A recent action by the Office of the Comptroller of the Currency (OCC) highlights how banks need to ensure that they have robust compliance programs for managing risks posed by their banking as a service (BaaS) partnerships with third-party fintechs.
On August 29, 2022, the OCC entered into an agreement with Blue Ridge Bank, N.A. (Blue Ridge Bank), a Virginia-based community bank, that requires Blue Ridge Bank to make serious reforms to its compliance practices (the Agreement). The existence of this agreement was revealed to the public through a Securities and Exchange Commission (SEC) Form 8-K filed by Blue Ridge Bank's holding company. The Agreement is the result of the OCC finding that Blue Ridge Bank had been engaged in unsafe or unsound practice(s).
In the Agreement, the OCC identified Blue Ridge Bank's practices related to board accountability and involvement, third-party risk management, Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) risk management, suspicious activity reporting, and information technology (IT) control and risk governance as sources of concern. The OCC did not provide any further details on the issues it took with Blue Ridge Bank's compliance practices, but the terms of the Agreement make it clear that the OCC did not approve of how Blue Ridge Bank was operating its BaaS partnerships with non-bank fintech companies. As a result, Blue Ridge Bank must now implement extensive changes to the bank's fintech policies, procedures, and operations concerning these areas to bring them into conformity with OCC directives.
The BaaS business model allows a bank to offer a selection of its products and services to a broad base of consumers and small businesses by leveraging a fintech's internet-based capabilities and marketing expertise. Entering into BaaS partnerships with fintechs can be highly profitable for banks, but these partnerships require both the bank and the fintech partner to adhere to the bank's compliance obligations.
The BaaS business model has come under scrutiny by regulators in recent years as they attempt to understand the complex nature of some of these novel and evolving arrangements. In his remarks to The Clearing House and Bank Policy Institute's (TCH + BPI) 2022 annual conference, the Acting Comptroller of the Currency, Michael J. Hsu, discussed how the OCC plans to continue studying bank-fintech partnerships to identify how the digitalization of banking services has affected the banking landscape from a regulatory perspective. In this context, Mr. Hsu likened certain bank-fintech arrangements to the complex series of relationships involved in the 2008 financial crisis, and analogized the disruption caused by the emergence of BaaS programs to that caused by the globalization of manufacturing in the 1980s and the disintermediation of credit and liquidity risks in the banking system during the 1990s and 2000s.
With respect to Blue Ridge Bank, it has been reported that the bank's partnerships with fintechs account for a significant portion of its business. It is not clear why the OCC took an interest in Blue Ridge Bank from among the many other community and specialized banks that have embraced BaaS. Some speculate that Blue Ridge Bank came onto the OCC's radar because of its BaaS business model; others suggest that the Agreement is the result of the OCC addressing regulatory concerns it identified while reviewing the bank during an attempted merger between Blue Ridge Bank and FVCBankcorp, Inc. in 2021. That merger was called off in January of 2022.
What remains clear, though, is that the OCC is growing increasingly skeptical of whether some banks are sufficiently aware of the risks posed by their fintech relationships, let alone whether banks are adequately monitoring for and responding to those risks. Risks to the safety and soundness of banks remain the focus of the OCC's attention, but mitigating the risks to consumers using services provided through BaaS programs is also an important priority.
The OCC's Terms and Conditions
The Agreement requires Blue Ridge Bank to implement a major overhaul of its compliance programs. The OCC has required the bank to improve its (i) board of directors' involvement in the bank's compliance efforts; (ii) third-party risk management compliance program; (iii) BSA/AML monitoring and compliance program; (iv) customer identification programs; (v) suspicious activity report (SAR) monitoring and filing program; and (vi) IT control programs. Additionally, the bank must improve the accountability of its board members for the bank's compliance with applicable laws and regulations, and increase the transparency between its board members and compliance departments.
