Debevoise & Plimpton Discusses Regulatory Developments in FinTech

In this update, we review a number of recent regulatory developments that may impact firms engaged in the industry of new and innovative financial technology (“FinTech”). First, we discuss the Federal Deposit Insurance Corporation’s (“FDIC”) new guidance on examining third-party lenders, including the risks and potential takeaways for parties to marketplace lending (“MPL”) arrangements. Second, we examine the Office of the Comptroller of the Currency’s (“OCC”) recent proposed rule outlining a receivership framework for non-FDIC insured national banks, focusing particular attention on the implications for FinTech firms. We conclude with takeaways for MPL and FinTech firms to consider as they survey the current regulatory environment.

The FDIC’s Guidance for Third-Party Lending

On July 29, the FDIC released its Proposed Examination Guidance for Third-Party Lending (the “Guidance”).[1] The Guidance is meant to supplement the FDIC’s 2008 guidance on managing risk in third-party vendor relationships. In addition to providing steps by which FDIC-regulated institutions should manage third-party lending risk, the Guidance reflects the FDIC’s increasing focus on MPL activities, especially in light of recent judicial decisions.[2] Comments on the Guidance are due by October 27, 2016.

Overview of the Guidance

In 2008, the FDIC released its Guidance for Managing Third-Party Risk focusing primarily on depository institutions’ responsibilities for understanding and managing third-party relationships. According to the FDIC, institutions are responsible for implementing an appropriate third-party risk management program that includes: (1) risk assessment; (2) due diligence in selecting a third party; (3) contract structuring and review; and (4) oversight.[3]

The Guidance uses these measures as a baseline by which institutions engaged in the third-party lending market mitigate any potential risks involved. The Guidance contemplates a variety of structures, e.g., online platforms that match borrowers to lenders, as well as more traditional third-party lending activities through third-party finders.

Structure of the Guidance

The Guidance defines “third-party lending” as an arrangement that relies on a third party to perform a significant aspect of the lending process. This includes institutions that originate loans: (i) for third parties; (ii) through or jointly with third parties; and (iii) when using platforms developed by third parties.

Assessing Risk. Under the Guidance, an institution’s risk management program should include a strategic plan allowing the institution to ensure the necessary operational capacity to oversee the relationship, as well as appropriate third-party lending policies and procedures. The FDIC’s Guidance instructs institutions to consider four risk factors as part of developing a third-party lending program:

  • Strategic Risk. This factor looks towards whether the institution has appropriately considered the risks arising from adverse business decisions and has implemented appropriate business decisions in line with the institution’s strategic goals.
  • Operational Risk. By turning to third parties for help in the lending process, institutions import another organization’s operational systems, which may not function in tandem with the institution’s own system. This category considers potential losses from inadequate or failed internal processes or external events, including transaction, pipeline and liquidity and model risk.
  • Credit Risk. This risk factor considers situations where a third party is unable to meet its contractual obligations. For example, the FDIC instructs institutions to pay particular attention to third-party fee structures that are transaction-based, as such structures could skew incentives away from maintaining appropriate loan quality.
  • Compliance Risk. In addition, institutions may be subject to the risk that their third-party lending partners could be subject to alternative regulatory schemes or operate outside of the ambit of traditional financial regulators, which could expose the institution to further risks.

Evaluating Third-Party Relationships. Once an institution considers the various risks involved in engaging in third-party lending activities, the FDIC expects a review of third-party relationships to manage those risks. This review should include:

  • Risk Assessment. Conducting a risk assessment, prior to developing the relationship, to fully inform the institution of the risks in engaging with the third-party—including how the new relationship fits into the institution’s strategic plan and whether the vendor appropriately meets safety and soundness considerations.
  • Due Diligence and Ongoing Oversight. A thorough review by senior management or the board of directors, including initial due diligence and ongoing oversight, should enable the institution to understand how the third party is executing its lending activities. This review should include a strong understanding of the third party’s liquidity and funding sources; any models used in determining consumer credit; and any vendors on which the third party relies.
  • Contract Structuring and Review. Any third-party lending contracts should include provisions to limit the institution’s exposure to credit risk, provide termination rights and allow access to relevant information, e.g., related to consumer borrowing through a lending platform.

Exam Expectations. Institutions with significant third-party lending activities should expect FDIC examinations of these practices at least yearly, concurrent with risk management and consumer protection examinations. Periodic “targeted” exams also will occur, which may include risk management and policy implementation analyses. The areas on which institutions should expect the FDIC to focus include:

  • Credit Underwriting and Administration. Credit underwriting standards are a key feature of the Guidance, and the FDIC expects the institution to establish credit underwriting and administration standards that comply with existing safety and soundness principles commensurate with the institution’s risk appetite. As part of these standards, institutions, particularly senior management, should closely monitor compliance with these standards and should also promptly charge off any uncollectible loans.
  • Liquidity and Capital Adequacy. Regulators, including the Department of the Treasury and the OCC, have discussed concerns regarding the maintenance of funding sources and liquidity for MPL firms. In conjunction with this risk, the FDIC asks institutions to assess concentrations in their funding sources and maintain back-up funding arrangements to address any pipeline risk in these third-party arrangements. Further, institutions engaged in these relationships should determine the amount and level of capital needed, given the risk of such programs.
  • Legal Compliance. Ongoing compliance with federal and state consumer financial protection laws by an institution and its third parties will be a primary focus of the FDIC’s examination of an institution. In addition, institutions should ensure that third parties have policies and procedures in place with respect to the Bank Secrecy Act, anti-money laundering regulations and the legal regimes surrounding the safeguarding of consumer financial data.

