Q: Is a fintech company arrangement considered a critical activity?
A: A bank’s relationship with a fintech company may or may not involve critical bank activities, depending on a number of factors. OCC Bulletin 2013-29 provides criteria that a bank’s board and management may use to determine what critical activities are. It is up to each bank’s board and management to identify the critical activities of the bank and the third-party relationships related to these critical activities. The board (or committees thereof) should approve the policies and procedures that address how critical activities are identified. Under OCC Bulletin 2013-29, critical activities can include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that
- could cause the bank to face significant risk if a third party fails to meet expectations.
- could have significant bank customer impact.
- require significant investment in resources to implement third-party relationships and manage risks.
- could have major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house.
The OCC expects banks to have more comprehensive and rigorous management of third-party relationships that involve critical activities.