Close
Article

Are Fintechs Regulator Ready? Part I: Internal Controls

Ken Tays explores the OCC’s new operational charter and how it will impact fintech companies. Article one of three in the series.

Are Fintechs Regulator Ready? Part I: Internal Controls

In July 2018, the Office of the Comptroller of the Currency (OCC) updated within the Licensing Charter Supplement a new charter specifically applicable to fintech companies. The updated charter allows fintech companies to operate on a national basis and take in non-FDIC-insured deposits, which will put them on the same competitive playing field as other state and national banks. The July 31, 2018, OCC policy states that these companies will face the same regulatory scrutiny as banks of similar size and complexity. In particular, the OCC highlighted “capital, liquidity, and risk management.” This series is focused on the last element, risk management.

To date, fintech companies were regulated by the states, which mandated business licensure for each state they operate in and do not require the application for bank charters. In order to obtain an OCC bank charter, the fintech company must pass the OCC license process in which the company demonstrates how they will comply with OCC regulation 12 CFR 30 Appendix A, which establishes the interagency standards for safety and a sound internal controls environment.

Appendix A is fairly prescriptive as it mandates the internal controls and information systems to provide for:

  1. An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies
  2. Effective risk assessment
  3. Timely and accurate financial, operational and regulatory reports
  4. Adequate procedures to safeguard and manage assets
  5. Compliance with applicable laws and regulations

Entities in less or unregulated industries often have these elements, but may not be sufficiently defined at the requisite level of this new mandated regulatory regime. The level of development within policies and procedures, along with the review and approval process, is more onerous with regulated entities, especially financial services. For example, banks are required to evidence the following:

  • A fully developed organizational structure with clear roles and responsibilities;
  • A demonstrated segregation of duties

The risk governance framework will be driven by the size and complexity of the organization. However, the company will need to demonstrate:

  1. The desired risk appetite
  2. Ability to identify, measure, monitor and control risk
  3. Senior management risk reporting
  4. Evidence of the having the right talent with sufficient knowledge and experience in risk management

Risk management has always been more art than science and it will take more than rolling out a couple of models to get regulatory approval. Larger fintech companies listed on an exchange will have financial reporting structures in place but setting up systems for reporting the Call Report will prove more challenging. The Call Report is built on schedules and dissects the balance sheet and income statement in various ways. New banks often find this process the most difficult to achieve as the mapping of each schedule items can be cumbersome. For companies that are not already reporting financial data, this process will be even more challenging.

Data privacy and customer information is always important. The OCC is focused both on consumer privacy and reputational risks of their regulated entities. When breaches occur, it damages the reputation of the bank and the OCC. For fintech businesses, the visibility and review of data governance and protection will be more paramount given their innate business models.

Of all these categories, compliance may have the biggest impact on the fintech company applying for a charter. Consumer advocacy groups are focusing on the fintech charters and looking for fully functional and well documented/vetted compliance departments as they are subject to all consumer regulations. Obtaining an OCC charter will provide fintech companies benefits but, as De Novo institutions, they will go through many years of elevated scrutiny before they are accepted by regulators as well-established.