Since the beginning of Michael Hsu’s tenure as Acting Comptroller of the Currency, bank/fintech partnerships have been a focus of OCC concern.  Although bank lending partnerships with fintechs continue to receive OCC attention, recent remarks by OCC officials indicate that OCC scrutiny is now also directed at partnerships outside of the lending arena.

In remarks yesterday to The Clearing House and Bank Policy Institute Annual Conference, Acting Comptroller Hsu discussed the growth “of banking-as-a-service (BaaS),” meaning arrangements in which a nonbank offers banking services to its customers as a way of adding value to its products and services.  He observed that “[d]igitalization has put a premium on online and mobile engagement, customer acquisitions, customization, big data, fraud detection, artificial intelligence, machine learning, and cloud management” and that “these activities require expertise and economies of scale that most banks do not have.”  Noting that BaaS is not an issue limited to large banks, he commented that banks and fintechs, “in an effort to provide a ‘seamless’ customer experience, are teaming up in ways that make it more difficult for customers, and regulators, and the industry to distinguish between where the bank stops and the tech firm starts.”

Mr. Hsu expressed significant concern about the safety and soundness implications of these developments.  He discussed the supervisory concerns raised in bank technology examinations, stating that a majority are related to “fundamental elements of risk management, e.g. board oversight, governance, and internal controls” and that common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience.”  Mr. Hsu also raised concerns about unknown risks or “nasty surprises” arising out of bank-fintech arrangements.  He indicated that to mitigate this risk, the OCC is currently working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes.  This approach is expected to enable a clearer focus by the OCC on risks and risk management expectations.

According to a Law360 report, another OCC official who spoke at the Annual Conference also expressed concerns about bank/fintech partnerships. Kevin Greenfield, OCC Deputy Comptroller for Operational Risk, is reported to have warned banks that they can be liable for customer harm arising out of fintech partnerships, such as violations of consumer protection laws and unfair and deceptive practices.  He advised banks to closely monitor risk and compliance in these partnerships.  With regard to lending partnerships, Mr. Greenfield is quoted as having stated that a bank’s responsibility for compliance with consumer protection laws “doesn’t go away if [customers] click on a fintech app or if they walk into the bank branch to get that loan” and that “[i]f it’s [the bank’s] charter that’s providing that loan, [the bank needs to] understand what the risks are and how that’s operating, because, ultimately, it’s going to get traced back to [the bank] that provided the credit.”

We find it noteworthy that neither Mr. Hsu or Mr. Greenfield mentioned concerns about a bank using its charter to avoid state interest rate limits applicable to a nonbank partner.