What the OCC-Blue Ridge Agreement Really Means
Implications for Fintech, BaaS, banks, and beyond #BaaS #AnchorageDigital #DataInfra #Alloy #Nova
I love regulated industries. The complexities are intriguing to me. After starting my career in the highly regulated healthcare investment banking industry, I found myself knee-deep in another highly regulated industry, fintech.
In the latest installment of fintech regulation, the OCC and Blue Ridge ($BRBS) entered into a highly prescriptive agreement regarding Blue Ridge’s practice in third-party (read: fintech) risk management, among other related areas. So naturally I read through the 19-page agreement. Below is my breakdown of the 19-pager and its long-term implications. (Disclaimer: nothing within is legal advice or investing advice.)
File under “what did you think would happen?”
Before anyone cries “over-regulation”, many improvements within this agreement read like common sense and basic requirements. For example:
“Within sixty (60) days of the date of this Agreement, the Board shall adopt and Bank management shall implement and thereafter adhere to a written program to effectively assess and manage the risks posed by third-party fintech relationships.”
For another example:
“Within ninety (90) days of the date of this Agreement, the Board shall ensure that the Bank’s BSA Department is appropriately staffed with personnel that have requisite expertise, training, skills, and authority.”
It’s shocking that a bank with almost $3bn of assets was running naked without a written third-party risk management program and with few BSA employees.
How understaffed is Blue Ridge’s compliance department?
A quick LinkedIn search reveals that only 4% of BRBS’ employees work in compliance, compared to almost 10% at Bancorp, another popular, albeit bigger, fintech sponsor bank.
While the extent of the agreement may be surprising, no one seemed surprised by the fact that some sort of agreement came forward.
Why Blue Ridge, why now?
No one on the outside knows for sure, although some are linking the OCC’s scrutiny to BRBS’ recent M&A spree and complaints filed against BRBS regarding its income-sharing fintech partnership program.
For me, another clue is found in the recent Consent Order entered into between the OCC and Anchorage Digital. Naturally I read through the 25-page Consent Order, dated April 2022. Reviewing the Anchorage Consent Order side by side with the Blue Ridge Agreement, one could see many parallels: similar focus on BSA/AML, similar order to establish a board-level compliance committee specifically addressing the OCC’s requests, similar order to staff up each bank’s BSA office, similar order to operationalize a risk-based customer due diligence program, similar order for each bank to submit retroactive and go-forward suspicious activity reports; the list goes on.
BSA/AML seems to be the regulatory saveur du jour. Blue Ridge might have been an “easy” and top-of-mind target 🤷🏼‍♀️
Major changes ahead for fintech-bank partnerships
One stipulation in the agreement could set a different tone and a new precedent for fintech-bank partnerships going forward. Specifically, the OCC now has sweeping authority to object to any new products and services coming out of any Blue Ridge-sponsored fintech programs (Section III (3)):
“Prior to onboarding new third-party fintech relationship partners, signing a contract with a new fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech relationship partners, the Board shall obtain no supervisory objection from the OCC. At a minimum, the bank shall submit the due diligence package including supporting documentation, any proposed contract, and any management or board committee minutes approving the relationship.”
The interpretations and implications of Section III (3) will surely be felt throughout the fintech industry for years to come:
First off, what is considered new? Each season, I look forward to new flavors from my local coffee shops. To a consumer, a new flavor is “new”. To the regulator, is a new flavor of an existing financial product considered “new”? Or is a line extension of an existing product considered “new”? Or is starting a new line of business considered truly “new”? Where is the line drawn?
When may Blue Ridge resume current fintech activities? The Agreement doesn’t explicitly call for a cease and desist, but it’s an open secret that little fintech sponsorship activity has been happening over there. So the next question is, when may BRBS resume current activities with existing fintech partners? One read can be that current activities are not “new”, so BRBS doesn’t need to obtain no objection letters from the OCC to resume such activities, as long as BRBS satisfies other requirements in the agreement, such as by submitting a Suspicious Activity Report and obtaining no supervisory objection from the OCC; another read can be that BRBS has decided/been asked to take a conservative stance, and that no fintech activity will resume until the bank has implemented its new Customer Due Diligence program.
Will no-objection become the new normal? Perhaps the most profound impact is yet to be felt. BRBS is not the first, and likely won’t be the last, sponsor bank to be under the OCC’s scrutiny. The OCC, a division of the U.S. Treasury Department, oversees all banks with national bank charters, including Column Bank, which I wrote about previously. For other nationally chartered sponsor banks, now is the time to proactively shore up their respective BSA/AML programs, before they get swallowed by another no-objection arrangement.
Further implications
Time to invest in your data infrastructure
In both the Blue Ridge Agreement and the Anchorage Consent Order, the OCC made data governance a board-level imperative. Specifically, in the Consent Order:
“This data governance program shall include effective data governance processes to help ensure that risk management related management information systems are reliable, including information such as transaction volumes, customer risk ratings, customer business types, and suspicious activity monitoring data including alert volumes.”
I’ve worked with enough fintechs to appreciate how under-invested the industry is in data infrastructure. No single source of truth? Common. Conflicting definitions of the same concept within the same company? Yup. Don’t know which customer is late in paying you while you continue to service them? Seen that before.
Let this Agreement be a wake-up call to start investing in your company’s data infra.
To go further, data infrastructure should not just be used to window dress before a regulator exam.
Used smartly, a solid data infrastructure enables smart business decisions, supports top-notch customer experiences, and supercharges your next round of fundraising. On the last point, I’ve helped several early-stage fintechs to secure $150mm+ in capital by upgrading/creating their data infrastructure from scratch.
Curious how to make your fintech’s data infra your competitive advantage? Drop a comment below.
Tailwind for KYC, KYB, and alternative credit vendors
Lastly, as a silver lining, this agreement and the OCC’s recent posture should serve as a tailwind for identity verification vendors. Specifically, Section VII (1) (f) of the Agreement stipulates that:
“The Program, at a minimum, must include for the fintech business … policies, procedures, and processes for determining how customer information, including beneficial ownership information for legal entity customers, is used to meet relevant regulatory requirements, including but not limited to, identifying suspicious activity, identifying nominal and beneficial owners of banking accounts, and determining OFAC sanctioned parties.”
There’s bound to be more demand for initial KYC/KYB solutions, and for ongoing account review solutions, which is great news for identity vendors such as IDology and Middesk, KYC/KYB aggregators such as Alloy and GDS Link, and credit-file important vendors such as Nova Credit.
What’s your read of the Agreement? Drop a line below.