On September 6, Acting Comptroller of the Currency Michael Hsu warned that fintech and big techs partnerships and their forays into payment and lending could lead to increased risk for the banking industry. “My sense is that we are still in the early stages of a significant shift in how banking services are going to be provided in the future.” A copy of his remarks, made at the Clearing House Association and Bank Policy Institute’s Annual Conference, can be found here.
Hsu said that the Office of the Comptroller of the Currency (OCC) sees a transition in banking today analogous to the globalization of manufacturing in the 1980s. “Digitalization has put a premium on online and mobile engagement, customer acquisition, customization, big data, fraud detection, artificial intelligence, machine learning, and cloud management. These activities require expertise and economies of scale that most banks do not have. Fintechs and big techs have stepped in, starting with payments but expanding well beyond that. The result is an increasingly de-integrated stack of banking services, with technology firms competing across many layers.”
Hsu acknowledged that by partnering, banks can obtain tech innovations at a lower cost, while fintechs gain access to longstanding customer bases and reputations of their banking partners. Hsu warned, however, that the benefits of these partnerships can be lost if the bank lacks an effective risk management framework, stating that bank information technology “concerns in the national banking system are elevated. They currently constitute 25 percent of all cited supervisory concerns. A majority are related to fundamental elements of risk management, e.g., board oversight, governance, and internal controls. Common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience.” Even more concerning to the OCC are the unknown risks that will emerge from this digital transition.
Emphasizing that the OCC is committed to avoiding a replay of the 2008 financial crisis, Hsu reassured the conference attendees that “[a]t the OCC, we are currently working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes. This will enable a clearer focus on risks and risk management expectations.” Hsu referenced that the OCC’s recently released five-year strategic plan acknowledges and addresses the increasing digitization of the banking industry.
A recent OCC enforcement action makes clear that oversight of bank-fintech partnerships denotes an area in which the OCC plans to focus. Just last month, the OCC reached a formal written agreement with a Virginia community bank to step up its monitoring of its fintech partnerships after allegations of attempted money laundering by one of those partners.
Under the agreement terms, the Virginia bank is required to, among other things:
- Adopt, implement, and adhere to a written program to effectively assess and manage the risks posed by the bank’s third-party fintech relationships;
- Obtain an OCC nonobjection prior to onboarding or signing a contract with a new third-party fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech partners;
- Adopt a revised independent Bank Secrecy Act audit program that includes an expanded scope and risk-based review of activities conducted through the bank’s third-party fintech partners;
- Develop, implement, and adhere to an enhanced written risk-based program to ensure the timely identification, analysis, and suspicious activity monitoring and reporting for all lines of business, including activities provided by and through the bank’s third-party fintech relationship accounts and subaccounts.
The oversight requirements imposed on the Virginia bank align with the remarks Comptroller Hsu made at another recent speech before the Texas Bankers Association — a copy of those remarks can be found here. The OCC expects banks to conduct due diligence on its fintech partners, especially those firms with limited histories. And, if the recent Virginia enforcement action is a reliable indicator, it will be the banks that will be held accountable for failing to anticipate and prepare for the risks of associating with fintech partners.