The Office of the Comptroller of the Currency (OCC) is one of the top financial regulatory agencies in the US. It’s responsible for making rules to ensure safe, ethical, and transparent operations for nationwide banks and money services businesses, as well as their subsidiaries.
Over the past several years, the OCC has watched the definition of “money services business” (MSB) expand as technology companies partner with financial institutions (FIs). These partnerships have resulted in new banking as a service (BaaS) products, such as neobanks. Through its Office of Innovation, and now its Office of Financial Technology, the OCC aims to better understand and regulate both these partnerships and the Fintech solutions they create.
This piece discusses the creation and purpose of the OCC’s Office of Financial Technology, as well as the regulatory guidelines it gave shortly after it was formed.
The Office of Financial Technology is a new department of the OCC. Its purpose is to better understand partnerships between FIs and technology companies, as well as the Fintech solutions born of these partnerships. This will help it provide the OCC with guidance in regulating this growing field of MSBs.
The OCC’s Office of Financial Technology was announced in October of 2022, and was officially established in March of 2023. It replaces and expands upon the agency’s Office of Innovation, formed in 2016.
Early in June 2023, the Office of Financial Technology published new guidelines for regulatory compliance when financial institutions partner with Fintechs and other third parties. Here are seven of the key points.
1. Third-party risk guidance is being standardized across US financial regulators
The OCC’s Office of Financial Technology didn’t develop its new guidance for managing risk in partnerships between FIs and Fintech firms by itself. It had input from two other major US financial regulatory agencies: the Federal Reserve Board (“the Fed”) and the Federal Deposit Insurance Corporation (FDIC).
Previously, each of these agencies had provided their own separate guidance on third-party risk management for FIs. Their decision to now offer joint guidance will likely reduce confusion for FIs regarding what advice to follow in assessing risk when partnering with Fintechs.
2. The guidance is intentionally broad to accommodate varying scenarios
The joint guidance doesn’t have any specific rules as to what FIs must do to manage risk in third-party relationships. This comes from the recognition that each FI’s situation is different in terms of clientele size, the complexity of financial services offered, and overall customer risk profile.
In addition, Fintech companies have their own situations and risk profiles. And the specific types of partnerships FIs form with them—which will likely only increase in number as technologies and ideas diversify—also affect the risks involved.
To that end, the guidance is just that—guidance. Each FI is responsible for weighing the risks of forming partnerships with Fintechs and other third parties based on its own unique circumstances.
3. Financial institutions need to exercise bargaining power carefully in negotiating BaaS relationships
BaaS inverts the traditional power dynamic in negotiating relationships between FIs and third parties (including Fintechs). Usually, the FI is the buyer, and the third party is the seller. This gives the FI a bit of leverage in that it can usually choose to look for an alternative if the negotiation isn’t working out.
In a BaaS relationship, FIs are selling the use of their digital infrastructures to Fintechs. This means, as buyers, Fintechs now have the upper hand in negotiation. The OCC’s Office of Financial Technology is concerned this may result in FIs being overly eager to make concessions in order to secure partnerships with Fintechs. These concessions could lead to unnecessary risk for the FI, and even the entire financial system.
Therefore, the guidance encourages an FI to consider other options if it determines that any contract with a Fintech (or other third party) carries an unacceptable amount of risk. These could include negotiating together with other FIs to increase leverage, looking for another third party to sell to, or building the desired functionality in-house.
4. In BaaS relationships, financial institutions are still responsible for protecting end customers
The guidance acknowledges that, in forming relationships with FIs, Fintechs and other third parties may have more immediate and ongoing relationships with FI customers than the FIs themselves. However, that in no way absolves FIs of any responsibility for taking care of their customers, even those who interact with the FI through a third party.
That means FIs must ensure any third parties they want to partner with adhere to all relevant regulatory compliance obligations—especially those directly relevant to customers. So FIs must scrutinize third parties’ policies on collecting and retaining customer information; resolving customer questions and concerns; protecting customers from risks; and avoiding subjecting customers to unfair, deceptive, or abusive business acts or practices.
It also means FIs have to be aware of the operational resilience capabilities of any third parties they partner with. This includes having redundancies and backup plans in place for protecting customers’ assets and information if a third party cannot provide its services—either temporarily or permanently.
5. Financial institutions need to conduct due diligence on third parties’ finances and business models
Part of the risk management process in FIs’ relationship-building with third parties should be taking a close look at any potential partner’s financial status. This includes not just researching basic public financial information (such as audits, mandated reports, and securities filings), but also asking the third party about other information that could affect finances. Examples include income sources, profit forecasts, pending lawsuits, and credit ratings.
An FI should also conduct ongoing inspection of a (potential) third-party partner’s marketing materials and other media describing its offered products and services. The point is to ensure the third party’s business strategy—including its suite of partnerships with other organizations—does not abruptly change into something unexpected and potentially riskier.
6. Smaller financial institutions can collaborate on compliance in BaaS, but must do the same amount of work
During the development of the guidance, an argument was made that smaller FIs should have lesser liability for BaaS-related compliance failures. The reasoning was that, under the new guidance, these FIs would have to devote even more of their limited resources to vetting third-party partners and ensuring their compliance with regulatory requirements. This would make it difficult for them to be competitive in an increasingly digital financial services industry.
The OCC, Fed, and FDIC rejected this argument. They did, however, allow for the possibility of smaller FIs working together and accessing industry resource groups for compliance purposes. This would allow them to properly complete BaaS-related compliance tasks while lessening the burden placed on each individual FI.
7. Financial institutions will also have to be aware of risks associated with indirect players in BaaS relationships
FIs need to recognize the possibility that any third parties they partner with may subcontract some of their operations out to other firms. This can create risks in that FIs may have less direct control over certain BaaS activities, perhaps even critical ones. A specific activity of focus is data aggregators accessing sensitive customer information.
Be Ready for Further Regulatory Guidance from the OCC’s Office of Financial Technology with the Help of Unit21
The upshot of the Office of Financial Technology’s initial guidance seems to be that the progressive integration of non-financial businesses into the financial industry isn’t going to ease regulatory requirements on actual FIs anytime soon. In fact, it may very well increase them. So it’s important to be equipped with reliable Regtech tools, such as Unit21’s Transaction Monitoring and Case Management solutions, to be ready for what’s next.