As fintech companies begin to explore an application for an OCC charter, they will need to review their compliance department to ensure it meets the requirements in 12 CFR 30 Appendix A, which state that an institution should have internal controls and information systems that are commensurate with the size of the institution and the nature, scope and risk of its activities, and that provide for:
- An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies;
- Effective risk assessment;
- Timely and accurate financial, operational and regulatory reports;
- Adequate procedures to safeguard and manage assets; and
- Compliance with applicable laws and regulations.
Presently, fintech companies are regulated by the states and even by the Consumer Financial Protection Bureau (CFPB) from a compliance standpoint. Fintechs will generally have the requisite controls in place to ensure they are abiding by the laws pertaining to consumer lending and Section 5 of the FTC Act for unfair, deceptive or abusive practices (UDAAP). When it comes to migrating to a federal banking charter, fintech companies should experience little change in regulatory oversight.
However, the OCC handbook for Compliance/Anti-Money Laundering (AML) indicates that the regulator expects the company to have a Compliance Management System (CMS), which the handbook indicates would include “policy, procedure, processes, monitoring and testing programs and a compliance audit function.” Fintech companies may need to enhance their CMS in order to meet these regulatory requirements.
The OCC handbook outlines the minimum requirements for an adequate CMS. Please note that the CMS must be tailored to the size and complexity of the organization.
Board and Management Oversight
- Oversight and commitment, including oversight of third parties
- Change management
- Comprehension, identification and management of risks
- Self-identification and corrective action
Fintech companies may need to focus on change management, self-identification and corrective action. Management will need a demonstrated process in place that identifies when regulations are changing, assesses the business impact, and formulates and executes an action plan. Fintech companies may have less formal processes in place that will need to be supported with a sound structure.
Management will need to ensure they have an effective check-and-challenge process that includes an annual Compliance Monitoring Plan. These plans need to include effective testing as well as remediation and verification. As with audits, regulators will expect this testing to be fully documented and all conclusions fully supported.
Consumer Compliance Program
- Policies and procedures
- Consumer compliance training
- Monitoring and audit
- Consumer complaint response
Many fintech companies will already have implemented each of these areas to some extent. However, they may need to expand them to fully cover the organization. While policies and procedures may be fully developed, compliance training may not be as complete as required. Regulators will not only review completion and attendance logs but also review the training material itself to ensure it contains the most up-to-date information.
When it comes to meeting the requirements of 12 CFR 30 Appendix A, compliance is likely the area in which fintechs will need the least work. Nonetheless, companies applying for a charter will need to review their compliance programs to ensure they can meet the CMS requirements in the OCC handbook. Given the type of lending in which many fintech companies engage, a well-established and fully supported CMS will be required to ensure the company complies with all laws and regulations.