management process across all of their business lines. Other banks have centralized management of the process under one of the information security, compliance, risk management, or procurement functions.

A third-party risk management process should include risk assessments, due diligence documents and questionnaires, and evaluations of the controls over the third-party relationship.

When Multiple Banks Use the Same Third-Party Service Providers


One of the new questions addressed on the updated OCC FAQ concerns whether multiple banks can collaborate when they are using the same third-party service provider.

The update states that if more than one bank uses the same service provider to obtain similar products or services, the banks can collaborate to meet certain expectations. Together, the banks can divide the responsibilities for performing due diligence, negotiating contracts, and carrying out the ongoing monitoring described in OCC Bulletin 2013-29, instead of each bank doing all of this work on its own.

In a May 2016 Insights article, the Baker Tilly financial team warns that these types of relationships require clear contracts. These contracts ensure that each party knows exactly what roles it is executing.

Even if several banks share responsibility for due diligence and contract negotiations for a single third party, each individual bank must make sure that the information it presents to the OCC fully meets that bank’s responsibilities as stated in OCC Bulletin 2013-29.

Collaboration is a tool that allows banks to leverage resources by distributing costs across multiple banks. OCC Bulletin 2017-21 mentions that many banks that use similar products and services from fintech companies or other service providers may become members of user groups. These user groups offer banks the opportunity to collaborate with their peers to create more innovative products, develop enhancements for their existing products or services, and address customer service and relationship management issues.

What Is the Relevance of These Changes?

These changes solidify the OCC’s desire to have all banks ensure that they are creating risk management processes and assessing their risk with all third-party relationships, regardless of how much work the third-party companies are performing.

For banks, these changes require them to show that they have a strong analytical process in place that identifies, measures, monitors, and controls all the risks associated with each of their third-party relationships. Failure to provide this information to the OCC could result in enforcement actions or a significant decline in the bank’s safety and soundness ratings.

These changes also require that the board members of large banks be more involved in the risk management of these relationships.

In light of these changes, banks may want to reduce the number of third parties, such as fintech companies, that they work with, in order to reduce the administrative work required to document their risk management processes.

Implications and Educational Opportunities

Law firms can offer unbiased perspectives that help banks implement OCC guidelines for due diligence, ongoing monitoring, and oversight. An understanding of compliant risk management and audit methods is therefore a valuable tool for professionals who may decide to pursue an online LL.M. (Master of Laws) degree.

Professionals who seek to use their experience in banking can benefit from receiving advanced education and earning an online Compliance Certificate. Learn more about the University of Southern California Online Master of Laws (LL.M.) degree program, a distinctive program offering from the USC Gould School of Law. This program offers a scholarly but practical approach that can help professionals expand their legal education in topics such as risk management and compliance.

Sources

  • Frequently Asked Questions to Supplement OCC Bulletin 2013-29
  • OCC Clarifies Role of Fintechs
  • New OCC FAQs on Third-Party Relationships Highlight Bank Arrangements with Fintech Companies and Marketplace Lenders
  • Managing Third-Party Relationships: It’s Complicated
  • Managing Risk for Third-Party Relationships in Financial Services
  • OCC Standards Require Strict Oversight of Third-Party Relationships