OCC Bulletin 2021-40| August 27, 2021

Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) today published Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks. This guide supports responsible innovation within the federal banking system by providing community banks1 with information that may be relevant when conducting due diligence on financial technology companies.

Note for Community Banks

This guide is designed for community banks. Although the guide discusses community bank relationships with fintech companies, the content may be useful for banks of any size and for other types of third-party relationships.

Highlights

The guide

  • provides information relating to six common areas of due diligence discussed in existing supervisory guidance.
  • focuses on general considerations, potential sources of information, and illustrative examples that may be relevant as a community bank conducts due diligence on a financial technology company.
  • reiterates that the scope and depth of due diligence performed by a community bank depends on the risks posed by each third-party relationship and the nature and criticality of the prospective product, service, or activity (collectively, activity).

Background

Innovation and evolving customer preferences are significantly changing the financial services landscape, including the way financial products and services are delivered. As the banking industry becomes more complex and technologically driven, banks of all sizes are forming greater and deeper relationships with third parties to remain competitive, fulfill strategic goals and objectives, and help meet consumers' needs. Companies specializing in financial technologies (or fintech) may provide technical capabilities for banks to offer new or enhanced products and services, establish new delivery channels, improve bank processes, and remain competitive in a changing industry. These relationships can present an attractive alternative to a bank building a product, service, or activity in-house and are particularly relevant for community banks that may not have the requisite resources to otherwise reasonably consider developing or engaging in such activities on their own.

Community banks may approach relationships with fintech companies in a similar manner as they would any other third-party relationship. During due diligence, a community bank considers how the fintech company may assist the bank in meeting its strategic objectives and determines whether the relationship aligns with the bank's risk appetite.2 A community bank evaluates whether the proposed activity can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.3 To augment existing resources, leverage specialized expertise, and gain efficiencies, community banks might collaborate or engage external resources when evaluating a proposed relationship with a fintech company.4

The agencies recognize that fintech companies have varying operational histories and governance and, in some cases, may be unfamiliar with or unable to provide the information that a community bank typically expects to evaluate during due diligence. The lack of certain information may not necessarily lead to disqualifying a fintech company as a prospective third party. Rather, a community bank may be able to evaluate other types of available information or take alternative approaches to prudently assess and manage risks. To assist community banks, the agencies collaborated on this guide as a resource for evaluating potential relationships with fintech companies and tailoring due diligence processes accordingly.

This guide serves as a resource for bank management, apart from the OCC's supervisory guidance on third-party risk management.5 The guide does not anticipate all types of third-party relationships or risks and should not be viewed as all-inclusive. Use of the guide is voluntary, and the relevance of specific information within the guide depends on the nature and extent of a community bank's third-party relationships and related activities. There may be other topics, considerations, and sources of information that a community bank should consider, depending on the prospective relationship.

Further Information

Please contact Emily Doran, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, at (202) 649-6550.

 

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

Related Link

1 "Banks" refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.

2 In addition to the OCC's guidance on third-party risk management, refer to OCC Bulletin 2017-43, "New, Modified, or Expanded Bank Products and Services: Risk Management Principles."

3 Fintech companies employ varying business models across a wide spectrum of financial products and services. Specific legal and regulatory requirements will depend on the prospective activity and business arrangement.

4 For more information on collaboration and third-party assessment services, refer to OCC Bulletin 2020-10, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29"; and OCC News Release 2015-1, "Collaboration Can Facilitate Community Bank Competitiveness, OCC Says."

5 For more information, refer to OCC Bulletin 2013-29, "Third Party Relationships: Risk Management Guidance"; OCC Bulletin 2020-10; and OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance." The agencies recently published for comment proposed interagency guidance for third-party relationships. Refer to "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," 86 Fed. Reg. 38182 (July 19, 2021). This guide draws from the agencies' existing guidance and is consistent with the proposed interagency guidance.