Bank Provider of BaaS Dinged By OCC; Plan for Fintech partnership? – Fine Tech

A recent action by the Office of the Comptroller of the Currency (OCC) highlights how banks need to ensure they have robust compliance programs to manage risks associated with banking-as-a-service (BaaS) partnerships with third-party fintechs.

On August 29, 2022, the OCC entered into an agreement with Blue Ridge Bank, NA (Blue Ridge Bank), a Virginia-based community bank, requiring Blue Ridge Bank to make serious reforms to its compliance practices (the Agreement). The existence of this agreement was disclosed to the public through a Securities and Exchange Commission (SEC) Form 8-K filed by Blue Ridge Bank’s holding company. The settlement is a result of the OCC finding that Blue Ridge Bank had engaged in unsafe or unsound practices.

In the settlement, the OCC identified Blue Ridge Bank’s practices related to board responsibility and involvement, third-party risk management, Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) risk management, suspicious activity reporting, and information technology (IT) control and risk management as sources of concern. The OCC did not provide further details about the issues it raised with Blue Ridge Bank’s compliance practices, but the terms of the settlement make clear that the OCC did not approve of how Blue Ridge Bank operated its BaaS partnerships with non-bank fintech companies. As a result, Blue Ridge Bank must now implement extensive changes to the bank’s fintech policies, procedures and operations in these areas to bring them into compliance with OCC directives.

Background

The BaaS business model allows a bank to offer its range of products and services to a broad base of consumers and small businesses by leveraging a fintech’s internet-based capabilities and marketing expertise. Entering into BaaS partnerships with fintechs can be very profitable for banks, but these partnerships require both the bank and the fintech partner to comply with the bank’s compliance obligations.

The BaaS business model has come under scrutiny by regulators in recent years as they seek to understand the complex nature of some of these new and evolving arrangements. In his remarks to The Clearing House and Bank Policy Institute’s (TCH + BPI) 2022 Annual Conference, Acting Comptroller of the Currency Michael J. Hsu discussed how the OCC plans to continue studying bank-fintech partnerships to identify how the digitization of banking services has affected the banking landscape from a regulatory perspective. In this context, Mr. Hsu compared certain bank-fintech arrangements to the complex array of relationships involved in the 2008 financial crisis, analogizing the disruption caused by the rise of BaaS programs to that caused by the globalization of manufacturing in the 1980s and the disintermediation of credit and liquidity risk in the banking system in the 1990s and 2000s.

With respect to Blue Ridge Bank, it has been reported that the bank’s partnerships with fintechs make up a significant part of its business. It is not clear why the OCC took an interest in Blue Ridge Bank among the many other community and specialty banks that have embraced BaaS. While some speculate that Blue Ridge Bank got on the OCC’s radar because of its BaaS business model, others speculate that the agreement is a result of the OCC addressing regulatory concerns it identified while reviewing the bank during an attempted merger between Blue Ridge Bank and FVCBankcorp, Inc. in 2021. This merger was canceled in January 2022.

What remains clear, however, is that the OCC is becoming increasingly skeptical about whether any banks are sufficiently aware of the risks posed by their fintech relationships, let alone whether the banks are adequately monitoring for and responding to those risks. Risks to the safety and soundness of the banks remain the focus of the OCC’s attention, but reducing the risk to consumers using services provided through BaaS programs is also an important priority.

OCC Terms and Conditions

The agreement requires Blue Ridge Bank to implement a major overhaul of its compliance programs. The OCC has required the bank to improve (i) the board’s involvement in the bank’s compliance work; (ii) its third-party risk management compliance program; (iii) its BSA/AML monitoring and compliance program; (iv) its customer identification programs; (v) its suspicious activity monitoring and reporting (SAR) program; and (vi) its IT control programs. In addition, the bank must also improve the board members’ accountability for the bank’s compliance with applicable laws and regulations, and increase transparency between the board members and the compliance departments.

