Third Party Risk Management

The OCC and Your Fintech Partnerships

On August 29, 2022, the OCC entered into an agreement with Blue Ridge Bank, NA, a 22-year-old Virginia-based institution. Blue Ridge is required to make considerable reforms to its compliance program. Until then, Blue Ridge is restricted from pursuing some new business opportunities without OCC approval.

The OCC has demonstrated that they will step in and exercise their controls when an institution fails to adhere to the rules. Could your institution be next?

What went wrong and what is there to learn?

Lack of Board Accountability and Board Involvement

At the end of the day, the Board is responsible and accountable for (among many items) receiving and reviewing compliance reports on a periodic basis (monthly or quarterly is suggested) and approving new fintech relationships. These activities must be documented, i.e., in policies, procedures, and meeting minutes.

Loose Third-Party Risk Management

Since OCC Bulletin 2013-29 and as recently as OCC Bulletin 2021-40, when entering a third-party relationship, a financial institution is expected to have a third-party risk management and oversight program that is commensurate with the level of risk and complexity of that relationship. Is it documented? Proportional to your environment? Repeatable?

Inadequate BSA/AML

The BSA/AML program must include an effective plan and assessment of compliance risk across the entire institution: all products, services, customers, entities, and partnerships. Partnerships include third-party fintech relationships. Is the BSA/AML program fully staffed and appropriately trained?

Incomplete Customer Due Diligence

Do the institution’s policies, procedures, and processes support appropriately collecting, maintaining, and understanding a client’s due diligence materials and beneficial ownership data from individuals and various fintechs?

Weak Suspicious Activity Reporting

Do the institution’s policies, procedures, and processes assist with incident identification, filing a report, and monitoring of suspicious activity across the institution? Has the staff been recently trained, and does it know how to identify suspicious activity?

Lack of IT Controls

IT controls should specifically address data storage, processing, and security risks, both within the institution and in fintech engagements. Are the IT controls documented? Proportional to your environment? Repeatable?


If your institution has partnered with a fintech, learn from Blue Ridge Bank’s experience. Fortrex Technologies is here to help your organization sort out what your exposure may be. Reach out today. Please let us know how we can help you continue to have an effective and efficient third-party risk management program.