Risk management principles for bank products, fintech charters touted

By Andrew A. Turner, J.D.

The Office of the Comptroller of the Currency has issued updated guidance (OCC Bulletin 2017-43) on how banks and thrifts should manage the risks that arise when they offer new, modified, or expanded financial products or services. Meanwhile, Acting Comptroller of the Currency Keith Noreika defended national bank charters for fintech companies in a speech discussing innovation and financial technology.

Risk management principles for banks. The guidance, which replaces a bulletin published in 2004, advises that new activities “should encourage fair access to financial services and fair treatment of consumers” and comply with applicable laws and regulations. It specifically considers strategic, reputation, credit, operational, compliance, and liquidity risk.

According to the OCC, technological advances like the expanded use of artificial intelligence and cloud data storage, along with evolving consumer preferences are “reshaping the financial services industry at an unprecedented rate and are creating new opportunities to provide consumers, businesses, and communities with more access to and options for products and services.” The bulletin outlines ways of conducting effective risk management to avoid strategic risk, reputation risk, credit risk, operational risk, compliance risk, and liquidity risk.

As part of ongoing supervision, OCC examiners review new activities consistent with the OCC’s risk-based supervision. The bulletin stated that examiners will consider new activities’ effect on banks’ risk profiles and the effectiveness of banks’ risk management systems, including due diligence and ongoing monitoring efforts. New activities should be developed and implemented consistently with sound risk management practices and should align with banks’ overall business plans and strategies.

The bulletin outlines ways of conducting effective risk management to avoid strategic risk, reputation risk, credit risk, operational risk, compliance risk, and liquidity risk.

1. Management should design an effective risk management system that identifies, measures, monitors, reports, and controls risks when developing and implementing new activities.
2. Management and the board should clearly understand the rationale for engaging in new activities and how proposed new activities meet the bank’s strategic objectives.
3. Management should conduct due diligence to fully understand the risks and benefits before implementing new activities.
4. Management should establish and implement policies and procedures that provide guidance on risk management of new activities.
5. Management should have effective change management processes to manage and control the implementation of new or modified operational processes, as well as the addition of new technologies into the bank’s existing technology architecture.
6. Management should have appropriate performance and monitoring systems to assess whether the activities meet operational and strategic expectations and legal requirements and are within the bank’s risk appetite.

Risk management of banks’ third-party relationships should include comprehensive oversight of those relationships, according to the bulletin. A third-party service provider’s inferior performance or service may result in loss of bank business, increased legal costs, and heightened risks in many areas, including credit, operational, compliance, strategic, and reputation.

Charters for financial technology companies. Providing assurance that a chartered fintech company would be engaged in at least one of the core activities of banking, Noreika called concerns over an inappropriate mixing of banking and commerce “exaggerated.” Speaking at Georgetown University’s Institute of International Economic Law’s Fintech Week, Noreika said that commercial companies should not be prohibited from applying for national bank charters if they meet the criteria.

Many fintech and online lending business models fit within the various categories of charters, including special purpose national banks, according to Noreika, as he observed interest in fintechs becoming full-service banks, trust banks, and credit cards banks. “Chartering innovative de novo institutions through these existing authorities enhances the federal banking system,” in his view.

The initiative to charter nondepository fintech companies remains a work in progress as Noreika noted that authority has been challenged in litigation brought by Conference of State Bank Supervisors and the New York Department of Financial Services.

 

Refuting assertions that the OCC is considering granting charters to nonfinancial companies as unwarranted fears, Noreika concluded with a call for “a constructive discussion of where commerce and banking coexist successfully today and where else it may make sense in the future.”

For more information about regulation of banking activities by the OCC, subscribe to the Banking and Finance Law Daily.