The term fintech is a broad definition, and I’ve heard that some firms offering software to process a data point for a financial institution, also define themselves as "fintech". In some of these cases, you can usually agree to disagree, but the consensus is that fintech is really defined as a firm who processes, offers or lends capital in an alternative manner from the typical bank, credit union or non-depository lender.
The OCC’s proposed fintech charter remains just that - a proposal. The turf war between state regulators and the OCC continues since the former argue that the OCC does not have the jurisdiction to offer such a charter and that it would allow a fintech company to bypass state licensing requirements. State regulators argue convincingly that they are much more in tune with consumer protection laws as they aim to serve their constituents. It does make for a very compelling argument.
The 4 Areas of Third Party Risk Likely to Be Affected By the New OCC Fintech Charter
There’s no question that any form of financial transaction deserves a level of regulation, and for the fintech firms who would apply for the special charter, those regulations should also apply. It’s important for them to realize that there will be some guaranteed costs involved in acquiring and maintaining such a charter.
Here are some areas of third party risk likely to be affected:
- Financial Health - Obtaining the charter would allow the fintech company to operate more closely as a bank operation. It’s too early to tell about the usury requirements, but it would make sense from a risk management perspective that the financial health of a fintech would be deeply scrutinized.
- Operational Analysis - Many of the consumer protection laws automatically come into play and there would be a certain degree of attention on the fintech’s ability to develop, manage and execute on a robust compliance management system. This one area alone increases the burden of identifying the right expertise to lead such a program and the deep knowledge of items such as Anti-Money Laundering, Bank Secrecy Act and the ability to perform Suspicious Activity Reports...collectively known as AML, BSA and SAR.
- Regulatory Compliance - The list of regulatory compliance requirements goes on but under the charter, the OCC is likely to require additional areas of oversight to include third party risk management. The guidance is necessary in the fact that the reliance of third party vendors for most financial services is rarely performed within the single entity and, based on experience, many vendors use third or fourth party vendors.
Maturity levels found within traditional financial services are on the incline, and that's a positive for the industry as a whole. However, in the fintech and vendor space, maturity levels are identified as needing some investment into the fundamentals of third party risk management. This has been reiterated with fellow industry professionals and is validated by our own assessment in regulatory compliance and operational analysis reviews that we perform on vendors.
Ironically, some of these vendor services aren’t new entities to the financial services industry, yet the maturity levels of these programs could still use some attention. Simply put, if your fintech organization is using third or fourth parties, you should have a third party risk program in place. Even without an official regulator, the chances are that other partners will require evidence of how you manage this risk verticals.
- Company Policy and Procedures - The challenge for fintech to gain any charter regardless if it is issued by the state, the OCC or other government agency is the ability to demonstrate that their robust policy, procedures and internal infrastructures are in place to protect the consumer.
A great example of this is the recent $70 million fine levied by the OCC against Citi for failure to operate a compliant AML/BSA program. If a giant such as Citi can get it wrong, either from a lack of investment into such programs or worse still a poor corporate compliance culture, then this should be a warning to exactly what a fintech may find themselves at the mercy of. The need for a solid understanding of regulatory compliance will become a prerequisite for operating in such a fashion.
Looking into the Future
The future is blurry on this issue and it’s one that many are following closely. Regardless if this gathers any traction, there are some important points to consider as fintech grows into a space which is historically highly regulated.
Playing in the majors will have the need for investment into systems and the focus on consumer protection despite the current climate of deregulation chatter. No one can predict the level of power and authority federal agencies may have in the long term, but based on the enthusiasm displayed at the state regulatory level in staking a claim to supervise fintech firms, the possibility of regulation at some level is unlikely to change.