A path through?

The Office of the Comptroller of the Currency’s clarifying memo on third-party risk management brought some relief to community banks.

By Cheryl Winokur Munk

Community banks can now breathe a little easier about their vendor relationships thanks to clarity the Office of the Comptroller of the Currency has provided on issues related to third-party risk.

In June, the OCC published a series of 14 frequently asked questions that pertain to issues such as reducing oversight for lower-risk relationships, working with marketplace lenders and partnering with startup fintechs that have limited financial information.

The FAQs help banks flesh out information the OCC provided in guidance dating back to October 2013. Since this initial guidance came out, the OCC has continued to draw attention to third-party risk management in its Semiannual Risk Perspective publications, as well as in examination procedures published in January 2017.

“While the information isn’t necessarily new, it does highlight the hot-button areas—fintechs and marketplace lenders—and gives you ammunition against rogue field examiners pushing for a greater level of due diligence FFIEC guidance requires,” says Brad Smith, managing director of Cornerstone Advisors’ Technology Solutions practice.

One important area the FAQs address is how banks can reduce their oversight costs for lower-risk relationships. Until now, many community banks have been treating most vendors as equal and requiring the same level of documentation across the board, which means they have been spending way too much time on low-risk vendors, Smith explains.

While the OCC reiterated that it expects banks to perform due diligence and ongoing monitoring for all third-party relationships, the guidance states that the “level of due diligence and ongoing monitoring…may differ for, and should be specific to, each third-party relationship.”

In practice, this means that banks won’t have to expend as much time and energy on extremely low-risk vendors and can instead devote more resources to vendors that create the most exposure for the bank.

“The biggest issue for most banks with vendor management is resources,” Smith says. “This is a way to provide some collars around that.”

Focus on fintech
The relationship between banks and fintech providers is another major area covered by the FAQs. Banks, especially smaller ones, are increasingly seeking to partner with upstart technology companies to provide value-added services to customers.

Indeed, an overwhelming majority of regional and community banks are currently collaborating with fintechs, according to a report last year by the law and consulting firm Manatt, Phelps & Phillips LLP. What’s more, 86 percent of regional and community bank respondents said that working with fintechs is “absolutely essential” or “very important” to their institution’s success.

While many banks are working with fintech partners, the OCC’s 2013 guidance caused some confusion about appropriate risk management for these relationships. The FAQs provide greater clarity on these issues.

“The OCC does not discourage banks from partnering with fintech firms, but it’s a qualified nod in that banks must first do their due diligence,” says Tom Grundy, senior regulatory consultant for Wolters Kluwer’s U.S. Advisory Services group.

Working with startups with limited financial info
The FAQs clear up a long-standing misperception about the financial scrutiny banks must give to potential startup partners. Many potential partners are so new that there’s not much financial information on which a bank can base decisions about the company’s future prospects. Some banks mistook the OCC’s 2013 guidelines to mean they could only partner with third-party service providers that met their credit underwriting guidelines—which severely limited the pool of potential partners. However, the OCC clarified in its latest guidance that there is no such requirement, providing welcome relief to some bankers who may have turned away potential partners based on an erroneous interpretation of the 2013 guidelines.

The new guidance states, “[The] bank may consider a company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity and other factors that may affect the third party’s overall financial stability.”


Of course, a bank must still be careful to limit its potential exposure. Indeed, the guidance states further that banks looking to work with startups must have “appropriate contingency plans” in case the provider suffers a business interruption, fails or declares bankruptcy, for instance.

Industry observers say the OCC is attempting to strike the proper balance between encouraging innovation and protecting banks from potential trouble. “You hope that you place a bet that wins, but sometimes you don’t,” says Grundy. “The important thing to remember is when you go into business with a third party, you have to have a contingency plan in place in case that third party fails.”



A nod to marketplace lenders
Unlike in its earlier guidance, the OCC specifically called out marketplace lenders in the FAQs and gave examples of what banks should consider when entering a marketplace lending arrangement with nonbank entities. The area has grown considerably since Lending Club first teamed up with two small community banks in 2013. More community banks are starting to consider partnering with a marketplace lender.

“A bank’s board and management should understand the relationships among the bank, the marketplace lender and the borrowers; fully understand the legal, strategic, reputation, operational and other risks that these arrangements pose; and evaluate the marketplace lender’s practices for compliance with applicable laws and regulations,” the guidance states.

The guidance goes on to say that banks “should have the appropriate personnel, processes and systems so that they can effectively monitor and control the risks inherent within the marketplace lending relationship.” Risks include reputation, credit, concentrations, compliance, market, liquidity and operations.

It also clarifies for banks some areas of confusion regarding collaboration. The OCC affirmed that it’s okay to collaborate with other banks that use the same third-party service providers but noted that banks still bear individual responsibility for risk management. The guidance states that each “individual bank should have its own effective third-party risk management process tailored to each bank’s specific needs.”

Cheryl Winokur Munk is a writer in New Jersey.