ICBA ThinkTECH: Roadblocks

Every fintech is different, but most fintech projects present medium to high levels of operational and compliance risk. Here are some ways to mitigate that risk.


Know the Road & Roadblocks

Banks need to conduct a thorough due diligence review to understand how the fintech company intends to provide services and products to bank customers and whether it can meet regulatory expectations. Generally, this means assessing the project’s impact on the following risk categories:

  • strategic
  • credit
  • interest rate
  • liquidity
  • price
  • operational
  • compliance
  • reputational


Every fintech is different, but most fintech projects present medium to high levels of operational and compliance risk. This is due to the technologically innovative nature of fintech projects and the uncertainties that often surround the application of compliance laws to new fintech products and modes of service.

How to Mitigate Third-Party Risk

Third-party relationships are an outgrowth of the bank. Particularly where a third-party relationship with a fintech company involves bank-critical functions (e.g., payments, clearing, settlements, custody) or shared services (e.g., information technology), banks need to evaluate the extent to which a failure of that relationship entails significant risk to the bank or the bank’s customers.

For that reason, regulators expect banks to promote high standards of compliance and vendor management when using third parties to provide services and products directly to consumers. At the outset, banks must develop and implement a vigorous compliance management system (CMS) to mitigate third-party risk and address regulatory obligations. A good CMS will address nine pillars:

  1. Board oversight (how the fintech relationship fits into the bank’s strategic plan, outlining the inherent risks, objectives, cost-benefit analysis and other considerations);
  2. Policies and procedures (the internal rules governing the use of the fintech solution);
  3. Risk assessment (operational, compliance, reputation, strategic, credit and contractual risk associated with the fintech solution);
  4. Due diligence (a full-scope evaluation of the fintech solution);
  5. Compliance officer (how the bank will execute the compliance framework with respect to the fintech solution);
  6. Training (up-to-date and tailored training specific to the fintech solution);
  7. Contract provisions and considerations (how the bank frames its legal expectations for the fintech solution);
  8. Monitoring (measuring performance metrics of the fintech solution); and
  9. Complaint management (the unofficial pillar of CMS).

In particular, the FDIC, the Federal Reserve and the OCC all have issued guidance regarding third-party risk and vendor management. A key consideration for banks is the level of due diligence information available from newly established fintech startups.

If a bank cannot obtain in-depth information from the fintech company, it needs to develop alternative ways to analyze the relationship—particularly when the relationship with the fintech company supports a bank-critical activity.

Another key consideration is whether the potential fintech partner utilizes any other third-party vendor to offer its product and services. If the answer is yes, the bank will need to assess to what extent due diligence is required to be comfortable with those derivative third-party relationships.

These guidance expectations apply equally to banks’ relationships with fintech companies and should be incorporated in their CMS. Moreover, banks will want to make sure their fintech partners have an equally effective CMS in place. As explained in more detail below, a good CMS is the first line of defense against consumer and regulatory concerns.

“Financial institutions themselves are responsible for providing innovative financial services safely. ... While ‘run fast and break things’ may be a popular mantra in the technology space, it is ill-suited to an arena that depends on trust and confidence. ...

There are more serious and lasting consequences for a consumer who gets, for instance, an unsustainable loan on his or her smartphone than for a consumer who downloads the wrong movie or listens to a bad podcast.”

- Federal Reserve Board Governor Lael Brainard, Speech: The Opportunities and Challenges of Fintech (December 2, 2016).

Moving Forward

Strategic Plan: It is critical that banks adopt a strategic plan that includes investment in the right people and processes to mitigate these risks.

Invest in People: A strong chief technology officer and a strong chief compliance officer will greatly help reduce risks and build credibility and goodwill with regulators.

Monitoring: After onboarding, the bank must implement a comprehensive monitoring process. All due diligence activities and third-party risk assessments must be documented in writing in a consistent, uniform and easy-to-understand manner, and should include:

  • Ongoing monitoring of the fintech company’s activities and performance;
  • Preparing contingency plans for terminating the fintech relationship in a manner beneficial to the bank;
  • Developing clear roles and responsibilities for overseeing and managing the relationship and risk management process with the fintech company;
  • Establishing reporting lines that facilitate oversight and accountability; and
  • Conducting independent audits so that bank management can determine whether the fintech relationship aligns with its strategy.

