On March 5, the OCC issued new and revised frequently asked questions (FAQs) concerning third-party risk management. The FAQs supplement 2013 OCC guidance concerning third-party risk management, which provides supervisory guidance on the risks associated with third-party relationships, including those with fintechs. The new guidance also rescinds a 2017 version of the FAQs.

The new and updated FAQs remind banks and third-party providers, including fintechs, of longstanding principles governing third-party risk management. The FAQs reiterate that the level of attention paid to such relationships should be commensurate with the level of risk and complexity of its third-party relationships; and that the higher the risk of the individual relationship, the more robust the third-party risk management should be for that relationship. The OCC also places responsibility on bank management to determine the risks associated with each of its third-party relationships.

Although all of the FAQs should be of interest to fintechs, some are particularly relevant due to their topic or because they provide more nuanced answers to earlier FAQs. Notable FAQs address:

• Third-party relationships with cloud computing providers (FAQ 3), which clarifies that using a cloud provider is a third-party arrangement and that risk management expectations are fundamentally the same as for other third-party relationships
• Third-party relationships with data aggregators (FAQ 4), which several commenters have been critical of in recent days, differentiates between a bank’s contractual relationship with a data aggregator (a business relationship) and screen scraping (not a business relationship)
• The criteria a bank’s board of directors and management should use to determine whether a fintech arrangement involves critical activities (FAQ 10)
• Collaboration among multiple banks (such as performing due diligence, contract negotiation, and ongoing monitoring) that are using the same third-party service provider (FAQ 12)
• Factors a bank may consider when assessing the financial condition of a startup or less established fintech, including the fintech’s access to funds, funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors (FAQ 16)
• Alternative information sources a bank may consider when conducting due diligence of a fintech with limited due diligence information (FAQ 17)
• Using fintechs to offer products or services to the underbanked or underserved (FAQ18)
• Marketplace lending arrangements (FAQ19)
• Mobile payments providers (FAQ 20)
• Use of alternative data from third-party providers in credit underwriting, fraud detection, marketing, pricing, servicing, and account management (FAQ 27)

The OCC’s new and updated FAQs follow closely in time the FDIC’s technology lab’s release of a new six-page guide designed to help fintechs and other companies partner with banks. In sum, any fintech or other company seeking to partner with a bank should review this new information because it sets forth in detail the risk assessment and due diligence processes that banks must undertake when considering working with third parties.

Initial Fintech in Brief Advisory:
FDiTech Releases New Guide to Help ‘FinTechs’ Connect with Banks