On June 7, 2017, the Office of the Comptroller of the Currency ("OCC") issued a bulletin addressing frequently asked questions ("FAQs") regarding the risk management practices that national banks and federal savings associations (collectively, "banks") are expected to put in place with respect to third-party relationships. The FAQs supplement previous guidance issued on the topic by the OCC in Bulletin 2013-29. This Client Alert describes the impact that Bulletin 2013-29 and the FAQs can have on financial technology ("fintech") companies that intend to provide products or services to banks.
FINTECH SERVICES SUBJECT TO THE FAQS AND BULLETIN 2013-29
Bulletin 2013-29, issued in October 2013, defines a third-party relationship as a business arrangement between a bank and another entity, by contract or otherwise. This includes activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. The FAQs acknowledge the trend of banks developing relationships with fintech companies that involve some of these activities, including performing services or delivering products directly to a bank's customer base. The FAQs make clear that if a fintech company performs services or delivers products on behalf of a bank, the relationship meets the definition of a third-party relationship and the bank must include the fintech company in its third-party risk management process.
THE RISK MANAGEMENT PROCESSES
Bulletin 2013-19 describes the lifecycle of an effective third-party risk management process as one that incorporates the following phases:
- Due diligence and third-party selection;
- Contract negotiation;
- Ongoing monitoring; and
- Termination (including developing a contingency plan).
The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank's organizational structures. Therefore, the oversight and management of third-party relationships is expected to be more comprehensive and rigorous if "critical activities" are involved. Critical activities include:
- Significant bank functions;
- Significant shared services; and
- Other activities that:
- could cause a bank to face a significant risk if the third party fails to meet expectations;
- could have significant customer impacts;
- require significant investment in resources to implement the third-party relationship and manage the risk; or
- could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
On the other hand, for activities that bank management determines to be low risk, management should follow the bank's board-established policies and procedures for due diligence and ongoing monitoring. The FAQs make clear that services provided by a fintech company are not automatically deemed to be critical activities. Each bank's board and management must perform an assessment of whether its relationship with a fintech company relates to critical activities. Further, this assessment should be updated periodically throughout the relationship, as opposed to being a one-time assessment conducted at the beginning of the relationship.
OCC standards require that contracts with suppliers of critical activities include the right of not only the bank but also the banking regulators to audit the compliance of the company with the terms of the contract. The contracts generally will also include stringent requirements with respect to the safeguards the supplier maintains to protect private information. The contracts can often be burdensome and intrusive on the supplier.
RISK MANAGEMENT PROCESSES APPLICABLE TO NEW COMPANIES
If a bank is unable to obtain all the information it seeks on a critical third-party service provider, particularly from new companies, the FAQs put forth the following steps that bank management is expected to take:
- develop appropriate alternative ways to analyze these critical third-party service providers;
- establish risk-mitigating controls;
- be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple
- telecommunications lines in and out of critical sites); make risk-based decisions that these critical third-party service providers are the best service providers available to the bank
- despite the fact that the bank cannot acquire all the information it wants; retain appropriate documentation of all their efforts to obtain information and related decisions; and ensure that contracts meet the bank's needs.
The OCC acknowledges that start-up fintech companies may have limited financial information available. Although Bulletin 2013-29 states that banks should consider the financial condition of third parties during the due diligence stage, the FAQs clarify that with respect to fintech companies, banks may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the fintech company's overall financial stability. Banks are also expected to assess changes to the financial condition of fintech companies as part of their ongoing monitoring of the relationship.
Bulletin 2013-19 states that depending on the significance of the third-party relationship, a bank's analysis of a third party's financial condition may be as comprehensive as if the bank were extending credit to the third-party service provider; however, the FAQs clarify that there is no absolute requirement that a third party meet the bank's lending criteria.
BANK COLLABORATION TO MEET OCC EXPECTATIONS
The FAQs make clear that if multiple banks are using the same service providers to secure or obtain like products or services, the banks may collaborate to meet certain expectations. For example, banks may become members of user groups, which create the opportunity for banks to collaborate with their peers on innovative product ideas, enhancements to existing products or services, and customer service and relationship management issues with service providers. Banks may also have participating third parties complete common security, privacy, and business resiliency control assessment questionnaires which may be shared with multiple banks.
The FAQs specifically mention that information-sharing forums have improved banks' ability to identify cyber-attack tactics on banks and third parties with whom they have relationships.
Fintech companies intending to provide their products or services to banks should carefully evaluate the way the OCC standards will affect the banks' demands on the company and plan accordingly. It will be vital that a fintech supplier to a bank not only is stable and capable of providing services reliably and with tight security but also that the company can demonstrate to the banks and potentially the regulators that this is the case. Ironically, it may also be significant whether the providers could be replaced if necessary.