The best way to meet these points is to make sure they are set out in a written contract.

Umbrella Risk Assessment & Current Organizational Inventory

As part of their risk assessment and due diligence of fintech projects, banks should also consider:

  • the project’s targeted customers,
  • how they will staff the project internally, and
  • what internal systems will be necessary to support the project.

The bank may want to consider test-running the project with a smaller subset of customers before making it more widely available, and should ensure that the marketing plan for the project reflects the profile of the target customer. As the bank progresses through the lifecycle of a new fintech project, the bank may need to adjust the project’s staffing needs. For example, a project will likely need more technology and compliance resources at the beginning of its lifecycle, with a shift toward more business line resources as the project matures, automation occurs, and economies of scale begin to kick in.


Because they do not take deposits and do not receive depository insurance from the FDIC, fintech companies are arguably not subject to the Community Reinvestment Act of 1977 (CRA). In addition, because fintech companies do not have traditional brick-and-mortar storefronts operating out of a defined neighborhood, measurement against a distinct CRA assessment area may prove to be difficult. For these reasons, bank collaboration with fintech companies is not, in the near term, likely to change the bank’s CRA assessment area. Nonetheless, fintech partnerships can influence CRA ratings. Regulators—in particular the OCC—have stated that they would like to see the evolving fintech environment meet the CRA’s goals. Namely, fintech companies—and the banks that partner with them—should expect regulators to ask for documentation as to how the product or service is being implemented in a safe and sound manner and how it meets the CRA’s goals of financial inclusion, fair access, and fair treatment.

Unfair, deceptive and abusive acts and practices (UDAAP) remain a central consumer protection issue for bank regulatory agencies as well as other state and federal regulators (e.g., the Federal Trade Commission, the CFPB and state attorneys general). Although UDAAP concerns often seem to be a nebulous catch-all for consumer compliance issues, heightened areas of compliance risk permeate banks’ third-party relationships—in particular those in the fintech space. Many fintech companies providing services to bank customers will directly interface with those customers without real-time bank oversight. Payments and mobile banking services may implicate, among other things, the Electronic Funds Transfer Act and Regulation E. Remittance rules impose significant duties on service providers (including banks involved in the transaction) and trigger pre-transaction disclosure requirements that explain the permissible fees, error resolution procedures and consumer rights. Understanding which rules apply to which transactions and what compliance responsibilities may be passed on from the bank to the fintech vendor is critical.

Every fintech product and service implicates Bank Secrecy Act and anti-money laundering (BSA/AML) issues. The consequences of a BSA/AML violation can seriously impair a bank’s ability to operate (as well as its market reputation) and cut across all service segments and accounts. Illicit actors are constantly pressing the edges of legality to conceal the sources and uses of funds from regulatory scrutiny. This is particularly true in the payments, mobile banking and remittances areas—where creative electronic transactions, multiple relay points and digital currencies are used. In many cases, fintech vendors may not be as sophisticated or experienced as internal bank staff. Furthermore, because banks are subject to new and heightened obligations to know and understand the beneficial owners and control persons of their fintech vendors, banks need to work with their fintech vendors (as well as monitor them) to meet BSA/AML compliance goals. That means rigorous due diligence, a comprehensive onboarding process and continued, active surveillance of the fintech relationship.

The bank will need to establish (or, if existing, enhance) its ability to audit both the fintech partner and its own compliance and enterprise risk management systems, including the policies, procedures and staffing levels needed to address, facilitate and operate the venture. Regular documented reviews of this system must occur at both the bank and the fintech partner. If necessary, the bank may need to employ specialized staff in this regard and insist that the fintech company do the same.

Probably the most important single item in the fintech relationship is the contract between the bank and the fintech company. This should never be a take-it-or-leave-it form. The contract sets forth which party has control over what and when in the relationship. Banks should have legal counsel closely review fintech contracts to make sure bank compliance needs and regulatory concerns are met. Even though some fintech services have standard default rules for banks and customers built into the platform (e.g., card networks, the NACHA rules, etc.), a well-drafted contract will provide more detail with respect to legal and regulatory compliance and the parties’ obligations. Banks can also expand the obligations imposed on the fintech company, which can reinforce, and potentially alleviate, the bank’s compliance burden. Perhaps most importantly, the contract can address concerns not contemplated by regulatory schemes so that the bank’s obligations and rights are uniform and clear across the entire relationship.