Under the agreement, Blue Ridge Bank is required to address the deficiencies identified by the OCC in these areas by:

  1. Reform its policies, procedures and practices to include the board in certain aspects of the decision-making processes within Blue Ridge Bank’s compliance programs, including by creating a board committee that oversees Blue Ridge Bank’s compliance efforts and provides quarterly reports to the board as a whole on the bank’s efforts to comply with the agreement, and by requiring board approval of new fintech collaborations before Blue Ridge Bank can enter into them;

  2. Develop and adhere to a comprehensive third-party risk management program to monitor and respond to risks posed by the Bank’s fintech relationships;

  3. Improve its BSA/AML compliance programs, which must now include (a) an effective BSA program that assesses the bank’s BSA/AML compliance risk “across all products, services, customers, entities and geographies, including all activities delivered by or through [the b]ank’s third-party fintech partnerships,” (b) a BSA audit program that addresses the BSA/AML risks posed by its fintech partnerships, and (c) a plan to adequately staff Blue Ridge Bank’s BSA compliance department with competent, appropriately trained staff;

  4. Improve its policies, procedures and processes for the collection and maintenance of customer due diligence (CDD) information, enhanced due diligence (EDD) information and beneficial ownership information to include specific requirements for Blue Ridge Bank’s fintech partners;

  5. Develop policies, procedures and processes to improve the bank’s SAR filing and monitoring across all Blue Ridge Bank business lines, but most importantly those involving fintech partnerships, and conduct regular reviews of this program; and

  6. Develop an IT control program that addresses data storage, processing and security risks associated with the fintech partnerships, which must include an adequate business continuity plan.

However, the most important requirement placed on Blue Ridge Bank is one that limits Blue Ridge Bank’s ability to expand its BaaS partner programs going forward. Under the agreement, Blue Ridge Bank must obtain a “no supervisory objection” from the OCC before onboarding a new fintech partner, or before offering new products or services or conducting new activities with or through existing third-party fintech relationship partners. Seeking the OCC’s no-objection requires the bank to submit a complete due diligence package for the OCC to review, which must include, at a minimum, supporting documentation, a copy of any proposed contract, and minutes of any management or board committee meeting approving the relationship.

A blueprint for a third-party risk management compliance program

The agreement provides a blueprint for how banks should think about their BaaS partnership programs, and the expectations that partners should be prepared to meet. As we have written in previous articles, a successful BaaS partnership requires the bank and fintech to work together to design and implement banking, lending and payment services that comply with current legal and regulatory requirements. The recent OCC action against Blue Ridge Bank underscores the need to balance innovation with prudent compliance and risk management.

Generally, the OCC expects a bank that provides services through third parties (i.e., fintechs) to have third-party risk management and oversight processes “commensurate with the level of risk and complexity of their third-party relationships.” OCC Bulletin 2013-29; OCC Bulletin 2020-10; OCC Bulletin 2021-40. The terms of the agreement provide insight into how the OCC wants to see its guidance on managing fintech partnership risks translated into banks’ compliance practices.

According to the agreement, banks should assess whether their existing third-party risk management compliance programs adequately address the following areas:

  • Written guidelines and procedures governing how the Bank operates its BaaS programs, which shall address, at a minimum, how the Bank will (a) identify the risk its third-party partners pose to the Bank’s compliance and safe and sound banking obligations, (b) assess and monitor third parties, (c) ensure that the third-party risk management and oversight program is sufficiently comprehensive and adequately funded, and (d) select and seek board approval of new fintech partners;

  • A BSA risk assessment for each of the bank’s fintech partners;

  • Robust due diligence and risk assessment criteria to identify whether a given fintech is a suitable partner for a given BaaS program;

  • A compliance monitoring program to evaluate and monitor each fintech partner’s and BaaS program’s compliance with applicable laws and regulations, which should include both internal and third-party monitoring capabilities and a reporting process that facilitates board and management monitoring and accountability;

  • A process to address or, if necessary, terminate a relationship with a fintech partner that puts the bank at risk of violating applicable laws and regulations;

  • Audit plans to have a qualified third-party auditor conduct independent reviews and assessments of the Bank’s compliance programs, the financial reports illustrating the transactions processed through its BaaS programs, and the operational risk associated with the Bank’s fintech partnerships;

  • A plan to ensure that the bank’s compliance program is adequately staffed by experienced and qualified staff; and

  • Annual testing of the bank’s third-party risk management program for compliance with its guidelines, procedures and processes, together with procedures for implementing any recommendations for improvement that may come from such testing.

While the OCC’s “blueprint” for ensuring that fintech partners adhere to a bank’s compliance requirements is thorough, it unfortunately does not provide the underlying factual background to the agreement. Nevertheless, the agreement gives other banks with extensive fintech partnerships the opportunity to avoid a similar situation by reviewing their own policies, procedures and processes against this list before a regulator does it for them.

The content of this article is intended to provide a general guide to the subject. You should seek specialist advice about your specific circumstances.
