On September 6, Acting Comptroller of the Currency Michael Hsu warned that fintech and big techs partnerships and their forays into payment and lending could lead to increased risk for the banking industry. “My sense is that we are still in the early stages of a significant shift in how banking services are going to be provided in the future.” A copy of his remarks, made at the Clearing House Association and Bank Policy Institute’s Annual Conference, can be found here.

Hsu said that the Office of the Comptroller of the Currency (OCC) sees a transition in banking today analogous to the globalization of manufacturing in the 1980s. “Digitalization has put a premium on online and mobile engagement, customer acquisition, customization, big data, fraud detection, artificial intelligence, machine learning, and cloud management. These activities require expertise and economies of scale that most banks do not have. Fintechs and big techs have stepped in, starting with payments but expanding well beyond that. The result is an increasingly de-integrated stack of banking services, with technology firms competing across many layers.”

Hsu acknowledged that by partnering, banks can obtain tech innovations at a lower cost, while fintechs gain access to longstanding customer bases and reputations of their banking partners. Hsu warned, however, that the benefits of these partnerships can be lost if the bank lacks an effective risk management framework, stating that bank information technology “concerns in the national banking system are elevated. They currently constitute 25 percent of all cited supervisory concerns. A majority are related to fundamental elements of risk management, e.g., board oversight, governance, and internal controls. Common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience.” Even more concerning to the OCC are the unknown risks that will emerge from this digital transition.

Emphasizing that the OCC is committed to avoiding a replay of the 2008 financial crisis, Hsu reassured the conference attendees that “[a]t the OCC, we are currently working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes. This will enable a clearer focus on risks and risk management expectations.” Hsu referenced that the OCC’s recently released five-year strategic plan acknowledges and addresses the increasing digitization of the banking industry.

A recent OCC enforcement action makes clear that oversight of bank-fintech partnerships denotes an area in which the OCC plans to focus. Just last month, the OCC reached a formal written agreement with a Virginia community bank to step up its monitoring of its fintech partnerships after allegations of attempted money laundering by one of those partners.

Under the agreement terms, the Virginia bank is required to, among other things:

  • Adopt, implement, and adhere to a written program to effectively assess and manage the risks posed by the bank’s third-party fintech relationships;
  • Obtain an OCC nonobjection prior to onboarding or signing a contract with a new third-party fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech partners;
  • Adopt a revised independent Bank Secrecy Act audit program that includes an expanded scope and risk-based review of activities conducted through the bank’s third-party fintech partners;
  • Develop, implement, and adhere to an enhanced written risk-based program to ensure the timely identification, analysis, and suspicious activity monitoring and reporting for all lines of business, including activities provided by and through the bank’s third-party fintech relationship accounts and subaccounts.

The oversight requirements imposed on the Virginia bank align with the remarks Comptroller Hsu made at another recent speech before the Texas Bankers Association — a copy of those remarks can be found here. The OCC expects banks to conduct due diligence on its fintech partners, especially those firms with limited histories. And, if the recent Virginia enforcement action is a reliable indicator, it will be the banks that will be held accountable for failing to anticipate and prepare for the risks of associating with fintech partners.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mary C. Zinsner Mary C. Zinsner

Mary Zinsner is a partner in Troutman Pepper’s Washington, D.C. office who handles high stakes matters for banks nationwide. Mary focuses her practice on litigation and strategy in lender liability, check and bank operation, class action, consumer finance, fiduciary matters, and creditor’s rights…

Mary Zinsner is a partner in Troutman Pepper’s Washington, D.C. office who handles high stakes matters for banks nationwide. Mary focuses her practice on litigation and strategy in lender liability, check and bank operation, class action, consumer finance, fiduciary matters, and creditor’s rights disputes. She has also been accepted into the American Arbitration Association’s (AAA) Roster of Arbitrators. Viewed as leaders in the practice of alternative dispute resolution (ADR), AAA arbitrators are required to receive ongoing education in the art and science of arbitration and demonstrate knowledge, prowess, mastery, and proficiency in a particular field.

Read more about Mary C. ZinsnerMary's Linkedin Profile
Show more Show less
Photo of James Stevens James Stevens

James provides corporate and regulatory advice to our clients. He has substantial experience in the representation of public and private companies, including banks, neobanks, marketplace lenders, payments companies, crypto and DeFi companies, and other fintech and financial services providers in connection with formation…

James provides corporate and regulatory advice to our clients. He has substantial experience in the representation of public and private companies, including banks, neobanks, marketplace lenders, payments companies, crypto and DeFi companies, and other fintech and financial services providers in connection with formation, licensing, sponsorship and program agreements, mergers and acquisitions, debt and equity financing transactions, joint ventures, and regulatory reporting and compliance.

Read more about James Stevens
Show more Show less
Photo of Jeremy Rosenblum Jeremy Rosenblum

Jeremy focuses his practice on federal and state lending and consumer practices laws, with emphasis on the interplay between federal and state laws, joint ventures between banks and nonbank financial services providers, the development and documentation of new financial services products (especially products…

Jeremy focuses his practice on federal and state lending and consumer practices laws, with emphasis on the interplay between federal and state laws, joint ventures between banks and nonbank financial services providers, the development and documentation of new financial services products (especially products designed to serve the needs of unbanked and under-banked consumers), bank overdraft practices and disclosures, geographic expansion initiatives, and compliance with federal and state consumer protection laws, including statutes prohibiting unfair, deceptive and abusive acts and practices (UDAAP); usury laws; the Truth in Lending Act (TILA); the Electronic Funds Transfer Act; E-SIGN; the Equal Credit Opportunity Act; and the Fair Credit Reporting Act (FCRA).

Read more about Jeremy Rosenblum
Show more Show less
Photo of James Kim James Kim

As a former senior enforcement attorney with the CFPB, James provides the industry knowledge and expertise that fintechs and financial institutions require when launching new products or facing regulatory scrutiny.

Read more about James KimJames's Linkedin Profile
Related Posts
Cybersecurity_1060950942
DOJ Seizes Over $112 Million in Funds Linked to Cryptocurrency Investment Schemes
April 6, 2023
Security Online Privacy Sized
Illinois Supreme Court Rules BIPA Claims Accrue With Each Scan
February 23, 2023
Cybersecurity_963458566
Public Comments on the CFPB's Proposed Section 1033 Data Access Rule
January 31, 2023