Banks need to conduct a thorough due diligence review to understand how the fintech company intends to provide services and products to bank customers and that they can meet regulatory expectations. Generally, this means assessing the project’s impact on the following risk categories:
Every fintech is different, but most fintech projects present medium to high levels of operational and compliance risk.
This is due to the technologically innovative nature of fintech projects and the uncertainties that often surround the application of compliance laws to new fintech products and modes of service.
Third-party relationships are an outgrowth of the bank. Particularly where a third-party relationship with a fintech company involves bank-critical functions (e.g., payments, clearing, settlements, custody) or shared services (e.g., information technology), banks need to evaluate the extent to which a failure of that relationship entails significant risk to the bank or the bank’s customers.
For that reason, regulators expect banks to promote high standards of compliance and vendor management when using third parties to provide services and products directly to consumers. At the outset, banks must develop and implement a vigorous compliance management system (CMS) to mitigate third-party risk and address regulatory obligations. A good CMS will address nine pillars:
In particular, the FDIC, the Federal Reserve and the OCC all have issued guidance regarding third-party risk and vendor management. A key consideration for banks is the level of due diligence information available from newly established fintech startups.
If unable to receive in-depth information from the fintech company, banks need to develop alternative ways to analyze such relationships—particularly when the relationship with the fintech company supports a bank-critical activity.
Another key consideration is whether the potential fintech partner utilizes any other third-party vendor to offer its product and services. If the answer is yes, the bank will need to assess to what extent due diligence is required to be comfortable with those derivative third-party relationships.
These guidance expectations equally apply to banks’ relationships with fintech companies and should be incorporated in their CMS. Moreover, banks will want to make sure their fintech partners have equally effective CMS in place. As explained in more detail below, a good CMS is the first line of defense against consumer and regulatory concerns.
“Financial institutions themselves are responsible for providing innovative financial services safely... While ‘run fast and break things’ may be a popular mantra in the technology space, it is ill-suited to an arena that depends on trust and confidence...
There are more serious and lasting consequences for a consumer who gets, for instance, an unsustainable loan on his or her smartphone than for a consumer who downloads the wrong movie or listens to a bad podcast.”
- Federal Reserve Board Governor Lael Brainard, Speech: The Opportunities and Challenges of Fintech (December 2, 2016).
Strategic Plan: It is critical that banks consider a strategic plan that includes investment in the right people and processes to mitigate these risks.
Invest in People: A strong chief technology officer and a strong chief compliance officer will greatly help reduce risks and build credibility and goodwill with regulators.
Monitoring: After onboarding, the bank must implement a comprehensive monitoring process. All due diligence activities and third-party risk assessments must be documented in writing in a consistent, uniform and easy-to-understand manner, and should include:
The best way to meet these points is to make sure they are set out in a written contract.
As part of their risk assessment and due diligence of fintech projects, banks should also consider
The bank may want to consider test-running the project with a smaller subset of customers before making it more widely available, and should ensure that the marketing plan for the project reflects the profile of the target customer. As the bank progresses through the lifecycle of a new fintech project, the bank may need to adjust the project’s staffing needs. For example, more technology and compliance resources are likely to be needed at the beginning of the project lifecycle, with a shift to more business line resources as the project matures, automation occurs, and economies of scale begin to kick in.
The bank will need to establish (or if existing, enhance) its ability to audit both the fintech partner as well as its own compliance and enterprise risk management systems, to include policies, procedures and staffing levels to address, facilitate and operate the venture. Regular documented reviews of this system must occur at both the bank and the fintech partner. If necessary, the bank may need to employ specialized staff in this regard and insist that the fintech company do the same.
Similar to the banking world, the current regulatory environment for fintech is complex, varying from company to company. To determine which regulations apply to their business, fintech companies must ask three questions:
The financial products and services offered by a fintech company will determine which regulators, if any, have jurisdiction over the company when it participates with a bank:
Fintech companies that partner with existing regulated entities (e.g., a bank or an SEC-registered investment advisor) may not have to directly comply with all of their partner’s applicable regulations, but often must, by contract, agree to comply with certain regulations and a degree of regulatory oversight as a condition of the partnership.
All fintech companies located in America (and U.S. citizens operating overseas) must abide by the trade sanctions rules promulgated by the federal government. These rules are based on U.S. foreign policy and national security goals with respect to targeted foreign countries, terrorists and other threats to the United States. The Office of Foreign Assets Control (“OFAC”) administers and enforces these rules.
The location of a fintech company and its customers also shapes the company’s regulatory environment. Each state has its own rules applying its regulatory regimes to companies located within the borders of the state. A state’s regulatory regime will also, generally, govern all companies (regardless of their location) that provide consumer financial services to residents of their state.
However, if a company operates with a federal banking license, at least some of these state rules may be preempted. Operating with a federal banking license can simplify the regulatory regime for fintech companies that operate in multiple states.
Functional regulation, that is, assigning a company a regulatory regime based on the functions or services the company provides, has been the dominant financial regulatory model for some time (since Gramm-Leach-Bliley).
Therefore, to this point, the evolution of fintech regulation has consisted of existing regulators’ declaring that particular fintech business lines provide functional services that fall within their jurisdiction, and then applying established regulations for these functions to those fintech companies. This trend will likely continue, at least in the near future.
The evolving concept of what constitutes “money,” as well as the increasing integration of financial markets has impacted how (and the degree to which) the Federal Reserve can control the money supply and exercise monetary policy.
To the extent that fintech products and services are within expansive definitions of the money supply, the more likely it is that those products or services would be brought under the Federal Reserve’s jurisdiction or otherwise be subjected to bank-like regulation.
The evolving nature of transaction settlement services (e.g., blockchain technologies) will likely have a dramatic impact on the financial industry. The changes could make settlement faster, safer, more efficient and less costly.
It could also decouple the provision of settlement services from the provision of other financial services. If a fintech company achieves significant scale with a settlement service, it is possible that it could be regulated by the Federal Reserve as a designated financial market utility or a systemically important financial institution.
The global competition for fintech innovation has driven some jurisdictions to amend their regulatory framework in order to attract capital and people. This trend will continue, but holes in regulation could lead to detrimental economic consequences, which in turn could reverse deregulation trends.