The rapid advancement of technology, combined with shifting member demands, has led credit unions to pursue fintech partnerships to add products and platforms and to streamline operations. While it has always been important to evaluate the risks and benefits of these partnerships and understand the unique due diligence required, it has become even more critical as regulatory agencies make bigger commitments to monitor these relationships, especially when it comes to managing risk.
Federal banking regulators issued guidance last year to help financial institutions gauge potential fintech relationships such as Banking-as-a-Service (BaaS), digital assets, and Buy Now, Pay Later (BNPL). While it doesn’t directly apply to credit unions, there is value in these types of communications.
The same logic applies to a written agreement recently reached between the Office of the Comptroller of the Currency and a Virginia bank that includes instructions for improving the pursuit and monitoring of fintech relationships. The regulatory order can serve as a roadmap for how financial institutions should handle fintech partnerships moving forward.
The agreement also makes it clear that regulators other than the Consumer Financial Protection Bureau are stepping up reviews and remedies for fintech partnerships. Growth initiatives, including M&A, could be impacted if you are not vigilant in monitoring third-party relationships.
To comply with the OCC agreement, the FI must:
- Create a compliance committee and adopt, implement, and follow a written program to assess and manage risks posed by third-party fintech relationships.
- Obtain OCC non-objection before onboarding or signing a contract with a fintech partner. Non-objection is required before the bank can offer new products or services or conduct new activities through existing fintech partners.
- Adopt a written Bank Secrecy Act (BSA) risk assessment program and adopt a revised BSA audit program that includes an “expanded scope and risk-based review” of activities conducted through fintech partners.
- Ensure that its BSA department is “appropriately staffed” with personnel who have the requisite expertise, training, skills, and authority.
- Adopt, implement, and follow revised and expanded risk-based policies, procedures, and processes – including specific requirements for its fintech businesses – to vet members on an ongoing basis and monitor suspicious activity.
- Develop, implement, and follow an enhanced written risk-based program that emphasizes the “timely identification, analysis, and suspicious activity monitoring and reporting” for all lines of business.
- Give the OCC an action plan and a written report of its suspicious activity monitoring, including high-risk customer activity involving third-party fintech partners.
Acting Comptroller of the Currency Michael Hsu said during a recent speech that the OCC has identified at least 10 agency-regulated FIs that have BaaS partnerships with nearly 50 fintechs. Most of those FIs have less than $10 billion of assets.
Hsu suggested that FIs pose a series of questions as they align with fintechs, covering areas such as responsibility for shortcomings, restoring confidence after a misstep, and what happens when a fintech fails.
Financial institutions would be wise to proactively incorporate elements of the OCC’s agreement into their strategic plans. These policies and procedures could help credit unions avoid future pitfalls as they explore fintech partnerships.