Bank-fintech partnerships stand at the forefront of financial evolution, delivering unprecedented innovations driven by ever-evolving customer needs. But, as indicated by the recent unveiling of the OCC’s Interagency Guidance on Third-Party Relationships: Risk Management, the path to disruption has not come without challenges.

This new OCC Guidance firmly places the duty of compliance in the banks’ hands, with increased scrutiny on third-party vendors.

In an era of multiplying partnerships and unclear lines of responsibility, banks and fintechs must pay close attention to these guidelines — their adherence to them can truly make or break their businesses.

But to effectively plan for the future, we must first understand the past.

The Short History of Bank-Fintech Partnership Regulation

Years of unclear and inconsistent compliance regulations have created a complex environment for bank-fintech partnerships. Fuzzy responsibility boundaries, antiquated policies, and disparity in bank expectations have left financial institutions vulnerable to exploitation by malicious actors.

Banks, constrained by their limited technical capacity and piecemeal oversight of end-user activities, often need help with the challenges of comprehensive transaction monitoring. Existing solutions often require individual risk monitoring software for each fintech partner, imposing an unnecessary strain on bank resources and complicating an already convoluted process.

Additionally, recent economic turbulence and bank failures have triggered a surge of regulatory scrutiny, with federal banking agencies beginning to uncover previously undetected compliance gaps. The intensity of this inspection, combined with varying due diligence requirements across different banks, has put bank-fintech partnerships (especially those operating within multiple partnerships) in the crosshairs of enforcement action.

Compliance failures often trigger serious repercussions, from substantial penalties to potential criminal charges, particularly in key areas such as anti-money laundering (AML), sanctions screening, and customer complaint management.

It’s important to note that AML extends far beyond Know Your Customer (KYC) processes and onboarding initiatives, encompassing continuous monitoring for irregular activities, timely filing of Suspicious Activity Reports (SARs), and immediate action blocking dubious transactions. Errors in these crucial areas attract heavy fines, emphasizing the need for a holistic AML/Counter-Terrorist Financing (CTF) strategy.

OCC Guidance on Bank-Fintech Partnerships

The OCC guidance proposes a principles-based approach to third-party risk management in navigating bank-fintech partnerships. It underlines key elements for banks and their fintech partners to strengthen their oversight and compliance strategies.

That’s why we’ve distilled everything you need to know about the OCC’s Interagency Guidance on Third-Party Relationships.

Planning

Without proper planning, partnership failure (and potential litigation) are inevitable. Before initiating a third-party partnership, banks must:

• Align the strategic rationale of third-party partnerships with banks’ broader goals and objectives.
• Understand potential customer impact and evaluate banks’ oversight capabilities.

Due Diligence and Third-Party Selection

According to OCC Guidance, all banking organizations should assess the third party’s ability to deliver and comply with regulations by:

• Evaluating third parties’ financial condition, business experience, risk management, and information security.
• Aligning due diligence with the level of risk and complexity of each third-party relationship, emphasizing the need for comprehensive due diligence for higher-risk activities.

Contract Negotiation

Banks must clearly delineate each party’s rights and responsibilities during contract negotiations. This means:

• Including provisions about performance measures, information sharing, compliance, and security.
• Addressing non-public information disclosure and breach reporting.
• Reviewing contracts considering the nature of the arrangement, cost structures, performance benchmarks, requirements related to information storage, audit rights, confidentiality, subcontracting, and termination clauses.
• Requesting modifications or additional provisions to meet their needs and manage associated risks.

Consistent Oversight

The OCC guidance underlines the need for consistent monitoring throughout the relationship, enabling banks to verify the third party’s control quality and contractual obligations. All third-party relationships must:

• Engage in continuous monitoring, frequent performance reviews, meetings, and tests.
• Tailor these activities according to the risk level, relationship complexity, and activities the third party performs.

Termination

The OCC guidance identifies termination as the concluding stage of a third-party relationship lifecycle. This requires:

• Formulating a well-structured exit plan to manage the transition, data preservation, and risks related to customer impact.
• Considering effective service transition options, costs related to termination, handling joint intellectual property, and managing risks that arise from the termination for both the bank and its customers.

What Does It Mean?

The OCC guidance aids banks in tailoring and implementing risk management practices according to their size, complexity, risk profile, and nature of their third-party relationships.

Regular supervisory reviews will assess risks and the effectiveness of risk management, ensuring activities are conducted safely, soundly, and in compliance with laws and regulations.

Supervisory reviews will include a range of activities, including:

• Assessing the banking organization’s management’s ability to oversee and manage third-party relationships.
• Evaluating the impact of these relationships on the organization’s risk profile and operational performance.
• Conducting or reviewing transaction tests to gauge compliance with laws and regulations.
• Identifying and discussing any significant risks and deficiencies in the organization’s risk management process.
• Reviewing plans for sustainable remediation of deficiencies and considering supervisory findings when assigning components of the applicable rating system.

Unearthed violations or unsafe practices could lead to corrective measures, further emphasizing the importance of robust risk management in bank-fintech partnerships.

How Bank-Fintech Partnerships Should Navigate the OCC Guidance

With the ever-changing financial landscape, banks must do more than develop AML processes catering to present needs. They must build adaptable, efficient systems that respond quickly and intelligently to future changes.

But this data alone isn’t the answer. It’s about using it to easily build robust tools tailored to meet your specific compliance needs, exponentially scaling your team’s coverage while reducing the cost of risk management.

In painting a complete picture of risk across all products, such systems enhance operational efficiency and bolster an organization’s ability to adapt to new regulatory changes.

Discover how tools like Sandbar can simplify your AML processes and streamline compliance workflows by scheduling a demo here.