Know the Road & Roadblocks
Banks need to conduct a thorough due diligence review to understand how the fintech company intends to provide services and products to bank customers and whether it can meet regulatory expectations. Generally, this means assessing the project’s impact on the following risk categories:
- interest rate risk
- reputational risk
Every fintech is different, but most fintech projects present medium to high levels of operational and compliance risk.
This is due to the technologically innovative nature of fintech projects and the uncertainties that often surround the application of compliance laws to new fintech products and modes of service.
How to Mitigate Third-Party Risk
Third-party relationships are an outgrowth of the bank. Particularly where a third-party relationship with a fintech company involves bank-critical functions (e.g., payments, clearing, settlements, custody) or shared services (e.g., information technology), banks need to evaluate the extent to which a failure of that relationship entails significant risk to the bank or the bank’s customers.
For that reason, regulators expect banks to promote high standards of compliance and vendor management when using third parties to provide services and products directly to consumers. At the outset, banks must develop and implement a rigorous compliance management system (CMS) to mitigate third-party risk and address regulatory obligations. A good CMS will address nine pillars:
- Board oversight (how the fintech relationship fits into the bank’s strategic plan, outlining the inherent risks, objectives, cost-benefit analysis and other considerations);
- Policies and procedures (the internal rules governing the use of the fintech solution);
- Risk assessment (operational, compliance, reputation, strategic, credit and contractual risk associated with the fintech solution);
- Due diligence (a full-scope evaluation of the fintech solution);
- Compliance officer (how the bank will execute the compliance framework with respect to the fintech solution);
- Training (up-to-date and tailored training specific to the fintech solution);
- Contract provisions and considerations (how the bank frames its legal expectations for the fintech solution);
- Monitoring (measuring performance metrics of the fintech solution); and
- Complaint management (the unofficial pillar of CMS).
In particular, the FDIC, the Federal Reserve and the OCC all have issued guidance regarding third-party risk and vendor management. A key consideration for banks is the level of due diligence information available from newly established fintech startups.
If unable to receive in-depth information from the fintech company, banks need to develop alternative ways to analyze such relationships—particularly when the relationship with the fintech company supports a bank-critical activity.
Another key consideration is whether the potential fintech partner utilizes any other third-party vendor to offer its product and services. If the answer is yes, the bank will need to assess to what extent due diligence is required to be comfortable with those derivative third-party relationships.
These guidance expectations apply equally to banks’ relationships with fintech companies and should be incorporated in their CMS. Moreover, banks will want to make sure their fintech partners have an equally effective CMS in place. As explained in more detail below, a good CMS is the first line of defense against consumer and regulatory concerns.
“Financial institutions themselves are responsible for providing innovative financial services safely...While ‘run fast and break things’ may be a popular mantra in the technology space, it is ill-suited to an arena that depends on trust and confidence...
There are more serious and lasting consequences for a consumer who gets, for instance, an unsustainable loan on his or her smartphone than for a consumer who downloads the wrong movie or listens to a bad podcast.”
- Federal Reserve Board Governor Lael Brainard, Speech: The Opportunities and Challenges of Fintech (December 2, 2016).
Strategic Plan: It is critical that banks considering fintech projects adopt a strategic plan that includes investment in the right people and processes to mitigate these risks.
Invest in People: A strong chief technology officer and a strong chief compliance officer will greatly help reduce risks and build credibility and goodwill with regulators.
Monitoring: After onboarding, the bank must implement a comprehensive monitoring process. All due diligence activities and third-party risk assessments must be documented in writing in a consistent, uniform and easy-to-understand manner, and should include:
- Ongoing monitoring of the fintech company’s activities and performance;
- Preparing contingency plans for terminating the fintech relationship in a manner beneficial to the bank;
- Developing clear roles and responsibilities for overseeing and managing the relationship and risk management process with the fintech company;
- Reporting lines that facilitate oversight and accountability; and
- Conducting independent audits so that bank management can determine whether the fintech relationship aligns with its strategy.
The best way to meet these points is to make sure they are set out in a written contract.
Umbrella Risk Assessment & Current Organizational Inventory
As part of their risk assessment and due diligence of fintech projects, banks should also consider:
- the project’s targeted customers,
- how they will staff the project internally, and
- what internal systems will be necessary to support the project.
The bank may want to consider test-running the project with a smaller subset of customers before making it more widely available, and should ensure that the marketing plan for the project reflects the profile of the target customer. As the bank progresses through the lifecycle of a new fintech project, the bank may need to adjust the project’s staffing needs. For example, more technology and compliance resources will likely be needed at the beginning of the project lifecycle, with a shift toward more business line resources as the project matures, automation occurs, and economies of scale begin to kick in.
The bank will need to establish (or if existing, enhance) its ability to audit both the fintech partner as well as its own compliance and enterprise risk management systems, to include policies, procedures and staffing levels to address, facilitate and operate the venture. Regular documented reviews of this system must occur at both the bank and the fintech partner. If necessary, the bank may need to employ specialized staff in this regard and insist that the fintech company do the same.
As banks know, many fintech products rely on APIs, which support critical bank functions connected to consumer deposit and account data access, payment systems, credit origination, and compliance management.
