Banking Agencies’ Guide to Conduct Due Diligence on Financial Technology Companies

By Alma Angotti, Christopher Sicuranza, Kathryn Rock, Hoan Wagner, Patrick DellaValle

Financial technology (fintech) companies currently do not have to adhere to the same compliance regulations or standards that banks, including community banks, face from a risk and regulatory perspective. Because formal regulatory structure alignment is limited, it is up to the banks to apply a comprehensive due diligence process before entering into agreements for services from a fintech company. Given this “uneven playing field” from a regulatory perspective, banks that partner with fintech companies can take on more unforeseen risk because of differences in risk management fundamentals and in the interpretation of regulatory requirements. With innovation and partnerships increasing, the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency on August 27, 2021, issued a guide for community banks to conduct due diligence on their third-party relationships to meet legal and regulatory requirements.

What's New?

While the regulators have released this guide to assist community banks, it is relevant for all financial institutions in performing a robust due diligence review on prospective fintech companies before entering a relationship. Through the utilization of this guide, quality due diligence can help mitigate unforeseen risk in six key areas detailed below.

6 Key Due Diligence Focus Areas

  1. Business Experience and Operational History: Community banks should determine if the prospective fintech has experience working with community banks or if their leadership has the expertise to navigate the proposed activity. Understanding the fintech’s strategic plans, such as establishing joint ventures or launching new products, provides insight regarding the future direction of the fintech company.
  2. Financial Conditions: Community banks should evaluate the capability of the prospective fintech to fulfill its intended obligation, along with potential vendor risks. Analysis of financial statements, origin of funding, and future projections provides insight into the current condition and outlook of the fintech. Community banks should also evaluate client and subsidiary involvement to determine if vulnerabilities exist related to geopolitical or revenue risk based upon political and economic instabilities and supplier quality impacts that could hinder the performance of its obligation to the bank.
  3. Legal and Regulatory Compliance: It is essential to ensure the fintech has appropriate processes in place and is operating in a manner that is in adherence to regulatory requirements, including security, privacy, Bank Secrecy Act/Anti-Money Laundering, and consumer protection, such as fair lending and fair credit reporting, among others. Community banks should review the history of any lawsuits, remediation, and enforcement actions to understand the key areas of risk and the fintech’s past response to such issues.
  4. Risk Management and Controls: Community banks should evaluate a fintech against their risk appetite to ensure business is conducted in an appropriate manner and does not expose the bank to undue risk. Community banks should review audit reports, self-assessments, training materials, key performance indicators, key risk indicators, and relevant reporting to understand the ability of the fintech to adhere to the bank’s risk tolerance. Lastly, it is important to understand the reporting mechanisms, including what is reported to the board of directors and other governing bodies.
  5. Information Security: Community banks should ensure the integrity of handling sensitive and confidential information by evaluating the prospective fintech’s security and privacy policy and procedure framework and training programs (e.g., phishing exercises). This will help confirm that the data the bank provides is properly safeguarded and that the company can handle current and future security and privacy obligations. Lastly, banks should ensure the fintech’s incident management and response program is able to comply with the bank’s own incident response requirements.
  6. Operational Resilience: Community banks should evaluate the fintech’s business resiliency capabilities, including evidence that quality business continuity, incident response, disaster recovery, and backup processes are in place. Evaluating the fintech’s approach to changing conditions, threat detection, and threats or incidents will indicate how well the company can resume business after such an event. Additionally, checks should cover whether there is insurance for loss of property or whether there is a contingency plan to meet the service-level needs of the bank and its commitment to customers.

What You Should Start Doing

Here are some key considerations for community banks considering a partnership with a fintech company:

  • Determine if the third-party relationship aligns with the community bank’s goals and risk appetite.
  • Gauge the third party’s ability to complete their commercial obligation over the course of the relationship.
  • Assess the third party’s knowledge of legal and regulatory compliance and whether they are calibrated with the community bank’s policies and standards.
  • Evaluate the risks and benefits of the third party and confirm that the appropriate infrastructure is in place to manage business resiliency, performance, and protocols to address areas such as issue escalation and consumer complaints.

How Guidehouse Can Help

Performing appropriate due diligence on prospective fintech partners/suppliers can be challenging. Understanding the need for a comprehensive due diligence program, including scope and scale of reviews, is necessary to appropriately assess the risk and benefits of these relationships. Guidehouse has extensive experience working with financial institutions of all types and sizes, including banks and their fintech partners, and performing due diligence and supporting solutions across these relevant programs:

  • Compliance Management Program/System (CMP/CMS)
  • Compliance Monitoring & Testing
  • Third-Party Risk Management and Sub-Servicer Oversight
  • Enterprise and Compliance Risk & Impact Assessment
  • Vendor Rationalization and Contract Compliance Services
  • Information Protection and Data Privacy
  • Bank Secrecy Act/Anti-Money Laundering
  • Business Resiliency

Special thanks to Zachary Hambrice and Vince Kallarackal for contributing to this article. 
