On September 7, Acting Comptroller of the Currency Michael Hsu discussed the long-term threats to trust in banking in remarks at the TCH + BPI Annual Conference. Hsu provided updates on key priorities at the OCC, including the impact of “fintechs and big techs” and their digitalization of banking through the advancement of crypto (we discussed Hsu’s previous remarks on crypto here and here). Hsu highlighted the OCC’s “careful and cautious” approach to crypto. In doing so, he referred to Interpretive Letter 1179, which clarifies that national banks and federal savings associations should not engage in certain crypto activities unless they are able to “demonstrate, to the satisfaction of its supervisory office, that [they have] controls in place to conduct the activity in a safe and sound manner” (we discussed Letter 1179 in a previous blog post here). Hsu noted that the federally regulated banking system has been largely unaffected by the collapse of several crypto platforms, at least in part because of the OCC’s careful and cautious approach.
Hsu also discussed the growth of the FinTech industry, of banking-as-a-service (BaaS), and of big tech forays into payments and lending, which is changing banking and its risk profile. Hsu remarked that the rapid growth of bank-FinTech partnerships is increasing the complexity and de-integration of banking services such as online and mobile payments, lending, and deposit-taking activities (we discussed Hsu’s similar concerns in a previous blog post here). Hsu pointed to significant safety and soundness implications of this digitalization transition, including supervisory concerns raised in bank technology examinations, stating that a majority of those concerns are related to “fundamental elements of risk management, e.g. board oversight, governance, and internal controls” and that common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience.
Putting It Into Practice: The OCC continues to scrutinize banks and FinTechs and expects regulated banks to be accountable for any consumer harm that results from poor risk management and controls. Indeed, a Virginia-based community bank disclosed in a recent public filing and agreement with the OCC that the agency found unsafe or unsound practices related to, among other things, the bank’s third-party risk management and BSA/AML risk management. As part of the bank’s agreement with the OCC, it pledged to obtain a nonobjection from the agency prior to onboarding new FinTech partners. The bank also agreed to implement and adhere to a written program to assess and manage the risks posed by its FinTech partnerships. In light of this recent action, community banks that partner, or are looking to partner, with FinTechs should review these recent filings, as well as guidance from the Federal Reserve, FDIC, and OCC on the types of due diligence community banks should engage in when contemplating arrangements with FinTechs (we discussed this guidance in a previous blog post here).