Bank fintech partnerships, open banking, third party risk management, crypto
Transcript:
Kevin Greenfield (00:06):
So everyone, well, we're waiting for our moderator. I know we're sending between you all and lunch, so we're going to go ahead and get started on our own and go from there. But I'd like to introduce myself. My name is Kevin Greenfield. I am Deputy Comptroller for Operational Risk Policy for the Office of the Comptroller of the Currency. And essentially what my team is responsible for is development and publication of policies, examination handbooks, other references and guidance as it relates to areas including information technology, cybersecurity and critical infrastructure, payment systems, risk, as well as general governance and operational risk.
Drew Kohan (00:54):
Hey everybody, my name's Drew Kohan. I'm an associate director of the Federal Reserve Board. I have three teams that report up to me, supervisory policy and outreach, and that's how I get mixed up with TPRM, things like TPRM as well as Fair Lending Supervision and Enforcement and Udap, supervision and Enforcement. So I think between Kevin and I, we've got a lot of risks covered here, so hopefully we can touch on a bunch of them.
Kevin Greenfield (01:24):
So one of the things that our moderator had sent us a list of questions ahead of time to be prepared for. So we'll just go ahead and between Drew and I just speak to those and go back and forth. But also encourage, if there are questions, please ask them. You'll see Drew cringe as I say this, but please ask those questions that will make our respective bosses cringe when we answer. So with that, when looking at FinTech bank relationships, one of the big developments within the past week has been the publication of the interagency third party relationship management guidance. And we have several questions that we're going to address as part of that, but also really again, respond to questions you have from regulatory perspectives with banks and regulated financial institutions, engagement with FinTech organizations. So Drew, I don't know if you have any particular order you'd prefer to go in, but do you want me to kick off with the first question? Oh, she's here. She's here. Alrighty.
Penny Crossman (02:53):
I am so sorry. I got waylaid. We have a super interesting panel here. We have two regulators, as you can see. We have Kevin Greenfield, Deputy Comptroller for operational risk policy at the officer off office of the controller of the currency. He oversees development of policy and examination procedures, addressing operational risk, bank information technology, cybersecurity, critical infrastructure, resilience, payment systems and corporate and risk governance. So a lot, almost everything that a tech person would be concerned about. He assumed all these responsibilities in November, 2019. Before that, he managed a team that developed, communicated and interpreted policies for the OCC supervision of technology operations at financial institutions. And we have Drew Kohan who is Associate Director at the Federal Reserve Board, and he's responsible for supervisory policy and research fair lending enforcement, UDAP enforcement. He has been in this role for a year before joining the Fed. He was a senior compliance officer at Capital One and senior exam manager at the CFPB. So these are the people who know what's going on. So last week the Fed the OCC and the FDIC released final guidance on risk management of third party relationships for banks. What do you think are some of the most important elements of this guidance and things that banks should be keeping in mind?
Kevin Greenfield (04:33):
So I think one of the most fundamental things when it comes to third party risk management is for banks and banks, senior management bank board to understand that you can outsource the operation, the activity, the managing of the products and services. What cannot be outsourced is the responsibility for those products, services, or operations. At the end of the day, it's the bank's product or service. It's the bank's customers that are receiving it may be impacted if it's not delivered as designed and intended. So it's very important for bank management and bank boards to understand that when they're engaging with third parties.
Drew Kohan (05:19):
Yeah, A couple of things for me. The first is I think just a level set, and Kevin and I were talking about this out in the hallway. We have heard in conjunction with this guidance, the use of the word requirements. This is guidance. It is not a requirement. It is an effort for the agencies to set their supervisory expectations in a consistent, transparent way. So I think that is one thing I just wanted to level set everybody on. But the other thing too is I think what you'll notice is there's a lot of effort to tailor and simplify the language for community banks. And so I think that was a really concerted effort between the agencies was to think about how this would be digested by smaller community banks.
Penny Crossman (06:14):
So there was some, I guess, feedback about people who felt that community banks should not be held to as high of a standard that too much is being asked of community banks. Can you guys react to that?
