New third-party oversight guidance issued by the OCC should spur increased financial innovation at national banks. On March 5, the OCC issued OCC Bulletin 2020-10, Frequently Asked Questions to Supplement OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance. The new bulletin replaces OCC Bulletin 2017-21, which had the same name, and carries over all 14 frequently asked questions (FAQs) contained in the earlier bulletin while adding 11 new FAQs. It breaks new ground in a number of ways, including by clarifying that a national bank’s lack of in-house expertise, e.g., due to its small size, may not preclude it from being able to utilize innovative services offered by fintech companies. In both its intended purpose and its content, the bulletin markedly differs from the FDIC’s Guide for Fintechs and Third Parties, which was published in February. The stated intent of the FDIC guide is to educate nonbank fintech service providers about “regulatory requirements unique to banking” by summarizing existing requirements for bank third-party oversight programs.

The new FAQs contained in OCC Bulletin 2020-10 address the following topics:

• meaning of the terms “third-party relationship” and “business arrangement”

• when cloud computing providers are in a third-party relationship with a bank

• when data aggregators are in a third-party relationship with a bank

• risk management when the bank has limited negotiating power in contractual arrangements

• critical activities and how a bank can determine the risks associated with third-party relationships

• bank management’s responsibilities regarding a third party’s subcontractors

• reliance on and use of third party-provided reports, certificates of compliance, and independent audits

• risk management when a third party has limited ability to provide the same level of due diligence-related information as larger or more established third parties

• risk management when using a third-party model or when using a third party to assist with model risk management

• use of third-party assessment services in managing third-party relationship risks

• approval of contracts by the board of directors

• risk management when obtaining alternative data from a third party.

Most of the above topics are discussed in conjunction with one or more FAQs repeated from OCC Bulletin 2017-21. For example, the new FAQ titled “What is a ‘business arrangement?’” elaborates on the existing FAQ titled “What is a third-party relationship?” Furthermore, in addition to repeating what had been FAQ No. 11, discussing the applicability of OCC Bulletin 2013-29 to relationships with third-party mobile payments providers, the new OCC Bulletin 2020-10 contains FAQs that address relationships involving cloud computing services, data aggregators, and the use of alternative data. As with mobile payments, the foregoing services are becoming increasingly commonplace for all banks regardless of size — hence, the need for direction from the OCC regarding expectations for due diligence, contracts, monitoring and audits.

A number of the new and repeated FAQs set forth in OCC Bulletin 2020-10 should facilitate the ability of community banks to utilize innovative services offered by fintechs. For example, a new FAQ discussing model risk management clarifies that a bank may bridge gaps in its in-house abilities and expertise by hiring external resources to perform certain activities, including “model validation and review, compliance functions, or other activities in support of internal audit.” To this end, repeated FAQ 12 continues to address the ability of banks to “outsource some or all aspects of their compliance management systems to third parties, so long as [these] banks monitor to ensure that third parties comply with current and subsequent changes to consumer laws and regulations.”

In addition, a new FAQ endorses the use of “third-party assessment services” (aka third-party utilities) to conduct both initial due diligence and ongoing monitoring. Regarding these services, the FAQ cautions that bank management may need to supplement information it receives from these services by obtaining additional information directly from the third-party service provider being monitored, and that bank management needs to understand how general information provided by an assessment service relates to services that are directly relevant to the bank.

OCC Bulletin 2020-10 also addresses the ability of banks to collaborate with each other in meeting expectations for third-party oversight. In this regard, a new FAQ addresses the ability of community banks to pool their resources by participating in “user groups” that offer these banks opportunities to “collaborate with their peers on innovative product ideas, enhancements to existing products or services, and customer services and relationship management issues with service providers.” This new FAQ augments previous FAQs 4 and 6, which address collaboration generally and within the narrow context of managing cybersecurity threats, respectively.

Last, a new FAQ discussing the use of “alternative data” (i.e., information not typically included in a consumer’s credit report from one of the nationwide credit reporting agencies) is important not only because of the guidance provided regarding third-party oversight, but as an endorsement of national banks’ use of this information, including in credit underwriting decisions. In this regard, third-party underwriting models provided by fintechs rely on alternative data to parse creditworthy borrowers from the broader pool of consumers whose poor or “thin” credit histories would otherwise preclude them from receiving a loan. Because these consumers do not satisfy bank underwriting standards, they are increasingly turning to nonbank fintech lenders to meet their credit needs. The new FAQ addressing alternative data, coupled with previous FAQs 9 and 10, both of which address providing services to underbanked consumers, could help to stem or reverse that trend.

Key Points

• It is not surprising that OCC Bulletin 2020-10 goes well beyond the FDIC’s recently issued fintech third-party guidance with respect to the types of third-party relationships it addresses and by implicitly endorsing certain activities, such as marketplace lending and uses of alternative data. Unlike the FDIC, the OCC charters banks and has broad statutory authority to define their permissible powers. In addition, the FDIC’s guidance, which was issued by that agency’s FDiTech laboratory, is written for nonbank fintech who are interested in learning about bank requirements for third-party relationships.

• By allowing national banks to rely heavily on third parties to perform lending activities and assist with monitoring and oversight to the extent of permitting community banks to outsource “all aspects of their bank’s compliance management systems,” the OCC bulletin offers potentially strong defenses to “true lender” lawsuits alleging that the nonbank party to a loan program relationship with a bank is the actual lender. These lawsuits focus on how responsibilities for the program’s activities are allocated between the bank and the nonbank. Consistent with the new bulletin, the nonbank could be charged with performing the lion’s share of activities without running afoul of supervisory expectations for a permissible third-party relationship.

• Both the OCC and the FDIC have publicly stated their respective opposition to loan program arrangements between banks and nonbank lenders where the primary motive for the relationship is an intent to circumvent state usury laws. The breadth and extent to which OCC Bulletin 2020-10 allows national banks to rely on third-party service providers should make it harder for persons challenging “bank sponsor” lending programs between banks and nonbanks to infer such impermissible intent from focusing on which party is responsible for the majority of the program’s activities.