Fintech is driven by innovative technology that optimizes, expands and replaces existing service capacity. To that end, successful fintech companies invest large amounts of time and money to develop proprietary intellectual property—including sophisticated algorithms and complex software that must be closely guarded to prevent competitors from eroding the value of that investment. Whether banks decide to buy, build or partner with fintech companies, there are several types of legal protection that can be employed to maintain a competitive edge for that technology. Identifying the proprietary intellectual property at issue and how to protect it is important, particularly for banks entering into agreements or licenses with fintech companies to co-develop, market or distribute cutting-edge products and services. Legal counsel can help banks address many of these concerns in the written contract with the fintech company or through ancillary agreements, such as nondisclosure agreements and noncompete/nonsolicitation agreements.

Fintech services implement new technologies, including artificial intelligence, machine learning and other data-analytic innovations. These technologies generate enormous amounts of data, ranging from highly sensitive to nonconfidential, and from business critical to irrelevant. The biggest and as-yet-unresolved issue is ownership of the data. Much of the customer-specific data is legally the property of the bank or its customer. But what about the data derived from that data? Control over that data has enormous implications for fintech. Knowing how to sort through the data and which laws and regulations are implicated when obtaining, using, sharing and storing data is crucially important.

Cybersecurity is also of paramount importance. Depending on the scope, a single data breach has the potential to cause the greatest amount of damage to a bank. For that reason, regulators expect banks to have in place effective measures to counter cybersecurity breaches, including security monitoring, enterprise-wide risk assessments and management of third-party cyber risk. Furthermore, it’s not just that the bank or the fintech company could lose the data of a discrete set of customers who elected to use the service. The fintech company can itself be the conduit for a data breach intended to strike at the bank’s entire customer database, which gives rise to second- and third-order effects that may be even worse.

As banks know, many fintech products rely on APIs, which support critical bank functions connected to consumer deposit and account data access, payment systems, credit origination, and compliance management.

Governor Brainard of the Federal Reserve has recently highlighted safety and soundness issues with respect to the aggregation of consumer financial data through APIs. In her opinion, because banks are more tightly regulated than fintech companies, consumer protection and safety and soundness are greater concerns than cutting-edge innovation. In particular, data security and control over third-party service providers are essential for banks to meet their safety and soundness obligations.

Governor Brainard also noted that regulators in the United Kingdom and continental Europe are moving forward to outline new approaches to facilitate connectivity in financial services, while attempting to mitigate the associated risks. Nine of the U.K.’s largest banks were required to create open APIs to share non-sensitive, non-consumer-specific information, like pricing, fees, terms and conditions, as well as branch and automated teller machine locations. This initial limited sharing of information has started communication and collaboration across the industry on areas like data standards and organizational governance, which will facilitate work on more contentious questions. Beginning in 2018, EU member states will be required to implement the revised Payment Services Directive (PSD2). Among other elements, PSD2 has created licensing regimes for third parties that access bank accounts for purposes of initiating payment orders or consolidating information with consumers’ consent. PSD2 mandates that banks allow these licensed third parties to access their consumer accounts (with consumer permission) without premising such access on contractual agreements with the banks.

A community bank’s core system remains a top infrastructure element, and as such, drives many opportunities and challenges for community banks. With core integration playing a key role in whether community banks consider potential fintech partnerships, over 60 percent of ICBA’s Fintech Survey respondents noted they rely on their core providers for fintech opportunities. Of those same respondents, 44 percent of them consider their core service provider an obstacle to partnering with a fintech provider. This data would seem to indicate that while the core may present itself as a reasonable fintech connector, some community banks are looking outside their core for solutions. For those community banks that are working with or considering working with their core providers on new fintech projects, cost, integration fees, ongoing subscriptions, and implementation time appear to be the greatest hurdles to entry.

For community banks the focus is, and always has been, on the customer. Today, changing customer preferences and demands for a modern banking experience are influencing the products and delivery methods community banks offer. The same drivers are persuading banks to initiate partnerships with fintech vendors to offer new services. How a bank delivers its brand value and vision to its customers is likely to be impacted by the confluence of fintech and a bank. New marketing and financial branding strategies may be necessary. Customers may demand more universal banking automation and transformed branch experiences, which will all need to be communicated through a bank’s messaging.

