Banks, Third Parties & FinTechs -- The OCC Speaks
In the United States, the Office of the Comptroller of the Currency (OCC) is often viewed as providing the gold standard (in OCC Bulletin 2013-29) for how regulators evaluate third-party vendors for regulated financial institutions. For over a year, OCC officials have indicated they are working to update the guidance issued in 2013.
Yesterday, the OCC broke its silence regarding the guidance...by issuing a Frequently Asked Questions (FAQ) document. FAQs provide policymakers with a crafty way to update guidance without formally going through the full internal process required in order to issue an actual policy. FAQs provide insight into how a regulator will implement existing requirements without changing the underlying requirements themselves. Subtle shifts in implementation priorities and interpretation can also substantially alter the impact of a policy without changing the actual text. FAQs, when issued, can thus provide useful "forward guidance" concerning policy trajectories.
Summary: The new FAQs released yesterday indicate the OCC is making available to FinTech companies a "mini-sandbox" arrangement by relaxing a handful of key regulatory requirements. This places the OCC on a par with another U.S. financial regulator (the Commodity Futures Trading Commission) in providing a small opening for FinTech firms to expand their engagement in American financial markets. At the same time, the OCC is making clear that banks will have to bear the cost of these relaxations.
Clarity on Coverage + Flexibility = Mini--Sandbox
Clarity on Coverage: The OCC made clear yesterday that FinTech companies fall squarely within the regulatory scope of Bulletin 2013-29. The OCC is holding firm on the thresholds for determining whether or not a FinTech company is contributing to a "critical activity" under the rules.
FinTech companies hoping for sandbox-like exemptions from might be disappointed. The FAQs make clear they will be subject to the full scope of due diligence and extended compliance required under the OCC guidance, and that bank boards will bear full responsibility for verifying such compliance. Coordination regarding compliance and certification of shared vendors remains permissible (and, with respect to cybersecurity, actively encouraged using specified platforms), but banks will still be required to undertake analysis and risk management activities regarding their own use of such shared vendors.
Three specific types of FinTech activities were singled out for special attention: crowdfunding, mobile payments, and outreach to the underbanked/unbanked. In all three instances, the OCC FAQs make clear that the full scope of regulatory requirements extend to these sectors. They also imply that in some instances (crowdfunding) bank engagement in these activities can increase their regulatory capital requirements.
Online Lending/Crowdfunding: The FAQs expressly state that banks are responsible for ensuring that all online lending platforms in which the bank participates must "implement applicable consumer protection laws, regulations, and guidance." The FAQs also enumerate the ways in which participation on crowdfunding platforms can raise operational risks. This observation implies that bank regulatory capital requirements regarding operational risk could increase for those banks actively participating in crowdfunding platforms.
Mobile Payments: The FAQs express the view that mobile payments are equivalent to debit cards and, thus, will be subject to the same rules as third-party debit card issuers for banks.
Financial Inclusion: The OCC FAQ encourages banks to partner with FinTech firms in order to provide payments (but not credit) to the underserved/unbanked. Banks are permitted to link savings account with FinTech companies creating incentives for additional savings activities. But the guidance is silent on which company (bank or FinTech) owns which data sets related to this activity.
Flexibility: The FAQs indicate the OCC intends to be flexible on a range of technical but strategically significant implementation issues. These are:
Documentation: The OCC will permit FinTech firms to become third party vendors to banks using less information than the Guidance currently requires. It is permitting unspecified "alternative ways" for banks to analyze alternative information from FinTech comanies. In addition, it is permitting banks to engage with such FinTechs....but only if the banks incorporate redundant systems in order to ensure they are "prepared to address interruptions in delivery." The FAQs requires bank management to certify that a FinTech company providing less-than-complete regulatory-required information is nonetheless "the best service providers available to the bank."
Financial Support: The FAQs make clear that the OCC neither requires nor expects third parties to meet a bank's lending criteria. This is a significant clarification because many FinTech contracts can constitute the functional equivalent of credit for small start-ups. The FAQs make clear that the OCC will not construe such contracts as credit, thus doubling the flexibility regarding required documentation for third-party vendor qualification. This may also generate increased willingness by banks to enter into significant contracts with third party Fintech firms, funneling needed financial support to these firms through market mechanisms.
Access to Information: At present, certain third party "technology service providers" (TSPs) are subject to direct oversight by federal regulators as a condition of contributing services to regulated financial institutions. Banks with a contractual relationship with such TSPs can request copies of the supervisory reports. The FAQs indicate the OCC intends to be "proactive" in distributing the supervisory reports to banks with contractual relationships with TSPs. The FAQs provide two channels for reducing informational asymmetries for banks considering new contractual relationships with TSPs. First, the OCC is encouraging existing banks to share information (but not the confidential information in the reports) with other banks considering entering into contractual relationships with specific TSPs. Second, the OCC specifically recommends that banks rely on AICPA (American Institute of Certified Public Accountants) Attestation No. 18 to assess whether the TSP or any other third party has in place adequate controls with respect to subcontractors.
These relaxations constitute a concrete (but small) move in the direction of establishing a mini-sandbox in the United States. The actual regulatory relaxations may be small, but unlike other sandboxes around the world they are not time-limited. FinTech firms in the United States will have to generate value and compelling use cases while incorporating regulatory compliance directly into their business plans from the beginning.
Yesterday's FAQs indicate Fitch companies serving regulated banks will find it easier to qualify as an authorized third party provider (compared with non-fintech third parties) if banks are willing to absorb additional costs and regulatory risks associated with the relationship. This implies that the economic gains associated with using more efficient technology-intensive processes and/or alternative data sets will have to be significant in order to justify the additional business costs at banks. Qualifying firms will find their ability to achieve scale quickly will accelerate since banks now have clarity that large contracts to small FinTech firms (and other third party vendors) will not be classified as credit and subject to the credit approval process.
The United States now has two regulators moving incrementally to create a more Fintech-friendly regulatory environment. If they are competing with their counterparts internationally (a topic we have been exploring separately HERE and HERE and HERE), they are choosing to compete on a very different playing field.
The FinTech RegTrends Blog is published by BCM International Regulatory Analytics LLC. A weekly report quantifying cross-border regulatory policy trends in the sector and anticipating outcomes, using proprietary and patented quantification mechanisms,is available to subscribers HERE.