Kevin Greenfield (06:30):
Sure, absolutely. So community banks as well as any other large size or any other sized institution are currently engaging with third parties for different activities. And it's very important to understand that one, this is guidance, it's communication of effective practices. It's not a checklist, it's not a set of requirements that a bank has to go through and check the box on. It's designed to be risk-based. It should be applied based on the risk of the activity, the complexity of the institutions be involved, as well as what is the potential impact to customers. But I think it's very important that this is a resource for community banks. This is something they can use as they engage with their third parties and also communicate to those third parties. These are the expectations in the banking system. So this very much has been seen as a resource, and this guidance was based on the prior OCC 2013 dash 29 third party risk management. And again, there was a lot of value found by community banks having access to these resources and being able to use that while they engage in third with third party. So I think it's important to remember that this is a tool not just for regulators, this is a tool for the banks themselves.
Drew Kohan (07:55):
Yeah, the guidance acknowledges that this is a challenge for community banks. I think it's important to note that this challenge is not brought on by this guidance. This challenge is exists today with a number of FinTech partners that are out there and their relationships with community banks. So there is already a lot on the shoulders of community banks and as Kevin pointed out, this guidance is an effort to help those community banks peer through that haze. And I think what the guidance acknowledges is that there are aids coming, that there is more work to be done on specific tools that community banks can use when thinking about practicing effective third party oversight. But the point remains that this is an effort to give these banks, especially the smaller community banks, a roadmap for how to think about effectively managing third party risk.
Penny Crossman (09:05):
And can you paint a picture of what due diligence and monitoring, especially monitoring would look like? I mean, do you have to be visiting these your third parties all the time? Do you have to be access to their system so you can go inside and see what they're doing? And do you have to secret shop them so that what they're doing with like KYC, AML type stuff, what are some of the kinds of things that go in you think need to go into due diligence and monitoring?
Kevin Greenfield (09:42):
So again, there, it's very much a risk-based approach. A non-complex community institution engaging with a known core service provider, speaking with your peers to get feedback on what's the services they received going out and getting either Moody's s and p, but financial reports on the financial capacity and getting the copies of the SSA 18 or some of the independent, that should be sufficient. Again, depending on it's always tough to give specific examples, but if a bank is engaging with complex products going to and say crypto products going to consumers through a firm that has limited history, you're probably going to want to apply more oversight. Where a large nationwide bank engages with a third party for wholesale payment operations, they're going to want to keep a closer eye on that. So it's very much risk-based and sometimes it's just step back, what makes sense, what is the risk to the institution for engage based on the delivery of this service? Also very important, what is the risk or potential impact to the customer? Because we have seen banks of all sizes. If a customer is adversely impacted, if there's unfair deceptive practices, violation of fair lending or other consumer, that's ultimately the responsibility the banks. So the banks should, needs to tailor it's oversight based on the risk of the activity and again, the risk of the bank operation itself.
Drew Kohan (11:31):
Yeah, I'll answer just sort of wearing my fair lending hat. I think if an institution were to engage, so conversely to the example Kevin shared with the non-complex bank using a known core service provider, if an institution were to engage in it with a third party that had its own underwriting system handled the customer relationship, I mean that would elevate the risk because then at that point that third party is making underwriting decisions facing off with the customer. And so those things would elevate the risk. And as supervisors, we would expect more from the institution when performing that oversight of that third party, including onboarding, regular monitoring, which is what the guidance talks about and things like that. So I think it's really facts and circumstances specific, but I will say that one of the things we are more cognizant of with each passing day is who is interacting with, especially on the compliance side, who is interacting with the consumer? What does the consumer see? Who does the consumer think they're actually working with? Because often sometimes in these relationships they don't even aware that they're working with a supervised institution. They're actually, a lot of the material is from the FinTech. So those are things that really elevate the risk from a compliance standpoint.
Penny Crossman (13:06):
Based on what you both have seen in the world, what are some of the biggest gaps between what banks are actually doing and the guide?