A bank’s staff, culture, and overall strategic plan will play a considerable role in how effective fintech efforts will be at an institution. Banks with nimble, customer-focused staff will generally fare better than institutions with more hesitant operations. Success has also been linked to overt use and knowledge of the new products and services by staff. This activity is often driven by an organization whose passion for innovation and advancement begins at the top with senior management and is disseminated throughout its organization’s culture.

It is important to note that community banks believe nearly 22 percent of the fintech challenges facing banks today hinge on the customer impact, qualified staffing, and the cultural fit to an organization. In confronting these challenges, banks need to invest in rigorous self-examination. What measures does the bank have in place to protect its data from a breach? What remedies are available to the bank with respect to the fintech company’s management of the breach? Does the bank have cyberinsurance? Will the fintech company be able to indemnify the bank for its losses? How will the bank meet its regulatory obligations? These and other questions need to be answered before the fintech relationship starts.

Fintech Regulatory Environment

Fintech Planning

Similar to the banking world, the current regulatory environment for fintech is complex, varying from company to company. To determine which regulations apply to their business, fintech companies must ask three questions:

"What do we do?"

The financial products and services offered by a fintech company will determine which regulators, if any, have jurisdiction over the company when it participates with a bank:

  • For broker-dealers, investment companies and registered investment advisors, the SEC, and perhaps FINRA.
  • For money service businesses or money transmitters, the Financial Crimes Enforcement Network (or FinCEN) and one or more state regulators.
  • For consumer lenders (but not a bank), possibly a state banking regulator.
  • For partnerships with a payment network (e.g., NACHA or the MasterCard or Visa payment networks), the private membership rules established by that network.
  • For nonbank fintech companies offering consumer financial products or services, the Consumer Financial Protection Bureau (the CFPB).

Fintech companies that partner with existing regulated entities (e.g., a bank or an SEC-registered investment advisor) may not have to directly comply with all of their partner’s applicable regulations, but often must, by contract, agree to comply with certain regulations and a degree of regulatory oversight as a condition of the partnership.

All fintech companies located in America (and U.S. citizens operating overseas) must abide by the trade sanctions rules promulgated by the federal government. These rules are based on U.S. foreign policy and national security goals with respect to targeted foreign countries, terrorists and other threats to the United States. The Office of Foreign Assets Control (“OFAC”) administers and enforces these rules.

"Where are we and our customers located?"

The location of a fintech company and its customers also shapes the company’s regulatory environment. Each state has its own rules applying its regulatory regimes to companies located within the borders of the state. A state’s regulatory regime will also, generally, govern all companies (regardless of their location) that provide consumer financial services to residents of that state.

However, if a company operates with a federal banking license, at least some of these state rules may be preempted. Operating with a federal banking license can simplify the regulatory regime for fintech companies that operate in multiple states.

Functional regulation, that is, assigning a company a regulatory regime based on the functions or services it provides, has been the dominant financial regulatory model for some time (since Gramm-Leach-Bliley).

Therefore, to this point, the evolution of fintech regulation has consisted of existing regulators’ declaring that particular fintech business lines provide functional services that fall within their jurisdiction, and then applying established regulations for these functions to those fintech companies. This trend will likely continue, at least in the near future.

The evolving concept of what constitutes “money,” as well as the increasing integration of financial markets, has affected how (and the degree to which) the Federal Reserve can control the money supply and exercise monetary policy.

The more fintech products and services fall within expansive definitions of the money supply, the more likely it is that those products or services would be brought under the Federal Reserve’s jurisdiction or otherwise be subjected to bank-like regulation.

The evolving nature of transaction settlement services (e.g., blockchain technologies) will likely have a dramatic impact on the financial industry. The changes could make settlement faster, safer, more efficient and less costly.

These changes could also decouple the provision of settlement services from the provision of other financial services. If a fintech company achieves significant scale with a settlement service, it is possible that it could be regulated by the Federal Reserve as a designated financial market utility or a systemically important financial institution.

The global competition for fintech innovation has driven some jurisdictions to amend their regulatory framework in order to attract capital and people. This trend will continue, but holes in regulation could lead to detrimental economic consequences, which in turn could reverse deregulation trends.