Recently, with increasing frequency, questions have been posed regarding the responsibilities of bank regulated entities (“Bank Entities”) with respect to their “third-party relationships,” particularly with financial technology companies.
On June 7, 2017, the Office of the Comptroller of the Currency (the “OCC”) issued a supplement (the “Supplement”) to its Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013.
As an overview, the OCC stated:
OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services; use of outside consultants, networking arrangements, merchant payment processing services, and services provided by affiliates and subsidiaries; joint ventures; and other business arrangements in which a bank has an ongoing third-party relationship or may have responsibility for the associated records. Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities, including performing services or delivering products to a bank’s customer base. If a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship and the OCC would expect bank management to include the fintech company in the bank’s third-party risk management process. (Emphasis added.)
The OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships. The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship. The level of due diligence and ongoing monitoring should be consistent with the level of risk and complexity posed by each third-party relationship. For critical activities, the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented. Additionally, for activities that bank management determines to be low risk, management should follow the bank’s board-established policies and procedures for due diligence and ongoing monitoring.
The Supplement then addresses a series of FAQs that should be considered by Banking Entities. Conversely, these FAQs also provide guidance to fintech companies seeking relationships with Bank Entities and in addressing due diligence inquires. FAQs.
