On September 7, Acting Comptroller of the Currency Michael Hsu discussed the long-term threats to confidence in banking in remarks at the TCH + BPI Annual Conference. Hsu provided updates on key priorities at the OCC, including the impact of “fintechs and big techs” over their digitization of banking services through the promotion of crypto (we discussed Hsu’s previous comments on crypto here and here). Hsu highlighted the OCC’s position on a “cautious and prudent” approach to crypto. In doing so, he referenced Interpretive Letter 1179, which clarifies that national banks and federal savings associations should not engage in certain crypto activities unless they are able to “demonstrate, to the satisfaction of its supervisory office, that [they have] controls in place to carry out the activity in a safe and sound manner” (we discussed letter 1179 in a previous blog post here). Hsu noted that the federally regulated banking system has been largely unaffected by the collapse of several crypto platforms due, at least in part, to the OCC’s cautious approach.
Hsu also discussed the growth of the FinTech industry, of banking-as-a-service (BaaS), and of major technological attacks on payments and lending, which are changing banking and its risk profile. Hsu noted that the rapid growth of bank-FinTech partnerships is increasing the complexity and disintegration of banking services such as online and mobile payments, lending and deposit activities (we discussed Hsu’s similar concerns in a previous blog post here). Hsu pointed to significant security and soundness implications of this digitization transition, including supervisory concerns raised in banking technology surveys, stating that a majority relate to “fundamental elements of risk management, such as board oversight, governance and internal control” and that common issues involve inadequate information security controls, change management issues, especially with new products and services, and IT operational resilience.
Putting it into practice: The OCC continues to scrutinize banks and FinTechs and expects regulated banks to be held accountable for consumer harm resulting from poor risk management and controls. In fact, a Virginia-based community bank disclosed in a recent public filing and settlement with the OCC that the agency found unsafe or unsound practices related to, among other things, the bank’s third-party risk management and BSA/AML risk management. As part of the bank’s agreement with the OCC, it promised to obtain a non-objection from the agency before introducing new FinTech partners. The bank also agreed to implement and follow a written program to assess and manage the risks posed by the FinTech partnerships. In light of this recent action, community banks that work, or want to work, with FinTechs should review these recent filings, as well as guidance from the Federal Reserve, FDIC, and OCC on the types of due diligence community banks should engage in when considering arrangements with FinTechs (we discussed this guidance in a previous blog post here).