On June 7 2017 the Office of the Comptroller of the Currency (OCC) issued a set of frequently asked questions (FAQs)(1) to supplement its 2013 bulletin(2) on third-party relationship risk management (for further details please see "OCC issues new guidance on third-party relationships risk management"). The FAQs affirm the bulletin's broad applicability, while:
- re-emphasising the need for third-party relationship oversight to be risk based and tailored to individual institutions' needs; and
- delving into several more detailed compliance questions.
Notably, the FAQs focus on banks' relationships with financial technology (fintech) partners and their ability to collaborate among themselves to manage third-party relationships in line with OCC requirements.
The bulletin broadly defined 'third-party relationships' as "any business arrangement between a bank and another entity, by contract or otherwise". Further, it subjected third-party relationships that involve critical activities to more robust due diligence, monitoring and risk management requirements. 'Critical activities' were defined to include:
- significant bank functions (eg, payments, clearing, settlements and custody);
- significant shared services (eg, information technology); and
- other activities that generally could:
- cause a bank to face significant risk in third-party failure;
- have a significant impact on customers;
- require significant investment to implement the relationship and manage its risk; and
- have a major effect on the bank's operations if it was required to find an alternate service provider.
- retain this breadth;
- maintain the differentiation between relationships involving critical activities and others of lower risk; and
- continue to emphasise the role of a bank's board in the oversight of institution-specific risk management processes.
In general, a bank's management "should conduct in-depth due diligence and ongoing monitoring" in regard to critical activities with the expectation that both diligence and monitoring will be "robust, comprehensive, and appropriately documented". Where the management determines activities to be low risk, it must follow board-established policies and procedures. Banks must periodically update their third-party risk assessments throughout the relationship.
Ultimately, "the board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships". The OCC explicitly notes that "periodic board reporting is essential to ensure that board responsibilities are fulfilled".
Focusing on bank-fintech relationships, which were likely a key driver for the FAQs, the OCC notes that when "a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship" that should be subject to the bank's third-party risk management process. Akin to any other third-party service provider, a fintech company arrangement may be considered a critical activity in this regard.
In an important acknowledgement of the challenges that banks occasionally face in conducting third-party diligence, the FAQs also specifically address situations where a bank receives insufficient information from a third-party service provider that supports a critical activity. In that situation, the OCC expects a bank's board and management to:
- develop appropriate alternative ways to analyse these critical third-party service providers;
- establish risk-mitigating controls;
- prepare to address delivery interruptions;
- make risk-based decisions as to whether, despite the insufficient information, these critical third-party service providers remain the best available;
- retain appropriate documentation of all efforts to obtain information and related decisions; and
- ensure that contracts meet the bank's needs.
Addressing another aspect of due diligence, particularly in the fintech space, the FAQs expand on the bulletin, which directed banks to evaluate the financial condition of third-party service providers. The FAQs note that for:
"a start-up or less established fintech company, the bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect… overall financial stability."
The FAQs clarify that the OCC does not require banks to ensure that prospective third parties, including fintech entities, meet the bank's lending criteria. Nonetheless, banks should be careful to differentiate between relationships that create direct and indirect credit exposure.
The FAQs also specifically address marketplace lending arrangements with non-banking entities and relationships to facilitate mobile payments. In the marketplace lending context, the FAQs assert that a bank's board and management should understand the relationships among the entities involved and the risks specific to marketplace lending relationships, including reputational, credit, concentration, compliance, market, liquidity and operational risks. Management must also ensure that it has proper personnel, processes and systems to monitor and control these risks, including adequate loan underwriting guidelines and appropriate board-adopted policies that include concentration limits. The FAQs direct banks to work with mobile payment providers "to establish processes for authenticating enrollment of customers' account information that the customers provide to the mobile payment providers" as mobile payment environments become more ubiquitous and customer expectations dictate that transaction accounts – as well as bank-issued credit, debit and prepaid cards – can be used in mobile wallets.
In response to industry requests for guidance on cooperative third-party diligence and oversight mechanisms, the FAQs indicate that banks may, subject to antitrust laws, collaborate with other banks "to meet certain expectations, such as performing the due diligence, contract negotiation, and ongoing monitoring responsibilities" required by the OCC. Accordingly, where appropriate, banks may take advantage of tools that offer standardised approaches to perform due diligence on third-party service providers. The FAQs also indicate that collaboration among banks "can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle". Further, information-sharing organisations – including the Financial Services Information Sharing and Analysis Centre, the US Computer Emergency Readiness Team and InfraGard – provide a means to improve systematic understanding of cyber threats to both banks and their third-party providers. Notwithstanding this acknowledgement of the benefits of collaboration, the OCC also cautions that:
- customised services do not lend themselves to collaboration;
- even generic services may pose different risks for different banks; and
- banks will always retain the responsibility to assess the particular way that they use a third-party provider and tailor their risk management processes accordingly.
Banks may also obtain access to interagency technology service provider (TSP) examination reports from the OCC, subject to certain limitations. Specifically, TSP reports will be made available only to banks with existing contractual relationships with the TSP at the time of examination. While the OCC has long indicated that examination reports are available only to a TSP's actual bank clients, the restriction that contracted parties cannot get access to the most recent pre-contract examination will put banks at a disadvantage early in their relationships with TSPs.
Finally, the FAQs provide express authority for banks to outsource "some or all" of their compliance management systems to third parties, provided that they "monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations". Banks may further rely on a third party's service organisation control report prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements 18 (SSAE 18). The SSAE 18 report may be particularly useful for banks, as it addresses whether the third party effectively oversees its own subcontractors or 'fourth parties', which is an area of increasing focus among banking agencies.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
For further information on this topic please contact Joel D Feinberg, David E Teitelbaum, John K Van De Weert or David A Miller at Sidley Austin LLP by telephone (+1 202 736 8000) or email (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
(1) Office of the Comptroller of the Currency, Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (June 7 2017), available here.
(2) Office of the Comptroller of the Currency, OCC Bulletin 2013-29 (October 30 2013), available here.