This article was published in the Winter 2019 issue of Delaware Banker. It is reprinted here with permission.

In October 2018 the FDIC became the latest federal financial regulator to announce plans to create an Office of Innovation, following on the heels of the OCC and the CFPB. In separate speeches given in Philadelphia and Washington D.C.,¹ FDIC Chairman Jelena McWilliams explained the rationale for this move. Although technological innovation has always been part of the business of banking, McWilliams noted in her November 13, 2018 speech that: “What is different today is the speed and tremendous impact of technological innovation in and on banking, and the potential for technology to disrupt not just an institution or two, but banking as we know it.”

In her November 15th speech, McWilliams highlighted the strong benefits to the nation of a regulated banking industry, citing the importance of having a safe place for consumers to deposit cash and access credit, and noting the “central role” of banks in the payments systems. According to McWilliams, however, banks are at risk of being permanently dislodged as the primary source of key banking products and services. Accordingly, banks have no choice but to look for opportunities to innovate. At the same time, however, there has been no relaxation in safety and soundness standards. McWilliams acknowledged the tension between the need for banks to explore unconventional ways of doing things and regulator caution, noting that “we are looking at ways that the FDIC as a regulator can avoid getting in the way of beneficial innovations and technologies that will help regulated entities stay competitive.” In this article, we explore how federal financial regulators are seeking to facilitate innovation through recently-issued formal guidance regarding “responsible innovation.”

OCC Guidance

The OCC received enormous media attention in 2017 when it proposed the creation of a special purpose “fintech” national charter. Less noticed, but arguably just as important to the financial services industry, the OCC issued key guidance during 2017 targeting financial innovation.

Risk Management of New, Expanded, and Modified Bank Products and Services

In October 2017, the OCC rescinded longstanding OCC Bulletin 2004-20, “Risk Management of New, Expanded, or Modified Bank Products and Services: Risk Management Process,” and replaced it with Bulletin 2017-43 of the same name. In making this change, the OCC noted that:

Today’s technological advances include expanded use of artificial intelligence, machine learning, algorithms, and cloud data storage. These changes—in combination with rapidly evolving consumer preferences—are reshaping the financial services industry at an unprecedented rate and are creating new opportunities to provide consumers, businesses, and communities with more access to and options for products and services.²

Despite its ostensible emphasis on all things new, Bulletin 2017-43 primarily reinforces longstanding risk management concepts, including the need for a high level of knowledge by bank management and the board of directors. Within these themes, the Bulletin stresses the need for management to understand the underlying technologies that fintech companies employ together with the associated impacts on risk processes and controls. In particular, a bank’s change management processes with respect to new technologies are expected to address:

• Reviews by appropriate risk management, line managers, and senior managers in applicable business units (such as lending, finance, treasury, deposits, payments, compliance, audit, legal, technology, and information security) before implementing the new or modified operational process
• Proper testing of new or modified operational systems, processes, and technology
• Risk parameters and exception reporting that have been approved by appropriate management
• Mechanisms for ensuring that delivery to customers occurs as intended
• An exit strategy that identifies and limits the adverse effect to the bank and its customers in the event of a failed or flawed implementation
• Employee training in the new or modified operational process associated with the new activities.³

Bulletin 2017-43 additionally places a strong emphasis on third-party oversight. Banks are advised to include fintech companies in their third-party risk management processes and determine if the fintech companies’ activities meet the definition of critical activities. As banks look to enter into arrangements with fintech companies, third-party due diligence and ongoing monitoring should be deemed essential, and plans should be made to address all life-cycle stages described in OCC Bulletin 2013-29.

In sum, nothing contained in Bulletin 2017-43 attempts to dictate to a national bank what it can and cannot do. Rather, the bulletin stresses the need for careful planning, input from all relevant stakeholders, ongoing monitoring of actual against forecast results , periodic reassessment, and the ability to cease new activities, once begun, and change direction if necessary to protect the interests of the bank and its customers.

Expanded Risk Management Guidance for Third-Party Oversight

In addition to replacing OCC Bulletin 2004-20 with Bulletin 2017-43, the OCC expanded its existing risk management guidance for third-party oversight by issuing OCC Bulletin 2017-21, “Frequently Asked Questions to Supplement OCC Bulletin 2013-29.” Bulletin 2017-21 further clarifies the OCC’s supervisory expectations for third-party oversight by publishing 14 frequently asked questions (FAQs), a number of which specifically address relationships between banks and fintech companies:

FAQ 7: Is a fintech company arrangement considered a critical activity?

In its response to FAQ 7, the OCC clarified that a relationship between a national bank and a fintech may or may not involve a “critical activity,” depending on the nature of the specific services the bank or the fintech has agreed to perform. A critical activity is defined in Bulletin 2013-29 as an activity that:

• could cause the bank to face significant risk if a third party fails to meet expectations
• could have significant bank customer impact
• requires significant investment in resources to implement third-party relationships and manage risks, or
• could have major impact on bank operations if the bank has to find an alternative third party of if the outsourced activities have to be brought in house.

By recognizing that a third-party relationship is not automatically “high risk” because a fintech is involved, the OCC’s response implicitly encourages such relationships. In addition, by providing an affirmative response to closely-related FAQ 8, (i.e. “Can a bank engage in a start-up fintech company with limited financial information?”), the OCC further encourages a national bank not to shirk from entering into relationships with a fintech companies that do not have optimal financial depth so long as they are stable.

FAQ 9: How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?

In its response to FAQ 9, the OCC highlights the many ways that banks and fintechs may be able to collaborate, noting that “[b] anks may partner with fintech companies to offer savings, credit, financial planning, or payments in an effort to increase consumer access,” and noting that banks and fintechs often offer products that are complimentary to one another.

