OCC Order Serves as Blueprint for Banks, Credit Unions Working with Fintech

Banks and credit unions have a new roadmap for handling fintech partnerships.

The Office of the Comptroller of the Currency (OCC) just issued a written agreement to Blue Ridge Bankshares instructing the Charlottesville, Va., company to improve how it pursues and monitors fintech relationships.

The agreement comes months after the OCC raised issues with Blue Ridge’s ($2.8 billion-asset) proposed merger with FVCBankcorp (the deal was ultimately terminated). While the specific issue was never disclosed, there was speculation it had to do with Blue Ridge’s fintech dealings.

The OCC’s agreement, I believe, is a must-read for any bank or credit union that works with fintechs or plans to do so soon. This includes Banking-as-a-Service (BaaS); digital assets; and Buy Now, Pay Later (BNPL); among other things.

The OCC has finally gone beyond the guidance that federal banking regulators provided last year to help banks gauge their fintech partnerships.

It also makes it clear that regulators other than the Consumer Financial Protection Bureau are stepping up reviews and remedies for fintech partnerships. Growth initiatives, including M&A, could be impacted if you are not vigilant in monitoring your third-party relationships.

To comply with the agreement, Blue Ridge must:

• Create a compliance committee and adopt, implement, and follow a written program to assess and manage risks posed by third-party fintech relationships
• Obtain OCC non-objection before onboarding or signing a contract with a third-party fintech partner. Non-objection is also required before Blue Ridge offers new products or services or conducts new activities through existing fintech partners.
• Adopt a written Bank Secrecy Act (BSA) risk assessment program and adopt a revised BSA audit program that includes an “expanded scope and risk-based review” of activities conducted through fintech partners
• Ensure that its BSA department is “appropriately staffed” with personnel that have the requisite expertise, training, skills, and authority
• Adopt, implement, and follow revised and expanded risk-based policies, procedures, and processes – including specific requirements for its fintech businesses – to vet customers on an ongoing basis and monitor suspicious activity
• Develop, implement, and follow an enhanced written risk-based program that emphasizes the “timely identification, analysis, and suspicious activity monitoring and reporting” for all lines of business
• Give the OCC an action plan and a written report of its suspicious activity monitoring, including high-risk customer activity involving third-party fintech partners

Acting Comptroller of the Currency, Michael Hsu, said during a recent speech that the OCC has identified at least 10 agency-regulated banks that have Banking-as-a-Service partnerships with nearly 50 fintechs. Most of those banks have less than $10 billion of assets.

Hsu suggested that banks posit a series of questions as they align with fintechs, covering areas such as responsibility for shortcomings, restoring confidence after a misstep, and what happens when a fintech fails.

These are all good things to remember as you explore fintech partnerships.

The Bottom Line

Blue Ridge said in a regulatory filing that it is cooperating to bring its fintech policies, procedures, and operations into conformity with OCC directives.

Other financial institutions would be wise to proactively incorporate elements of the OCC’s agreement into their strategic plans. These policies and procedures could help banks and credit unions avoid the same pitfalls that Blue Ridge experienced from its nixed merger.

SRM will continue to monitor this situation, including future agreements that regulators strike with financial institutions. We will keep you posted as this situation develops.