Kevin Greenfield (13:19):
So I'll speak in general from my experience, do you do an effective job of third party risk management? Again, applying the fundamental concepts of risk assessment or as I said, what is it and should it be outsourced or should it be engaged with a third party? What then the due diligence of doing the assessment of who you should engage with contract management, what are you engaging for and how is that defined monitoring, are you actually receiving it? And then the other thing that's very important is what is the exit strategy or exit plan? All relationships come to an end. How are you planning for that? And that's where sometimes we see some gaps, especially with community banks. I know one of the challenges bank community banks often face, especially with some of the large providers or the big tech firms, is a lack of negotiating power. So the one thing I advise for all community banks is understand the contractual terms, work with your peers to set expectations for some of the contractual terms. And again, some of the lock in or the availability to sign up for ancillary services of your choosing. So that's sometimes where we see challenges on the community banks is around that contract management. And it's really where some of this guidance can be very helpful for community banks of here are some of the key things you should consider. Again, not every aspect of what's in the guidance is required. It's not required, but here are some of the terms you should consider as you do this. So that's for community banks and smaller banks. Some of our larger banks, one of the challenges, keeping track of who you're actually establishing relationships with. Large complex organizations typically have risk management groups dedicated to third party or supply chain management. But keeping track that all units are following those processes, not going out independently engaging and then not following the bank's policies and procedures and risk management practices. That can be a challenge for some of the more larger, more complex where you're talking hundreds if not thousands of relationships.
Drew Kohan (15:47):
So Kevin used the word contracts and I think from my perspective, one of the things that we see is there is written into the contract language that the third party will ensure compliance with laws and regulations. And we have never found that to be sufficient. We think the institution, even if it's written in a contract, the financial institution still has, as Kevin pointed out earlier, an obligation to ensure compliance. And so that is something that I think this guidance really sort of moves the needle on. The other thing too is, and Kevin could probably talk about this for several hours, but I think data is a really pivotal part of this. What data is the institution getting access to ensure compliance? And that goes back to the point he just raised about bargaining power, negotiating power. But I think the guidance does mention several ways that community banks, smaller banks, can improve their leverage by working with other banking organizations or working with third parties that specialize in due diligence. But access to data to verify that what you think is happening is actually happening is another thing that we hope this guidance helps move the needle on.
Kevin Greenfield (17:07):
And actually, I'd just like to add something here because as part of my role and in some way, shape or form for the past 20 years I've been involved with the Federal Reserve, the FDIC and the OCC. The three federal banking agencies have a program where we'll actually go out and examine third party service providers under the bank service company act. And in 20 plus years of being involved in that program, I can tell you I have never seen a service provider fail to execute on a banking transaction or be in with a banking consumer law or consumer protection law. Never once seen that. I can list many examples where the bank has failed to process the transaction or the bank is now in non-compliance. And with consumer protection law, their service provider helped them get there and the bank paid a fee along the way. So it goes back to ultimately the third party may be doing the work, but it's the bank's product, it's the bank's service, it's the bank's customer. The bank is ultimately going to be responsible for the outcome, both positive and negative. So that's very important. You can write in the contract that the service provider will be responsible for compliance. That's not actually how the law reads.
Penny Crossman (18:43):
So another thing that a lot of regulators have been talking about is bank FinTech partnerships where the FinTech is interacting with the customer. Maybe it's an online lender or a challenger bank, something of that nature. And I think I've seen, without getting into any specific names, I think I've seen attention being paid lately to online where a bank is partnering with an online lender and the online lender is using maybe an underwriting system or has fees that maybe questionable the bank is, it seems like the bank is being held accountable for those practices. Am I right in thinking that?
Drew Kohan (19:30):
Yes, you are, and this gets back to the financial institution is responsible for ensuring compliance. So it goes back to what I said elevates really elevates the risk in these third party relationships is if you are partnering as a bank, if you are partnering with a third party who sort of says to you, we will take it from here, we just need the funding and they handle the marketing and disclosures and the underwriting, I mean that is a very high risk situation for an institution to be in and it's not insurmountable. And we've talked about ways that the guidance can help smaller institutions navigate those relationships, but the institution needs to be aware that that is a very different relationship than just using a very known core service provider. And especially if that the underwriting implements any kind of AI that's like, there's a bunch of elephants in this room, but AI is another elephant in this room, which the agencies are working on to try to provide more clarity to the industry. But things like that really elevate the risk and the institution just needs to be aware of what it's getting into.
Kevin Greenfield (20:46):
Yeah, and I'll add that all the agencies, but I'll speak for the OCC, that support responsible innovation and there are opportunities for community banks especially to expand their services, get to wider customer bases, offer better and more effective services, as well as reach the unbanked and increase access to the banking system. So again, we very much support responsible innovation. The important part is that responsible aspect of partnering with these fintechs can be good, but the bank needs to know what they're entering into and have the capacity to manage that. Because in the example, provided the partner can engage with the customer, the partner can do all the disclosures, the partner can set the underwriting standards, the partner is not making the loan. The national or state chartered depository or financial institution has the authority to make the loan and they are making the loan. They are responsible for making that loan. So that's very important. While these can be, relationships can be very beneficial to both banks and customers, they need to be managed and banks need to understand the products and services because ultimately it's the bank that's making the loan, it's the bank that's making the pay or processing the payment. It's the bank that's taking and managing the deposit. I was going to say they're partnering with the FinTech to better provide access to those services.
