On October 20, 2017, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2017-43 (the “Bulletin”) outlining principles that OCC-supervised banks should follow to prudently manage the risks associated with offering new, modified, or expanded products and services.
Acting Comptroller Keith Noreika, in recent remarks, confirmed the OCC’s efforts to explore and support responsible innovation, and the Bulletin indicates that it “is consistent” with that support. Observing the “breadth and speed of change” in banks’ use of new technology, the Bulletin underscores the need for “bank management and boards of directors [to] understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive.”
“New activities,” as defined in the Bulletin, include new, modified, and/or expanded products and services. Such products and services include those offered for the first time, previously discontinued but offered again, substantially altered, or expanded beyond a bank’s customer base, financial markets, venues or delivery channels.
The OCC expects bank management to establish appropriate risk management processes for new activity development and to measure, monitor, and control the risks associated with new activities. The bank’s board is expected to oversee management’s implementation of the risk management system. The OCC highlights the primary risks that arise in developing and introducing new activities: strategic risk, reputational risk, credit risk, operational risk, compliance risk, and liquidity risk. The OCC also describes various circumstances that can increase each of these risks.
The OCC discusses the four main components that a bank should include in its risk management system for new activities consisting of the following:
- Due Diligence and Approvals. Before implementing a new activity, management should conduct adequate due diligence to understand the rationale for engaging in new activities and how proposed new activities meet the bank’s strategic objectives. Due diligence should include determining the requirements of applicable laws and regulations, identifying potential conflicts of interest, conducting research on third-party service providers, determining the expertise and operational infrastructure requirements needed to effectively manage and support the new activities, and developing a business and financial plan.
- Policies, Procedures, and Controls. Management should establish and implement policies and procedures that provide guidance on risk management of new activities. Management should take other steps, such as expanding or amending existing policies and procedures to address new activities, developing a management information system that, among other things, properly evaluates the performance of new activities, and incorporating new activities into the bank’s independent risk management, compliance management system, and audit processes to ensure adherence to bank policies and procedures and adequate customer safeguards.
- Change Management. Management should have effective change management processes to manage and control the implementation of new or modified processes, as well as the addition of new technologies. Such processes should include employee training, proper testing, and an exit strategy to limit adverse effects in the event of failed or flawed implementation of new activities.
- Performance and Monitoring. Management should have appropriate performance and monitoring systems to assess whether new activities meet strategic expectations and legal requirements and are within the bank’s risk appetite. Such systems should include limits on the size of risk exposure that is acceptable to management and the board, identification of specific objectives and performance criteria to evaluate the success of new activities, and periodic testing of the effectiveness of operational controls and safeguards and of compliance with applicable laws, regulations, and bank policies and procedures; such testing should consider potential risks of unfair or deceptive acts or practices.
- Third-Party Relationship Risk Management. The OCC states that “unique risks” are created when a bank engages in new activities through third-party relationships and stresses the need for management to understand such risks and conduct adequate due diligence on third-party service providers. Observing that fintech companies “continue to grow significantly in importance,” the OCC indicates that a bank should include fintech companies in its third-party risk management process and outlines steps consistent with prudent risk management that a bank should take if it partners or contracts with a fintech company to offer new products or services.
With regard to supervision, the OCC states that its examiners review new activities consistent with OCC risk-based supervision, which considers the effect of new activities on a bank’s risk profile and the effectiveness of the bank’s risk management system. The OCC also encourages management, before engaging in new activities, to discuss its plans with the bank’s OCC portfolio manager, examiner-in-charge, or supervisory office, particularly if such activities would constitute a substantial deviation from the bank’s existing business plans.