OCC Releases New Supplemental Examination Procedures Regarding Management of Third-Party Relationships
On January 24, 2017, the Office of the Comptroller of the Currency (OCC) issued its anticipated new examination procedures (Exam Procedures), which supplement the OCC’s third-party risk management guidance (Third-Party Guidance).[1] The issuance of the Exam Procedures is in keeping with the general trend of the banking regulators to update their third-party risk management guidance to address the rapidly evolving nature of banking partnerships, particularly those involving financial technology (FinTech) firms. Unlike the Federal Deposit Insurance Corporation (FDIC), which recently released proposed guidance for third-party lending in draft form and sought public comment,[2] the OCC issued its Exam Procedures in final form. Given the increasing robustness over time of the banking regulators’ third-party examination guidance, banks and their business partners, including service providers and significant FinTech clients, should carefully review this growing body of guidance and make appropriate adjustments to minimize their regulatory exposure.
The Exam Procedures are directly applicable to national banks, federal savings associations, and federal branches and agencies of foreign banks. Although they are not directly applicable to third-party banking partners, they nevertheless have a significant indirect impact on such banking partners as the Exam Procedures directly influence the policies and processes banks will maintain with respect to their banking partners.
Structurally, the Exam Procedures set forth for OCC bank examiners a series of examination objectives and questions to ask in connection with the examination process. Given their structure, the Exam Procedures implicitly provide a checklist of the key items banks and their partners may wish to focus on as they structure and manage their relationship. In particular, the Exam Procedures provide a series of items for examiner review concerning the contracts governing a banking partnership that are suggestive of the terms and conditions that the OCC will expect to be a part of such contracts. These terms and conditions are extensive and include, for example, various prescriptive provisions such as a bank’s right to audit a partner, limit subcontracting, terminate the contract without penalty under certain conditions, mandate disclosures in the event of a data breach, demand business resumption and disaster recovery plans, and demand maintenance of insurance. The Exam Procedures note, though, that examiners ought to calibrate their examination scope and “[s]eldom will every objective or step of the [Exam Procedures] be necessary.” It should also be stressed that while the Exam Procedures strongly imply a set of issues that are of central concern during the examination process, they are not a comprehensive set of issues with which banks and their partners should be concerned. Rather, as their name implies, they are supplemental.
Substantively, although the Exam Procedures do not expressly discuss regulatory concepts, they do provide a structure for an examination that is intended to evaluate the level of various kinds of risk to which a bank is exposed and the manner in which the bank manages those risks. The risks identified by the OCC are standard: operational, compliance, reputational, strategic, and credit; however, the context in which they may arise continues to develop as FinTech business models evolve. To manage these risks an OCC-regulated bank is expected to develop a structured set of policies and processes, with the policies requiring an evaluation of the bank’s position[3] and the generation of plans and the procedures implementing the policies over a five-phase life cycle: planning, due diligence and third-party selection, contract negotiation, monitoring, and termination/contingency planning. A bank’s choice of personnel is treated separately, as an activity guided by the kinds of choices just described, and is broken down into a discussion covering the responsibilities of the bank’s board and the responsibilities of management. A bank’s control systems also receive treatment separate from other functions, in particular the monitoring function, because monitoring relates to the supervision of the partner’s activities, whereas control relates to the supervision of the entire set of functions relating to the management of the risk of all aspects of a bank’s third-party relationships.
The Exam Procedures make specific reference to a bank’s relationship with marketplace lenders[4] and focus on a series of aspects of these relationships, including, for example, whether:
- marketplace lender partners originate, process, underwrite, close, fund, purchase, deliver or service any loans;
- “the bank [has] sufficient support systems, controls, and personnel to adequately support the volume of planned loan origination, servicing, or collections activities”;
- marketplace lenders working with the bank underwrite their loans using methods that “are new, nontraditional or different from the bank’s underwriting standards”;
- the loans made by marketplace lenders meet the bank’s underwriting standards;
- the bank can monitor the performance of such loans;
- loan volume can be maintained;
- the bank has the ability to monitor disclosure, origination, underwriting, closing, account management and collection;
- the bank is subject to any “recourse or participation arrangements” and has any remedies against the marketplace lender for breach; and
- the bank purchases instruments from the marketplace lender.
These items suggest that a bank that uses the services of a marketplace lender should not become over-reliant on the marketplace lender and outsource its core risk-management responsibilities but, rather, must to a great extent maintain its own lending-related systems. On the other hand, the Exam Procedures do not prescribe any specific level or type of capital on the part of the bank or the desirability of one type of third-party relationship over another.
The OCC’s release of its Exam Procedures is a reminder to banks and their partners that the OCC is focused on such partnerships. As new examination guidance often is a precursor to new examination issues, banks and their partners should review and proactively address issues that may arise in the course of a bank examination. In particular, banks and their partners should pay close attention to their contractual relationship and be prepared to rationalize such contract’s key terms and conditions in light of the Exam Procedures and other regulatory expectations.
[1] OCC, “Supplemental Examination Procedures for Risk Management of Third-Party Relationships,” Jan. 24, 2017. The Third-Party Guidance is set forth in the OCC’s Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” Oct. 30, 2013.
[2] See our discussion of the FDIC’s proposed guidance for third-party lending. See also Pratin Vallabhaneni, Observations on the FDIC’s Examination Guidance for Third-Party Lending, Harvard Law School Forum on Corporate Governance and Financial Regulation, Sept. 3, 2016.
[3] This part of the risk-control framework is described as involving an inventory of third-party relationships and a rough characterization of those relationships according to concentration (over-reliance on a particular provider), location (domestic or foreign), the use of subcontractors by third parties, exposure to financial market utilities, the involvement of marketplace lenders, legal risk posed by third parties or their products, reputational risks imposed by particular third parties, the fit of the products provided by third parties with the aims and capabilities of the bank, and credit risks posed by third parties.
[4] The Exam Procedures note that there is no single definition for “marketplace lender,” but note the general understanding that the term includes “companies engaged in Internet-based lending businesses (other than payday lending).”