On September 6, Acting Comptroller of the Currency Michael Hsu warned that fintech and big tech partnerships and their forays into payments and lending could lead to increased risk for the banking industry. “My sense is that we are still in the early stages of a significant shift in how banking services will be offered in the future.” A copy of his remarks, made on Clearing House Association and Bank Policy Institute Annual Conferencecan be found here.
Hsu said the Office of the Comptroller of the Currency (OCC) sees a transition in banking today analogous to the globalization of manufacturing in the 1980s. “Digitalization has placed a premium on online and mobile engagement, customer acquisition, customization, big data, fraud detection, artificial intelligence, machine learning and cloud management. These activities require expertise and economies of scale that most banks do not have. Fintechs and big techs have entered, start with payments, but expanding far beyond that. The result is an increasingly disintegrated stack of banking services, with technology companies competing across many layers.”
Hsu acknowledged that by working together, banks can gain technological innovations at a lower cost, while fintechs gain access to long-standing customer bases and the reputation of their banking partners. However, Hsu warned that the benefits of these partnerships could be lost if the bank lacks an effective risk management framework, stating that banking information technology “concerns in the national banking system are elevated. They currently account for 25 percent of all cited supervisory concerns. A majority relate to basic elements of risk management, e.g. board supervision, management and internal control. Common issues involve inadequate information security controls, change management issues, especially with new products and services, and IT operational robustness.” Even more concerning for the OCC are the unknown risks that will emerge from this digital transition.
Emphasizing that the OCC is committed to avoiding a repeat of the 2008 financial crisis, Hsu assured conference participants that “[a]At the OCC, we are currently working on a process to divide bank fintech schemes into cohorts with similar security and solvency risk profiles and attributes. This will enable a clearer focus on risk and expectations for risk management.” Hsu referred to the OCC’s recently released five-year strategic plan recognizing and addressing the increasing digitization of the banking industry.
A recent OCC enforcement action makes clear that oversight of bank-fintech partnerships indicates an area the OCC plans to focus on. Just last month, the OCC reached a formal written agreement with a community bank in Virginia to step up monitoring of its fintech partnerships following allegations of attempted money laundering by one of those partners.
Under the terms of the agreement, the Virginia bank is required to, among other things:
- Adopt, implement and follow a written program to effectively assess and manage the risks posed by the Bank’s third-party fintech relationships;
- Obtain an OCC non-objection before onboarding or signing a contract with a new third-party fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech partners;
- Adopt a revised independent bank secrecy audit program that includes an expanded scope and risk-based review of activities conducted through the bank’s third-party fintech partners;
- Develop, implement and adhere to an enhanced written risk-based program to ensure timely identification, analysis and suspicious activity monitoring and reporting for all lines of business, including activities provided by and through the bank’s third-party fintech relationship accounts and sub-accounts.
The supervisory requirements imposed on the Virginia bank are consistent with remarks Comptroller Hsu made in another recent speech to the Texas Bankers Association – a copy of those remarks can be found here. The OCC expects banks to perform due diligence on their fintech partners, especially those firms with limited history. And if the recent enforcement in Virginia is a reliable indicator, it will be the banks that will be held accountable for not anticipating and preparing for the risks of associating with fintech partners.