Governor Brainard of the Federal Reserve has recently highlighted safety and soundness issues with respect to the aggregation of consumer financial data through APIs. In her opinion, because banks are more tightly regulated than fintech companies, consumer protection and safety and soundness are greater concerns than cutting-edge innovation. In particular, data security and control over third-party service providers are essential for banks to meet their safety and soundness obligations.
Governor Brainard also noted that regulators in the United Kingdom and continental Europe are moving forward to outline new approaches to facilitate connectivity in financial services, while attempting to mitigate the associated risks. Nine of the U.K.’s largest banks were required to create open APIs to share non-sensitive, non-consumer-specific information, like pricing, fees, terms, and conditions as well as branch and automated teller machine locations. This initial limited sharing of information has started communication and collaboration across the industry on areas like data standards and organizational governance, which will facilitate work on more contentious questions. Beginning in 2018, EU member states will be required to implement the revised Payment Services Directive (PSD2). Among other elements, PSD2 has created licensing regimes for third parties that access bank accounts for purposes of initiating payment orders or consolidating information with consumers’ consent. PSD2 mandates that banks allow these licensed third parties to access their consumer accounts (with consumer permission) without premising such access on contractual agreements with the banks.
A bank’s staff, culture, and overall strategic plan will play a considerable role in how effective fintech efforts will be at an institution. Banks with nimble, customer-focused staff will generally fare better than institutions with more hesitant operations. Success has also been linked to overt use and knowledge of the new products and services by staff. This activity is often driven by an organization whose passion for innovation and advancement begins at the top with senior management and is disseminated throughout the organization’s culture.
It is important to note that community banks believe nearly 22 percent of the fintech challenges facing banks today hinge on the customer impact, qualified staffing, and the cultural fit to an organization. In confronting these challenges, banks need to invest in rigorous self-examination. What measures does the bank have in place to protect its data from a breach? What remedies are available to the bank with respect to the fintech company’s management of the breach? Does the bank have cyberinsurance? Will the fintech company be able to indemnify the bank for its losses? How will the bank meet its regulatory obligations? These and other questions need to be answered before the fintech relationship starts.
Fintech Regulatory Environment
Similar to the banking world, the current regulatory environment for fintech is complex, varying from company to company. To determine which regulations apply to their business, fintech companies must ask three questions:
"What do we do?"
The financial products and services offered by a fintech company will determine which regulators, if any, have jurisdiction over the company when it partners with a bank:
- For broker-dealers, investment companies and registered investment advisors, the SEC, and perhaps FINRA.
- For money service businesses or money transmitters, the Financial Crimes Enforcement Network (or FinCEN) and one or more state regulators.
- For consumer lenders (but not a bank), possibly a state banking regulator.
- For partnerships with a payment network (e.g., the NACHA, MasterCard or Visa payment networks), the private membership rules established by that network.
- For nonbank fintech companies offering consumer financial products or services, the Consumer Financial Protection Bureau (the CFPB).
Fintech companies that partner with existing regulated entities (e.g., a bank or an SEC-registered investment advisor) may not have to directly comply with all of their partner’s applicable regulations, but often must, by contract, agree to comply with certain regulations and a degree of regulatory oversight as a condition of the partnership.
All fintech companies located in America (and U.S. citizens operating overseas) must abide by the trade sanctions rules promulgated by the federal government. These rules are based on U.S. foreign policy and national security goals with respect to targeted foreign countries, terrorists and other threats to the United States. The Office of Foreign Assets Control (“OFAC”) administers and enforces these rules.
"Where are we and our customers located?"
The location of a fintech company and its customers also shapes the company’s regulatory environment. Each state has its own rules applying its regulatory regimes to companies located within the borders of the state. A state’s regulatory regime will also, generally, govern all companies (regardless of their location) that provide consumer financial services to residents of their state.
However, if a company operates with a federal banking license, at least some of these state rules may be preempted. Operating with a federal banking license can simplify the regulatory regime for fintech companies that operate in multiple states.
Functional regulation, that is, assigning a company a regulatory regime based on the functions or services the company provides, has been the dominant financial regulatory model for some time (since Gramm-Leach-Bliley).
Therefore, to this point, the evolution of fintech regulation has consisted of existing regulators’ declaring that particular fintech business lines provide functional services that fall within their jurisdiction, and then applying established regulations for these functions to those fintech companies. This trend will likely continue, at least in the near future.
The evolving concept of what constitutes “money,” as well as the increasing integration of financial markets, have impacted how (and the degree to which) the Federal Reserve can control the money supply and exercise monetary policy.
The more fintech products and services fall within expansive definitions of the money supply, the more likely it is that those products or services would be brought under the Federal Reserve’s jurisdiction or otherwise be subjected to bank-like regulation.
The evolving nature of transaction settlement services (e.g., blockchain technologies) will likely have a dramatic impact on the financial industry. The changes could make settlement faster, safer, more efficient and less costly.
It could also decouple the provision of settlement services from the provision of other financial services. If a fintech company achieves significant scale with a settlement service, it is possible that it could be regulated by the Federal Reserve as a designated financial market utility or a systemically important financial institution.
The global competition for fintech innovation has driven some jurisdictions to amend their regulatory framework in order to attract capital and people. This trend will continue, but holes in regulation could lead to detrimental economic consequences, which in turn could reverse deregulation trends.