On March 5, 2020, the OCC issued a revised set of FAQs designed to supplement OCC Bulletin 2013-29 (Third-Party Relationships: Risk Management Guidance) issued on October 30, 2013. The updated FAQs, issued via OCC Bulletin 2020-10, are intended to clarify the OCC’s existing third-party relationship guidance and reflect evolving industry trends.
The new bulletin rescinds OCC Bulletin 2017-21 (Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29), which was issued on June 7, 2017. With the exception of one FAQ that was updated to reflect current American Institute of Certified Public Accountants Service Organization Control report information, the FAQs from OCC Bulletin 2017-21 have been incorporated without change into the new bulletin. For ease of reference, the FAQ numbers from the rescinded OCC Bulletin 2017-21 are noted in parentheses throughout the new bulletin, which distinguishes the carried-over FAQs from those addressing new topics.
The topics addressed by new FAQs include the following:
- Relationships with data aggregators that collect customer-permissioned data from banks. The OCC discusses third-party risk management expectations for such relationships and provides examples of different types of interactions that banks might have with data aggregators, including where aggregators engage in screen scraping activities. The OCC appears to place risk management responsibilities upon banks for such activities conducted by third-party data aggregators. A new FAQ states “[w]hile screen-scraping activities typically do not meet the definition of [a] business arrangement, banks should engage in appropriate risk management for this activity. Screen-scraping can pose operational and reputation risks. Banks should take steps to manage the safety and soundness of the sharing of customer-permissioned data with third parties.”
We note that typically no direct relationship exists between banks and data aggregators. Banks do not receive services from a data aggregator; instead, the relationship is between the data aggregator and the bank customer, in which the customer shares his or her online banking credentials with the aggregator and thereby permits it to log in as the customer and “scrape” information from the customer’s account. By placing risk management responsibilities upon banks for screen-scraping activities, however, the OCC’s guidance appears to contravene the CFPB’s expectations regarding Section 1033 of the Dodd-Frank Act concerning the banking industry’s responsibilities for consumer-permissioned data sharing with data aggregators. For example, Principle 5 (Security) of the Bureau’s Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 18, 2017) places obligations on “all parties that access, store, transmit or dispose of [consumer] data” to protect consumer data against security breaches. Principle 5 also implies that financial institutions should only transmit consumer data to third parties that themselves have secure protections and processes. The CFPB’s recent symposium on Consumer Access to Financial Records, held on February 26, 2020, could be a step towards the Bureau’s issuance of an advance notice of proposed rulemaking on data aggregation. If so, the CFPB could establish a different set of regulatory expectations for bank risk management practices vis-à-vis data aggregators and screen-scraping activities.
- Use of third-party assessment services. A new FAQ describes bank use of third-party assessment services (which are sometimes referred to as third-party utilities). Such services assist banks with third-party risk management, including due diligence and ongoing monitoring. The FAQ discusses the OCC’s expectations for how bank management should use the reports provided by such services.
- Handling third-party risk management when obtaining alternative data from a third party. For purposes of this new FAQ, “alternative data” is defined as “information not typically found in the consumer’s credit files at the nationwide consumer reporting agencies or customarily provided by consumers as part of applications for credit.” The FAQ discusses the OCC’s expectations for the steps bank management should take when contemplating a third-party relationship involving the use of alternative data. Those steps include “analyz[ing] relevant consumer protection laws and regulations to understand the opportunities, risks, and compliance requirements before using alternative data.”
- Risk management practices for third parties (such as start-ups and fintechs) with limited ability to provide due diligence-related information. A new FAQ discusses the type of due diligence and ongoing monitoring that banks should apply to third parties, such as fintechs, start-ups, and small businesses, that are limited in their ability to provide the same level of due diligence-related information as larger or more established third parties.
Other topics addressed in new FAQs include the following:
- Guidance on what is a “business arrangement” for purposes of when a bank has a “third-party relationship”
- Determining when cloud computing providers and data aggregators are in a third-party relationship with a bank and risk management expectations for such relationships
- Risk management practices when a bank has limited negotiating power in contractual arrangements
- Determining the risks associated with third-party relationships in critical bank activities
- Bank management’s responsibilities regarding risk assessment of a third party’s subcontractors
- Reliance on, and use of, third-party-provided reports, certificates of compliance, and independent audits
- Risk management strategies when using a third-party model or when using a third party to assist with model risk management
- Guidance on board of directors’ approval of third-party contracts involving critical activities