Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve oversight and governance of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology controls and risk management. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee consisting mainly of members from outside the bank; the committee must meet at least quarterly and provide progress reports outlining the results and status of the required corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks related to third-party fintech partnerships and address how the bank “identifies and assesses the inherent risk of the products, services and activities carried out by third-party parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” In addition, the bank must establish criteria for the board’s review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risks associated with money laundering, terrorist financing and sanctions risks as well as third-party processes to mitigate such risks and comply with applicable laws and regulations.” The agreement also requires due diligence, monitoring and contingency plan measures.
The agreement further stipulates that the bank’s board and management must (i) set up written guidelines for BSA risk assessment within 90 days; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence and beneficial ownership information, including for fintech companies; (iv) develop and adhere to a set of standards to ensure timely monitoring and reporting of suspicious activity; and (v) establish a program to assess and manage the bank’s information technology activities, including those performed by third-party partners. The bank must also carry out a review of suspicious activity within 30 days.