Under the Agreement, Blue Ridge Bank is required to address the deficiencies the OCC identified in these areas by:
- Reforming its policies, procedures, and practices to include the board of directors in certain aspects of the decision-making processes within Blue Ridge Bank's compliance programs, including by creating a board compliance committee that monitors Blue Ridge Bank's compliance efforts and makes quarterly reports to the board of directors as a whole on the bank's efforts to comply with the Agreement, and by requiring the board of directors to approve new fintech partnerships before Blue Ridge Bank may enter into them;
- Developing and adhering to a comprehensive third-party risk management program to monitor and respond to risks posed by the bank's fintech relationships;
- Improving its BSA/AML compliance programs, which must now include (a) an effective BSA program that assesses the bank's BSA/AML compliance risks "across all products, services, customers, entities, and geographies, including all activities provided by or through the [b]ank's third-party fintech partnerships," (b) a BSA audit program that addresses the BSA/AML risks posed by its fintech partnerships, and (c) a plan to staff Blue Ridge Bank's BSA compliance department adequately with competent, properly trained staff;
- Improving its policies, procedures, and processes for collecting and maintaining customer due diligence (CDD) information, enhanced due diligence (EDD) information, and beneficial ownership information to include specific requirements for Blue Ridge Bank's fintech partners;
- Developing policies, procedures, and processes to improve the bank's SAR filing and monitoring across all of Blue Ridge Bank's business lines, but most importantly those involving fintech partnerships, and conducting regular reviews of this program; and
- Developing an IT control program that addresses the data storage, processing, and security risks associated with its fintech partnerships, which must include an adequate business continuity plan.
The most significant requirement imposed on Blue Ridge Bank, however, is one that limits Blue Ridge Bank's ability to expand its BaaS partner programs going forward. Per the Agreement, Blue Ridge Bank must obtain a determination of "no supervisory objection" from the OCC before onboarding any new fintech partner, or before offering new products or services or conducting new activities with or through existing third-party fintech relationship partners. Seeking the OCC's non-objection requires the bank to submit a complete due diligence package for the OCC to evaluate, which must include, at a minimum, supporting documentation, a copy of any proposed contract, and minutes from any management or board committee meeting approving the relationship.
A Blueprint for a Third-Party Risk Management Compliance Program
The Agreement provides a blueprint for how banks should be thinking about their BaaS partnership programs, and the expectations that partners should be prepared to meet. As we've written in prior articles, a successful BaaS partnership requires the bank and fintech to work together to design and implement banking, lending, and payment services that comply with applicable legal and regulatory requirements. The recent OCC action against Blue Ridge Bank underscores the need to balance innovation with prudent compliance and risk management.
Generally, the OCC expects a bank providing services through third parties (e.g., fintechs) to have third-party risk management and oversight processes "commensurate with the level of risk and complexity of its third-party relationships." OCC Bulletin 2013-29; OCC Bulletin 2020-10; OCC Bulletin 2021-40. The terms of the Agreement provide insight into how the OCC would like to see its guidance on managing fintech partnership risks translated into banks' compliance practices.
Per the Agreement, banks should consider whether their existing third-party risk management compliance programs adequately address the following areas:
- Written policies and procedures governing how the bank operates its BaaS programs, which must address, at a minimum, how the bank will (a) identify the risks its third-party partners pose to the bank's compliance and safe and sound banking obligations, (b) assess and monitor third parties, (c) ensure that its third-party risk management and oversight program is sufficiently comprehensive and adequately funded, and (d) select and seek board approval of new fintech partners;
- A BSA risk assessment for each of the bank's fintech partners;
- Robust due diligence and risk assessment criteria for identifying whether a given fintech is an appropriate partner for a given BaaS program;
- A compliance oversight program for evaluating and monitoring each fintech partner's and BaaS program's compliance with applicable laws and regulations, which should include both internal and third-party monitoring capabilities and a reporting process that facilitates board and management oversight and accountability;
- A process for addressing or, if necessary, terminating a relationship with a fintech partner that puts the bank at risk of violating applicable laws and regulations;
- Audit plans for having a qualified third-party auditor conduct independent reviews and assessments of the bank's compliance programs, the financial reports illustrating the transactions being processed through its BaaS programs, and the operational risk associated with the bank's fintech partnerships;
- A plan for ensuring that the bank's compliance program is adequately staffed by experienced and qualified staff; and
- Annual testing of the bank's third-party risk management compliance program and policies, procedures, and processes for implementing any recommendations for improvements that might come from such testing.
While the OCC's "blueprint" for ensuring that fintech partners adhere to a bank's compliance requirements is thorough, it does not, unfortunately, give the underlying factual background to the Agreement. Nonetheless, the Agreement gives other banks with extensive fintech partnerships the opportunity to avoid a similar situation by reviewing their own policies, procedures, and processes against this list before a regulator does.