Risk and compliance are top of mind for financial institutions of all sizes — and for good reason. Keeping up with new regulatory requirements continues to be a challenge.
A recent example is the Consumer Financial Protection Bureau’s final version of 1071, the small business lending data collection rule. This new rule requires additional reporting on commercial and small business loan applications, similar to Home Mortgage Disclosure Act reporting.
Meanwhile, regulators are cracking down, particularly around fair lending. In 2022 alone, the CFPB levied approximately $3.7 billion in civil money penalties as a result of its enforcement actions. From operational and fraud risk to liquidity and market risk, financial institutions are also facing greater threats than ever before.
Adding to these challenges, third-party vendor management is also getting more scrutiny, in part because of the growing banking-as-a-service trend. In June, the Interagency Guidance on Third-Party Relationships was finalized (two years after it was initially proposed). This aligns vendor management requirements across the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the Federal Reserve and replaces previous guidance.
How are bank and credit union leaders coping with all of these demands? And what strategies are they using to ensure their institutions stay in line?
In a survey of nearly 150 executives at U.S. banks and credit unions, several major trends emerged related to staffing, vendor management and technology, among other things.
Risk and Compliance Efforts on the Rise
To keep their heads above water, financial institutions are investing more heavily in governance, risk and compliance efforts, known collectively as GRC. Yet approaches vary across financial institutions, and these approaches yield different results.
The survey, which Ncontracts conducted with CBANC, offers insight into the intricacies of risk management in the current environment and gives a sense of how satisfied executives are with various approaches they are taking.
Particularly relevant given the latest guidance on third-party vendor relationships, it assesses the factors affecting the evaluation and selection of fintech partnerships. The use of vendors for risk and compliance and the effectiveness of different approaches in data collection are also covered. So, too, is examiner scrutiny.
About 40% of the financial institutions participating in the survey have more than $1 billion of assets, with the rest being smaller. The breakdown in terms of asset size is as follows: 6.8%, more than $10 billion of assets; 33.3%, $1 billion to $10 billion; 19.7%, $500 million to $1 billion; and 40.1%, less than $500 million.
Most Are Hunting for Fintech Partnerships
More than half of banks and credit unions participating in the survey (52.9%) report plans to evaluate fintech partnerships in the next one to two years.
As for the types of fintech partnerships they are interested in, lending is the most popular, but payments and risktech also are getting attention. Regtech is on the list for some as well. There were seven different types of fintechs listed in all.
Not surprisingly, financial institutions that are on the hunt for fintech partners are prioritizing compliance management (72.2%) and cybersecurity (62%) when evaluating partnerships. The importance of a fintech partner’s compliance posture should not be underestimated.
If a fintech can’t demonstrate a strong compliance management program, no bank or credit union will want to touch it. The risk of compliance violations and regulatory trouble is just too high.
Evaluating Which Fintech Partners to Work With
As risk and compliance remain top of mind, most financial institutions (54.7%) report using a vendor management program to evaluate potential fintech partners. This means they have documented policies and procedures in place — which is good news, given the heightened regulatory scrutiny in this area.
However, an astounding 28.4% do not have a vendor management program. This is most common among the banks and credit unions with less than $500 million in assets.
Meanwhile, 80% of the survey respondents report that the fintechs they’ve reviewed have a solid understanding of regulatory requirements and other key factors.
Competent in Compliance:
The percentage of fintechs displaying a solid understanding of regulatory requirements: 80%
This is not to suggest that fintechs in general are doing well in terms of regulatory compliance. What it means is that financial institutions are only seriously considering fintechs that have mastered risk management, compliance and other key areas.
The world of banking is small and word spreads fast. So fintechs without mastery in these areas aren’t even getting meetings.
Staffing Up in Risk and Compliance
Not a single financial institution in the survey plans to reduce headcount across its compliance and risk management departments — which is telling.
Just over 40% plan to add to their risk and compliance teams, more so in compliance (27.6%) than risk (13%). The rest are holding steady in terms of staffing.
A look at where examiners have had questions and concerns in the last 18 months casts some light on why many banks and credit unions are feeling the need to bulk up. Survey participants report that their examiners showed extra interest in risk management (30.4%), compliance management (33.7%), audit and findings (34.7%), IT/data security/cybersecurity (30.5%) and third-party vendor management (29.5%), all of which play an essential role in compliance.
However, adding compliance staff isn’t just a matter of budgeting for the additional expense. While finding talent is increasingly difficult across many areas of banking, hiring risk and compliance specialists has been especially challenging. Community banks and credit unions in remote parts of the country are struggling the most with this.
Many Still Using Manual Processes — a Risky Approach
The survey also found that many financial institutions still rely on manual processes for risk and compliance. That is, they track everything manually using spreadsheets, emails and other less-than-ideal tools.
This is most common among banks and credit unions with less than $1 billion of assets, a sign that as an institution grows, manual processes simply can’t keep pace.
Nearly a quarter (24%) of financial institutions that leverage manual processes report being dissatisfied with the approach, citing gaps in their data, systems and tools.
Manual processes are also red flags for regulators. In fact, the survey found that banks and credit unions with a manual approach were 16.8% more likely to experience examiner questions and concerns about compliance management.
“Even some large institutions with more than $10 billion of assets use manual processes for risk and compliance. But it is far more common among those with less than $1 billion of assets.”
The smaller institutions with a manual approach include 36.4% of those with less than $500 million in assets and 40% of those with $500 million to $1 billion of assets.
Also, 13% of the institutions with more than $10 billion of assets use manual processes. Notably, none of those with between $1 billion and $10 billion of assets do.
Juggling Multiple Risk Management Vendors
Manual processes are clearly not ideal. But having too many vendors also appears to be problematic.
According to the survey, financial institutions that use multiple vendors are less likely to be “very satisfied” with their risk and compliance efforts compared with those that leverage a single vendor — by a factor of nearly three.
Among the banks and credit unions that leverage a single solution from a single vendor, 30% are satisfied. This is defined as having a full understanding of their risk and compliance status and the ability to easily report such information to inform strategy.
Their satisfaction level is substantially higher than that of institutions using multiple vendors (13.3%) and those with manual processes (10.3%).
In addition, those using multiple solutions from different providers were 68.1% more likely to have examiners raise issues with third-party vendor management and 60% more likely to get examiner questions or concerns in the area of IT, data security and cybersecurity.
Gaining a Competitive Advantage
The risks that banks and credit unions must navigate are getting increasingly complex, and so is the regulatory environment.
Using manual processes to manage these risk and compliance challenges is no longer a sustainable approach. This approach results in gaps in data, systems and tools, which leaves institutions without the insight needed for strategic decision-making.
An automated solution is an investment in an institution’s resilience and future success. Banks and credit unions that adopt more sophisticated, integrated solutions will have the most valuable data and business insights and the strongest compliance positions, creating the opportunity to gain a competitive advantage.
About the author:
Rafael DeLeon is the senior vice president of industry engagement for Ncontracts, which provides risk management and compliance solutions to banks, credit unions and mortgage lenders. He was a bank regulator with the OCC for more than 30 years.