The OCC, FDIC, and Federal Reserve Board have issued a guide that is intended to assist community banks in conducting due diligence when considering relationships with financial technology (fintech) companies (Guide).
The issuance of the Guide follows the agencies’ July 2021 release of proposed interagency guidance for banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The proposal sets forth principles for managing risk in each stage of a third-party relationship life cycle, including conducting due diligence. In the introduction to the Guide, the agencies indicate that the Guide draws from their existing guidance and is consistent with the proposed interagency guidance.
The agencies also note in the Guide’s introduction that, while the Guide is written from a community bank perspective, the fundamental concepts it discusses may be useful for banks of varying sizes and for other types of third-party relationships. Banks are directed to the agencies’ relevant existing guidance, which the Guide lists in a footnote.
In the Guide’s introduction, the agencies indicate that because the Guide does not anticipate all types of third-party relationships and risk, a community bank can tailor how it uses information in the Guide based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service or activity offered by the fintech company. They also advise community banks that the scope and depth of due diligence will depend on the risk to the bank from the nature and criticality of the prospective activity to be performed by the fintech company.
The Guide discusses a series of topics to be considered by a community bank when conducting due diligence on a fintech company and provides potential sources of information and illustrative examples for each topic. These topics consist of a fintech’s:
- Business experience, business strategies and plans, and the qualifications and backgrounds of directors and principals;
- Financial condition, including its competitive market environment and client base;
- Legal and regulatory compliance;
- Risk management policies, processes, and controls;
- Information security program and information systems; and
- Business continuity planning, incident response plan, and reliance on subcontractors.
The publication of the Guide is another indication of the increased attention regulators have lately been paying to third-party relationship risk management. Whether this increased attention and guidance will translate into a heavier emphasis on these topics in regulatory examinations remains to be seen.