When fintechs first came on the scene many of them made it plain they were out to eat traditional financial institutions’ lunch — and dinner and breakfast. Seemingly unfettered by the same sets of rules governing traditional players, and rich in venture capital, many of them seemed like they could do it, too.
Then reality set in. While there are a good number of fintech players who still represent strong new competition for banks and credit unions, many more are building at least part of their future on “coopetitition” — partnerships formed with these institutions.
Research by Cornerstone Advisors released in 2021 indicates that about half of the banks surveyed and two out of five credit unions had partnered with fintechs over the previous three years. Indications are that such relationships will continue to grow, even while some fintechs are acquiring banks and vice versa.
The nature of these relationships has caused some to question where the difference lies between an actual partnership and something more familiar, a vendor relationship with the financial institution.
From the viewpoint of federal banking regulators, it appears the distinction may not matter. While the industry and its observers see things through the filters of innovation and competition, regulators see things in terms of risk management.
In July 2021 the Federal Reserve, the Comptroller of the Currency and FDIC issued proposed interagency guidance for third-party relationships overall. Something notable about that proposal is that it represents the first time the three regulators have issued joint guidance on managing third-party risk.
While that document remains out for public comment until late September 2021, ahead of that time the three regulators issued “Conducting Due Diligence on Financial Technology Companies.”
The regulators state that use of the guide is voluntary and that it is meant to be tailored to each relationship. The one thing no institution can do is pretend the risks aren’t there.
“Engaging a third party does not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.”
— Federal regulators’ guide to fintech due diligence
This is classic federal compliance policy — if you buy the labor, the analysis, the lending or otherwise, you buy any compliance and performance problems and risks with it. In fair-lending enforcement, for example, delegating aspects of credit evaluation to an auto dealer was no defense if the result was discriminatory lending.
Regulators have been scrutinizing third-party risk harder over the last decade or so, as use of third parties has become a more significant factor in many aspects of banking.
- Community Bank Builds Future on ‘Banking as a Service’ & Google Plex
- How Should Banking Respond to Embedded Finance Model?
Where to Dig for Fintech Due Diligence and What to Look for
Most of the guidebook follows a format where narrative about an aspect of due diligence is presented on the left of each page. On the right, appears a bulleted list of where the financial institution can research each section’s issues.
The booklet is designed for community banks contemplating relationships with fintechs. But nonbanks can turn the document around and learn about banking compliance and risk management practices to prepare for on their side of the deals.
In its own guide to such relationships, the law firm Venable LLP observes that in these partnerships, the fintech gains a customer base and avoids licensing issues — at a price.
“The tradeoff for the fintech comes in the form of the bank partner requiring the fintech to comply with various compliance and risk management practices, including requirements applicable to the bank that would not otherwise be applicable to the fintech,” the firm states.
The federal guide frequently urges community banks to consider that the fintech may not be familiar with operations of small financial institutions and to probe whether the fintech will make an appropriate partner.
How to Handle Startups:
The guidance acknowledges that some younger fintechs won’t have systems in place that would make due diligence straightforward. The regulators suggest some alternatives, such as bankers making site visits to get a “feel” for things.
The guide is divided into these major sections:
- Business experience and qualifications, including the fintech itself as well as company directors and principal officers.
- Financial condition, including funding and financial depth.
- Legal and regulatory compliance issues.
- Risk management and controls, and a frank evaluation of whether the fintech’s processes synch with the banks risk appetite, policies and procedures.
- Information security and systems.
- Operational resilience, including business continuity plans and incident response plans. (Consider some of the complaints lodged about some of the big name fintechs such as Chime and Robinhood.)
In its analysis of the booklet, Ballard Spahr LLP notes that this is another step-up of federal focus on third-party deals. “Whether this increased attention and guidance will translate to a heavier emphasis on such topics in the course of regulatory examinations remains to be seen,” it states.