FAQ 10: What should a bank consider when entering a marketplace lending arrangement with nonbank entities?

Consistent with its response to FAQ 7, the OCC’s response to FAQ 10 states that the “bank’s board and management should understand the relationship . . . [and] ensure that appropriate personnel, processes, and systems [are in place to] effectively monitor and control the risks inherent within the marketplace lending relationship.” With respect to credit risk, the response provides that “banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines.” Although some fintech lenders were initially optimistic that the OCC’s response to FAQ 10 signaled a favorable posture toward “bank sponsor” lending relationships,⁴ this optimism dissipated when the OCC issued Bulletin 2018-14⁵ which clarified that it “views unfavorably a [non-bank] entity that partners with a bank with the sole goal of evading a lower interest rate established under the law of the entity’s licensing state(s).”⁶

FAQ 11: Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?

The affirmative answer given by the OCC to this question highlights the need for banks to have a strong understanding of all payment technologies that they allow their customers to access. When they first gained popularity, it was possible for a national bank to assume that a third party-enabled mobile card payment device was not subject to OCC Bulletin 2013-29. To this end, the presence of a third-party mobile payment application has no effect on the underlying card transaction. In its response to FAQ 11, however, the OCC clarified that relationships with mobile payments providers must be managed in a manner consistent with OCC Bulletin 2013-29, and directed banks to work with such providers to establish processes for authenticating the enrollment of customers’ account information.

OCC Fintech Charter

On July 31, 2018, the OCC announced that it had started accepting applications for special purpose national bank charters from qualified fintech companies engaged in the non-depository business of banking. At this early juncture, it is not surprising that no applicants have been approved. Given the demands placed on applicants, which are not materially different from those placed on applicants for a depository charter, we anticipate a low volume of applicants. In this regard, the current OCC leadership appears to be more interested in having fintech lenders explore the possibility of becoming a national bank in their own right versus entering into bank sponsor” lending relationships. Clearly here are many other ways for national banks and fintechs to partner beyond lending, including by having the bank serve as a source of funding to the fintech, or by having the bank license underwriting methodologies developed by the fintech.

The FDIC generally issues a lower volume of risk management guidance than the OCC, and that is true of guidance relating to innovation. In this regard, on June 7, 2017, the FDIC issued FIL 22-2017, which applies model risk management guidance that was previously published by the OCC and the FRB to FDICregulated institutions with assets of $1 billion or more. Although this guidance is not specifically targeted to relationships with fintech companies, it serves to foster bank innovation by providing clear expectations regarding the use of models, which are often a key component of innovative financial products and services.

An extremely important area for both banks and non-bank fintech lenders for which the FDIC has yet to provide definitive guidance is bank sponsor lending. Nearly all such relationships currently in existence involve an FDIC-regulated institution. Thus, it is natural that the financial services industry would look to the FDIC to provide direction and leadership. To this end, on July 29, 2016, the FDIC published “Draft Third-Party Lending Guidance” for public comment. This draft guidance appears to endorse bank sponsor lending so long as the expectations of the FDIC’s outsourcing bulletin (FIL-44-2008) are met. However, aside from still being in proposed status two and one-half years after it was published, the guidance is intentionally vague regarding the applicability of federal preemption, which greatly diminishes its usefulness.⁷

CFPB Guidance

On July 18, 2018, the CFPB appointed Paul Watkins to lead the Bureau’s new Office of Innovation. Although the CFPB regulates banks with assets of $10 billion or more, the CFPB cannot be characterized as a “bank regulator,” and does not issue risk management guidance similar to that issued by the OCC and FDIC. Briefly, the CFPB plays a different role in fostering innovation in the financial services industry. For example, on September 14, 2017, the CFPB issued its first-ever no-action letter to Upstart, a company that uses non-traditional or alternative data and modeling techniques in lending decisionmaking, thereby allowing persons with limited credit history to obtain credit or obtain credit on better terms. Under the terms of its no-action letter, the CFPB committed that it has no present intent to pursue supervisory or enforcement action against Upstart with respect to the Equal Credit Opportunity Act. A key idea behind the CFPB’s Office of Innovation is to allow companies “to advance new products and services without being unduly restricted by red tape that belongs in the 20th century.”⁸

We expect no action letters to emerge as an important component of that strategy now that the uncertainty over the leadership of the CFPB has been resolved.

Conclusion

In reviewing guidance published by the federal financial agencies, we advise that jurisdictional lines between agencies be set aside. The OCC has historically taken the lead in issuing risk management guidance and its positions on such matters have broad influence, not just in the United States, but globally. Nothing in the guidance reviewed in this article or in other guidance that we are aware of sets a requirement or supervisory expectation that a bank pursue technological innovation. Business competition, and risks to continued survival, provides incentive enough to continuously strive to do things faster, better, and more efficiently.

Recent federal agency guidance is remarkable with respect to the urgency with which banks are being encouraged to innovate. However, this clarion call to innovate is tempered by the continued need to adhere to safety and soundness requirements that greatly exceed those of non-bank competitors. In addition, there is the ever-present risk that business decisions that seem wise in today’s environment could become fodder for examiner criticism in the next financial downturn. The available guidance is helpful in three primary ways. First, it provides a roadmap for preparedness—if an opportunity to innovate presents itself, a bank that has implemented the recommended actions will be poised to take advantage. Second, if the business results prove disappointing despite best efforts, management will have the means for determining what went wrong and making necessary adjustments. Third, as a general rule, regulators single-out for criticism decisions that were poorly made (i.e., made in the absence of complete information, adequate planning, proper due diligence, etc.) or poorly documented. The strong message federal regulators are sending in their recent guidance and public statements is risk taking by banks related to innovation is welcome; albeit, strict measures must be taken to ensure that all risk taking is done prudently.

Endnotes