The OCC’s Proposed Rule on Receiverships for Uninsured National Banks

On September 13, the OCC published proposed rules (“Proposed Rule”) detailing a receivership framework for uninsured national banks under the National Bank Act (“NBA”), rather than through the FDIC’s receivership framework.[4] The receivership framework is the first building block for a potential charter on new and innovative financial technologies (“FinTech”), as this would provide a mechanism by which the OCC could resolve such companies in material financial distress, if such a charter was granted.

In the Proposed Rule, the OCC clarifies that the NBA provides such authority separate from the FDIC receivership under the Federal Deposit Insurance Act (“FDIA”) and the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (“FIRREA”). In particular, the OCC notes that until the creation of the FDIC in 1933, the OCC maintained receivership authority for all national banks under the NBA. The OCC then explains that given changes made to the FDIC receivership model, including under FIRREA, the FDIC is not required to be the receiver of an uninsured national bank and that the receivership of such a bank would occur under the NBA.

The Proposed Rule provides a framework for receivership, including provisions to appoint a receiver, submit and prioritize claims, designate a receivership period and distribute assets. Currently, the Proposed Rule would apply to only the 52 uninsured national trust banks under OCC supervision, but the OCC plainly states that it could also apply to a limited purpose FinTech charter.

Implications for FinTech Firms

  • In Question 1 of the Proposed Rule, the OCC describes its ability to charter various types of “special purpose banks” that are engaged in “core banking functions [such as] . . . receiving deposits, paying checks or lending money,” which could exclude certain types of FinTech firms. The OCC then directly asks whether this receivership framework would raise any unique considerations for “innovative special purpose banks.”
  • While the receivership framework is an initial step towards a FinTech charter, such a charter would be conditioned on rigorous safety and soundness examinations. In a speech made on the same day as the Proposed Rule, Comptroller Thomas Curry stated: “If [the OCC] decides to grant limited-purpose charters in this area, the institutions who receive the charters will be held to the same strict standards of safety, soundness, and fairness that other federally chartered institutions must meet,” although this regulation may help “provide a more level playing field for financial services offered on a national scale.” Comptroller Curry also suggested that “federal charters could help [FinTech firms] better navigate the existing regulatory landscape by consolidating oversight, reducing licensing burden, and applying a single uniform set of rules.”[5]
  • In addition, the OCC continues to conduct outreach to nonbanks as part of its FinTech activities. In recent remarks, Kay Kowitt, Deputy Comptroller for the Western District, a leader of the OCC’s FinTech initiative, stated that by speaking with nonbanks, the OCC hopes to understand both the risk and opportunities in encouraging innovation in financial services. The timeline for recommendations from this outreach will be sometime in the next three months, and may include a recommendation to offer a national charter for FinTech firms.[6]

FinTech firms interested in the future of the industry may want to consider submitting comments to the OCC during the proposed rule’s notice and comment period, which ends November 14, 2016.

Takeaways for MPL and FinTech Firms

  • The FDIC Guidance reflects enhanced scrutiny of the MPL industry, particularly on those banks involved in MPL origination or servicing.
  • Further, the FDIC Guidance emphasizes third-party lending company legal compliance. Thus, MPL firms should consider their current contracts and relationships with institution partners and assess whether they may be impacted by the Guidance with respect to their own compliance with regulations, including consumer protection, anti-money laundering and sanctions requirements, among others.
  • The OCC’s receivership proposal, if adopted, could lay the groundwork for a potential OCC FinTech charter. While a FinTech charter may be further down the road, the potential signal in the OCC’s proposal is to adopt a framework by which financial innovation may be incorporated into the traditional banking model.


[1]      Federal Deposit Insurance Corporation, Proposed Examination Guidance for Third-Party Lending (July 29, 2016) available at

[2]      See, e.g., CFPB v. CashCall Inc., CV 15-7522-JFW (C.D.C.A. Aug. 31, 2016). In CashCall a federal judge found that CashCall’s so-called “tribal lending” model was not sufficient to allow the online firm to avoid state usury laws by making loans through an institution located in Native American lands.

[3]      Federal Deposit Insurance Corporation, Third-Party Risk Guidance for Managing Third-Party Risk (June 6, 2008) available at

[4]      Office of the Comptroller of the Currency, Notice of Proposed Rulemaking: Receiverships for Uninsured National Banks (Sept. 13, 2016) available at

[5]      Commissioner Thomas Curry, Speech to the Marketplace Lending Policy Summit (Sept. 13, 2016) available at

[6]      Greg Roberts, “OCC Reaches Out to Nonbanks as Part of Innovation Project,” Bloomberg BNA (Sept. 22, 2016).

This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s client update, “Regulatory Developments in the FinTech Space,” dated October 7, 2015, and available here.