Penny Crossman (22:39):
And I think we've also seen attention being paid to BSA, AML, KYC, a lot of the things that happen in the onboarding of a new customer. How can a bank be super watchful of what a FinTech partner is doing on that front? How can they have the visibility into that?
Kevin Greenfield (23:07):
I think it's important, again, understanding the activity. And Drew had mentioned about the importance of getting data. So in the contract, how is that going to occur? How will the bank get sufficient information to ensure that the bank is able to comply with bank secrecy and anti-money laundering laws? But something else, the contract's essential because it sets the expectation of what will and will not be provided or what will then not be done or executed. But the contract in itself is not a control. Just because in the contract doesn't mean it's happening. And so backing up, making sure that the bank's BSA, AML officer or team is getting the information they need to monitor the bank's compliance with the rules and regulations.
Drew Kohan (23:59):
Yeah, one of the things we were talking about before we got on stage was especially at more mid-sized and larger banks, I mean these questions you're asking are also questions. Second line testing should be asking that the third line audit function should be asking. These are answers that if it's a really effective risk management program at an institution, second line and third line are asking these very difficult questions to the first line. So I think that's also another important thing to point out is a lot of this guidance can really be harnessed by second and third line at institutions, especially mid and larger sizes. I just want to call that out.
Penny Crossman (24:44):
Alright, so I know there was some guidance a while ago about cloud computing vendors specifically, and I remember some of it was that there's concentration risk that there's only a few cloud computing, large cloud computing vendors that everybody's using. I remember there was concern about the power that the large cloud computers have in the contract negotiation process that you're talking about concern that there could be an outage or a cybersecurity incident at a large vendor. Can you say anything about that? What some of your bigger, biggest concerns are about cloud computing and what people in the audience should be trying to think about and do when they adopt more cloud computing?
Kevin Greenfield (25:37):
Sure. It sounds like you're referring to the recent US treasury report of cloud services in the financial sector. Now we work very much with them along with many of the other banking and financial sector agencies. And when looking at cloud computing, first I'll start off with cloud is an architecture. It can be, and personally I think it, it's going to provide a lot of opportunities and it can be configured and implemented very well, very effectively and very much to the benefit of the bank with appropriate security, resilience and appropriate controls. It also can be implemented very poorly with no controls, no resilience and such. So it very much is when looking at from a regulatory, it's technology neutral. We are technology neutral, but how is the bank effectively engaging with the cloud service provider and effectively implementing appropriate controls. Like the one thing I'll say is when you sign up and put information operations data in the cloud, a lot of people automatically assume it's secure. No, actually you have to configure that security in the cloud environment. There are tools or resources you can do that very effectively, but it has to be done. Same with resilience. Just because in the cloud, don't assume everything is backed up and recoverable. You need to configure that, but it can be done and can be done very well and very efficiently. And there's a lot of resources and tools. So it's very much how you implement it and how it's a concentration. Yes, there are a handful of major cloud providers that many organizations are going with. I think we have to be careful that, again, being a financial regulator, when I started, I focused on loans, balance sheet management, liquidity concentration was a bad thing you had to set limits for, it's a risk when you look at cloud, but there are benefits and there are adverse potential. It's a risk that needs to be managed because you need to understand when you configure on the cloud, where within a bank, within a provider's cloud environment, how is that data being managed? Where is it being managed, where is the resilience? Do you have out of zone? You just need to be aware and manage that and understand what are the potential concentration risks and how you manage against those. Because similar to cloud providers, there are only a handful of telecommunication companies and that's been the case for many decades. But a lot of those risks are being managed by having resilient systems and operations. And that's the same for the cloud. You need to understand what that risk is and establish those controls.
Penny Crossman (28:49):
Okay. Unfortunately we're out of time, but thank you so much. This was really interesting and helpful, so I appreciate you both coming on the stage and telling us how you feel about these things. So thank you.
Regulator Panel: The intersections between fintech and consumer protection
June 28, 2023 3:22 PM
29:11