09 June 2023

The OCC Knows What BaaS Is

By Alex Johnson

In September of last year, I wrote an essay in my newsletter titled – Does the OCC Know What BaaS Is?

The rationale for this cheekily-titled essay was a speech that Michael J. Hsu, the Acting Comptroller of the Currency, had given, in which he expressed concerns about the emergence of novel and complex bank-fintech partnerships. The way in which he described those partnerships and some of the questions about them that he posed in his remarks made me wonder if his bureau had a solid grasp on exactly what banking-as-a-service is and how it works.

Well, since I wrote that, the OCC has created a new Office of Financial Technology and hired someone to run it, hosted office hours to encourage responsible innovation, shared its thoughts on open banking and financial inclusion, and, most recently and critically, released new guidance on third-party risk management (the regulatory bucket in which BaaS and all bank-fintech partnerships sit).

I now feel very confident in answering the question that I posed last year – yes, the OCC does indeed know what BaaS is.

And I thought it might be useful to read between the lines a bit on the new third-party risk management guidance (the full guidance, which can be found here, is 68 pages of rather dry reading) and make some educated guesses about what the OCC is focused on when it comes to BaaS and bank-fintech partnerships.

Other smart fintech folks are, I’m sure, going to be giving their thoughts on this topic soon, and many of them will have a much deeper background in regulatory compliance than I do, so I’ll limit my analysis to 12 quick observations.

#1: Interagency cooperation is a win.

What the guidance says:

The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) have issued this guidance to provide sound risk management principles supervised banking organizations can leverage when developing and implementing risk management practices to assess and manage risks associated with third-party relationships.

The agencies have each previously issued general guidance for their respective supervised banking organizations to address appropriate risk management practices for third-party relationships, each of which is rescinded and replaced by this final guidance … By issuing this interagency guidance, the agencies aim to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles for third-party risk management. 

My Takeaway:

As I will discuss a little later, this guidance has sparked some significant disagreements between banks and fintech companies. However, one thing that everyone in the industry seems to agree on is the wisdom of the OCC, FDIC, and Fed in collaborating to put out this guidance rather than continuing to issue their own individual guidance for third-party risk management.

It’s not perfect. The Connecticut Department of Banking asked the agencies to loop in the National Credit Union Administration (NCUA) so that credit unions would be covered as well, and that didn’t happen. There isn’t any coordination with the CFPB, which is going to cause some headaches (more on that in a minute). But overall, this is a big step forward.

#2: The guidance emphasizes a tailored approach to risk management.

What the guidance says:

Not all relationships present the same level of risk, and therefore not all relationships require the same level or type of oversight or risk management. As part of sound risk management, a banking organization analyzes the risks associated with each third-party relationship and tailors risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. Maintaining a complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship supports a banking organization’s determination of whether risks have changed over time and to update risk management practices accordingly.

My Takeaway:

This is another area that everyone seems relatively happy about. Rather than offering very prescriptive guidance or narrowly defining the scope of third-party relationships (which may quickly become outdated, as prior guidance had become), the agencies’ latest guidance is very broad and encourages banks to evaluate and manage the risk of each third-party relationship on its own terms.

I suppose this could make for contentious examinations with bank supervisors down the road (what do you mean you don’t think this relationship is risky?), but overall I see a lot of value to all stakeholders in keeping the guidance vague and principles-based.

#3: The guidance seems to define BaaS through its impact on the end customer.

What the guidance says:

With respect to comments about technological advances and innovation, the agencies recognize that some banking organizations are forming relationships with fintech companies, including under new or novel structures and arrangements. Depending on the specific circumstances, including the activities performed, such relationships may introduce new or increase existing risks to a banking organization, such as those risks identified by some commenters. For example, in some third-party relationships, the respective roles and responsibilities of a banking organization and a third party may differ from those in other third-party relationships. Additionally, depending on how the business arrangement is structured, the banking organization and the third party each may have varying degrees of interaction with customers. 

My Takeaway:

This is as close as the guidance comes to specifically mentioning BaaS, but if we read between the lines a bit, I think it becomes clear that the distinguishing characteristic the agencies are homing in on for BaaS (in comparison to traditional bank-vendor relationships) is the direct relationship that the third party has with the end customer.

This point comes up repeatedly. Here is a section talking about what banks should look at when evaluating potential third-party relationships:

Assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries  

Again, notice that the “customers” that the guidance is referring to are the bank’s customers, not the third party’s customers. At no point do the agencies even entertain the idea that these aren’t the bank’s customers. But they do acknowledge that the third parties may have more of a direct and sustained relationship with the end customers, which is a pretty big shift.

#4: A stern reminder that all problems are the bank’s problem.

What the guidance says:

Importantly, the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.

My Takeaway:

This one feels very targeted at BaaS. The first thing that popped into my head when I read it was the recent consent order between the FDIC and Cross River Bank.

In the old world of third-party risk management, in which the third parties were almost all vendors selling technology and other products and services to banks, this was less of an issue. Banks just logically assumed that they wouldn’t be able to foist off responsibility for an AML failure onto the tech vendor they were using for transaction monitoring.

In the modern world of third-party risk management, in which many of the third parties are fintech companies that the bank provides products and services to, this is a much bigger issue. And clearly, the regulatory agencies wanted to send a message to banks that any safety and soundness issues or compliance failures, even if they were the result of decisions made by those third parties, are, in fact, the banks’ problem.  

#5: The agencies don’t have a lot of sympathy for the compliance burden on smaller banks.

What the guidance says:

Several commenters requested some form of acknowledgment that smaller banking organizations may lack the necessary resources to thoroughly vet third parties, and thus should be afforded some form of “safe harbor” relating to third-party risk management to allow them to compete in the digital era. In response to these comments, the agencies reiterate that the guidance is relevant to all banking organizations.

My Takeaway:

This one made me laugh.

Several companies and industry lobbyists submitted comment letters to the agencies asking them to find ways to reduce the amount of work that all this tailored third-party risk management entails for smaller banks, who (so their argument goes) are less able to bear the burden and less deserving of it.

The agencies basically said, “Nope.”

I’m happy about this. Small banks can complain about burdensome regulations all they want, but the reality is that it is small banks that are the primary instigators of all of these “new and novel arrangements” with third parties, especially fintech companies.

You don’t get to reap the benefits of BaaS and get a safe harbor from the associated compliance costs.   

#6: The agencies want banks to scrutinize third parties’ financials.

What the guidance says:

An assessment of a third party’s financial condition through review of available financial information, including audited financial statements, annual reports, and filings with the U.S. Securities and Exchange Commission (SEC), among others, helps a banking organization evaluate whether the third party has the financial capability and stability to perform the activity. Where relevant and available, a banking organization may consider other types of information such as access to funds, expected growth, earnings, pending litigation, unfunded liabilities, reports from debt rating agencies, and other factors that may affect the third party’s overall financial condition. 

My Takeaway:

This is another area that stuck out to me when thinking about how this guidance applies to BaaS. This comes from the section on due diligence and third-party selection, and it clearly contemplates the types of information that a bank might want to ask for if it is evaluating a small private company that doesn't have the same standard information available that a larger public company would have.

Given the tightening in fintech funding that we’ve been seeing over the last 18 months or so (and are likely to keep seeing), this seems like an area that banks will want to pay close attention to.

#7: Watch out for pivots!

What the guidance says:

Another consideration may include whether there have been significant changes in the activities offered or in its business model. Likewise, a review of the third party’s websites, marketing materials, and other information related to banking products or services may help determine if statements and assertions accurately represent the activities and capabilities of the third party.

My Takeaway:

Another due diligence item that seems aimed at fintech. 

Do these guys actually do what they say they do? Are they likely to stick with that, or will they pivot into something entirely different (and perhaps more risky) as soon as they hit any speed bumps?

These aren’t just questions for the initial due diligence. The agencies want banks to continually monitor third parties for pivots:

Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers the following factors, among others, as part of ongoing monitoring: 

Changes to the third party’s business strategy and its agreements with other entities that may pose new or increased risks or impact the third party’s ability to meet contractual obligations;

If we wanted, we could probably call this one “The Evolve Rule.”

#8: What happens to the customer if the fintech company fails?

What the guidance says:

An assessment of a third party’s operational resilience practices supports a banking organization’s evaluation of a third party’s ability to effectively operate through and recover from any disruption or incidents, both internal and external. Such an assessment is particularly important where the impact of such disruption could have an adverse effect on the banking organization or its customers, including when the third party interacts with customers. It is important to assess options to employ if the third party’s ability to perform the activity is impaired and to determine whether the third party maintains appropriate operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. To gain additional insight into a third party’s resilience capabilities, a banking organization may review (1) the results of operational resilience and business continuity testing and performance during actual disruptions; (2) the third party’s telecommunications redundancy and resilience plans; and (3) preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, pandemics, distributed denial of service attacks, or other intentional or unintentional events. Other considerations related to operational resilience include (1) dependency on a single provider for multiple activities; and (2) interoperability or potential end of life issues with the software programming language, computer platform, or data storage technologies used by the third party. 

My Takeaway:

It’s that last bit that really jumped out to me – “potential end of life issues with the software programming language, computer platform, or data storage technologies used by the third party.”

Translation for BaaS: make sure the ledger that the fintech company is using to keep track of individual customer accounts within your master FBO account is robust and the data is constantly updated so that you can easily unwind everything if the fintech company suddenly disappears.
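To make that translation concrete, here is an added example (my own illustration, not code from the guidance or from any bank or BaaS platform) of the kind of check a bank could run against a fintech's sub-ledger snapshot: does the sum of per-customer balances explain the FBO account balance, are there duplicate or negative entries, and is the snapshot fresh enough to unwind from? The snapshot format, the one-hour freshness limit, and the account data are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal


@dataclass(frozen=True)
class SubLedgerEntry:
    """One customer's balance as recorded in the fintech's sub-ledger (assumed format)."""
    customer_id: str
    balance: Decimal


@dataclass
class ReconResult:
    ok: bool
    fbo_balance: Decimal
    ledger_total: Decimal
    difference: Decimal          # FBO balance minus sub-ledger total
    issues: list = field(default_factory=list)


def reconcile(fbo_balance, entries, snapshot_time, now,
              max_age=timedelta(hours=1), tolerance=Decimal("0.00")):
    """Check that the fintech's sub-ledger snapshot fully explains the bank's
    FBO balance and is fresh enough to unwind from.

    Returns a ReconResult; `ok` is False if any issue is found.
    """
    issues = []
    seen = set()
    total = Decimal("0.00")
    for e in entries:
        if e.customer_id in seen:
            issues.append(f"duplicate sub-ledger entry for {e.customer_id}")
        seen.add(e.customer_id)
        if e.balance < 0:
            issues.append(f"negative balance for {e.customer_id}: {e.balance}")
        total += e.balance
    difference = fbo_balance - total
    if abs(difference) > tolerance:
        issues.append(f"out of balance: FBO {fbo_balance} vs sub-ledger {total}")
    age = now - snapshot_time
    if age > max_age:
        issues.append(f"snapshot is stale ({age} old, limit {max_age})")
    return ReconResult(not issues, fbo_balance, total, difference, issues)


def unwind_plan(entries):
    """Per-customer amounts the bank would return if the fintech disappeared,
    largest first so the biggest exposures are handled first."""
    return sorted(((e.customer_id, e.balance) for e in entries),
                  key=lambda t: t[1], reverse=True)


# Constructed sample data for the example (not real accounts).
NOW = datetime(2023, 6, 9, 12, 0, tzinfo=timezone.utc)
FBO_BALANCE = Decimal("10250.00")
GOOD_LEDGER = [
    SubLedgerEntry("cust-001", Decimal("4000.00")),
    SubLedgerEntry("cust-002", Decimal("6000.00")),
    SubLedgerEntry("cust-003", Decimal("250.00")),
]
# Same ledger with one customer missing: the fintech's copy has drifted.
DRIFTED_LEDGER = GOOD_LEDGER[:2]


def run_sample():
    """Run the three scenarios: balanced and fresh, drifted, and stale."""
    fresh = NOW - timedelta(minutes=10)
    stale = NOW - timedelta(hours=3)
    return {
        "good": reconcile(FBO_BALANCE, GOOD_LEDGER, fresh, NOW),
        "drifted": reconcile(FBO_BALANCE, DRIFTED_LEDGER, fresh, NOW),
        "stale": reconcile(FBO_BALANCE, GOOD_LEDGER, stale, NOW),
    }


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, "OK" if result.ok else "FAIL", result.difference, result.issues)
```

The point of the staleness check is the "data is constantly updated" half of the sentence above: a sub-ledger that balanced yesterday is not enough if the bank cannot reproduce today's per-customer positions on its own the morning the fintech stops answering.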

#9: Community banks will need help with due diligence and ongoing monitoring.

What the guidance says:

A banking organization may use the services of industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement its due diligence.

And:

To gain efficiencies or leverage specialized expertise, banking organizations may engage external resources, refer to conformity assessments or certifications, or collaborate when performing ongoing monitoring.

My Takeaway:

This came up in a lot of the comments submitted during the process by companies and industry groups, and the agencies listened!

The concern is that smaller banks won’t be able to conduct the level of due diligence and ongoing monitoring required by this new guidance on their own. So, while they’re not getting a safe harbor if they screw up, the agencies are open to allowing banks to collaborate on these tasks and to rely (to an extent) on industry consortiums and certifications, where available.

The interesting part to me is that while these consortiums and consulting services exist in the traditional bank vendor landscape (my old employer, Cornerstone Advisors, helps community banks with vendor selection, to give just one example), this support infrastructure for due diligence and ongoing monitoring doesn’t exist in BaaS … yet.

I’m guessing that we will see a lot of new developments in this area over the next five years. Maybe BaaS banks will team up to assist each other with due diligence? Maybe the BaaS platforms that survive will start playing a more active role (I could see this, especially on the transaction monitoring side)? Maybe this will become an emergent feature for one or more of the new compliance infrastructure companies that are starting to get traction in the BaaS space? Maybe we’ll finally get some new industry consortiums that welcome rather than exclude fintech companies? 

All I know is that this is a gap that will get filled.      

#10: BaaS completely flips the leverage in third-party contract negotiations.

What the guidance says:

In difficult contract negotiations, including when a banking organization has limited negotiating power, it is important for the banking organization to understand any resulting limitations and consequent risks. Possible actions that a banking organization might take in such circumstances include determining whether the contract can still meet the banking organization’s needs, whether the contract would result in increased risk to the banking organization, and whether residual risks are acceptable. If the contract is unacceptable for the banking organization, it may consider other approaches, such as employing other third parties or conducting the activity in-house. In certain circumstances, banking organizations may gain an advantage by negotiating contracts as a group with other organizations.

My Takeaway:

Small banks have been dealing with this problem forever. If you’re a tiny little community bank trying to buy software from Fiserv, the experience can feel more like a hostage negotiation than a contract negotiation – please, just give us an opt-out in year 10 as a show of good faith!

That said, the fundamental dynamic is still the bank as the buyer. They’re not trying to make the sale. They can walk away.

BaaS is different. The bank is the seller, not the buyer. They can try to create leverage by having great tech or a streamlined go-to-market process, but fundamentally they are at a disadvantage when negotiating with fintech companies.

This is a new dynamic in the world of bank third-party risk management, and I would have liked to see the interagency guidance go even further in acknowledging this fact and finding ways to plan for its impact. 

When Fiserv gets too desperate in a contract negotiation with a bank, its shareholders and executives lose a little money. When a bank gets too desperate in a contract negotiation with a fintech company, it can introduce a lot of new risk into the financial industry. Regulators should treat the latter scenario with a lot more urgency.

#11: Third-party risk management becomes the new open banking battleground.

What the guidance says:

Some commenters raised particular risks presented by data aggregators and suggested a range of approaches to address these risks. Suggestions included interagency coordination on a Consumer Financial Protection Bureau (CFPB) rulemaking on consumer access to financial records. In addition, some commenters expressed concern that the discussion on third-party risk management expectations related to data aggregators may unintentionally result in outsized burdens on banking organizations.

My Takeaway:

The agencies are understating this.

It’s not some commenters raising concerns about data aggregation; it’s the majority of them, including Plaid, The Clearing House, the Consumer Bankers Association, the Financial Technology Association, and the Financial Data and Technology Association of North America.

I did not have “third-party risk management guidance becomes the contentious new front in the battle between banks and fintech over open banking” on my bingo card, but here we are.

The basic question at issue here is – should data aggregators, working on behalf of banks’ customers and their chosen fintech providers, be considered critical third parties that banks should monitor and manage?

The big banks think that they should! Here is The Clearing House:

The agencies should affirm that FIs have the right to conduct appropriate due diligence and impose reasonable restrictions on time, place, manner, and scope of data access by third parties as well as periodic customer re-authorizations / re-authentications 

The data aggregators, fintech companies, and at least some small banks (who don’t have the same passion as big banks in waging war on open banking) disagree. Here is Plaid:

In any final guidance, the description of third-party relationships should be clarified to recognize that consumer-chosen relationships–such as relationships between financial institutions and fintech companies that do not directly integrate with those financial institutions, but instead rely on a data aggregator to establish connectivity for consumers–denote an indirect relationship, not subject to bank risk management activities.

My overall takeaway from this is that everyone seems to expect the CFPB’s rulemaking on 1033 to be mostly positive for fintech companies and the data aggregators. The big banks, who are quietly not happy about 1033 or the progress of open banking in the U.S. generally, viewed this updated third-party risk management guidance as a way to shoot the moon and get a regulator-approved path to hamstring the data aggregators.

The OCC, FDIC, and Fed, for their part, decided to just stay out of it entirely:

The agencies considered other comments in relation to specific types of third-party relationships but decided not to exclude any specific third-party relationships from the scope of the guidance; rather, the guidance is relevant to managing all third-party relationships.

#12: How do indirect BaaS platforms fit in?

What the guidance says:

Third-party relationships may involve subcontracting arrangements, which can result in risk due to the absence of a direct relationship between the banking organization and the subcontractor, further lessening the banking organization’s direct control of activities. The impact on a banking organization’s ability to assess and control risks may be especially important if the banking organization uses third parties for higher-risk activities, including critical activities. 

My Takeaway:

In traditional bank-vendor relationships, this is all standard stuff. Ohh, you deliver your software via the public cloud? Which public cloud provider(s) do you use? Do they have all the certifications that we require?

Every RFP template covers this, and it’s generally not a huge deal for banks to manage the risks associated with the subcontractors that their vendors use.

But, once again, BaaS is different!

Specifically, I’m curious about how the BaaS middleware platforms that connect banks with fintech companies fit in. Some of these platforms act as matchmakers, connecting the fintech companies directly with their banking partners. This model shouldn’t pose much of an issue from a risk management perspective. However, the other model, in which the BaaS platform sits between the bank and the fintech company, might be a bit more concerning.

In this indirect model, the BaaS platform would be the third party, and the fintech company would be the subcontractor, I guess? It’s unclear from my reading of the guidance, but this is an important question to get answered. The fintech company is absolutely providing “critical activities” in this arrangement, so I would think that the agencies would want banks to be closely vetting and monitoring them.