Effective Oversight of Fintech Partnerships
Brought to you by Nelson Mullins Riley & Scarborough LLP
For today’s banks, the shift to digital and embracing financial technology is no longer an option but a requirement in order to compete.
Fintechs enable banks to deploy, originate and service customers more effectively than traditional methods; now, many customers prefer these channels. But banks are often held back from jumping into fintech and digital spaces by what they view as insurmountable hurdles for their risk, compliance and operational teams. They see this shift as requiring multiple new hires and extensive capital and technology resources. In reality, many smaller institutions are wading into these spaces methodically and effectively.
Bank oversight and management must be tailored to the specific products and services and related risks. These opportunities can range in sophistication from relatively simple referral programs between a bank and a fintech firm, which require far less oversight, to banking as a service (often called BaaS), which requires extensive oversight.
A bank’s customized third-party oversight program, or TPO, is the cornerstone of a successful fintech partnership from a risk and compliance perspective, and should be accorded appropriate attention and commitment by leadership.
What qualifies as an existing best-in-class TPO program at a traditional community bank may not meet evolving regulatory expectations of a TPO that governs an institution offering core products and services through various fintech and digital partners. Most banks already have the hallmarks of a traditional TPO program, such as reviewing all associated compliance controls of their partner/vendor and monitoring the performance on a recurring basis. But for some banks with more exposure to fintech partners, their TPO needs to address other risks prior to onboarding. Common unaccounted-for risks we see at banks embarking on more extensive fintech strategies include:
- Reviewing and documenting partners’ money transmission processes to ensure they are not acting as unlicensed money transmitters.
- Reviewing fintech deposit account setup procedures.
- Assessing fintech partner marketing of services and/or products.
- Ensuring that agreements provide for sufficient partner oversight to satisfy regulators.
- Procedures to effectively perform the protocols required under the Bank Secrecy Act, anti-money laundering and Know Your Customer regulations, and to capture information within the bank’s systems of record. If the bank relies on the fintech partner to do so, implementing the assessment and oversight process of the fintech’s program.
- Assessing the compliance and credit risks associated with fintech partner underwriting criteria such as artificial intelligence, alternative data and machine learning.
- Assessing the impact of the fintech strategy on the bank’s fair lending program and/or Community Reinvestment Act footprint.
- The potential risk of unfair, deceptive or abusive acts or practices through the fintech partner’s activities.
- True lender risks and documenting the institution’s understanding of the regulations surrounding the true lender doctrine.
- Assessing customer risk profile changes resulting from the expansion of the bank’s services and/or products and incorporating these changes into the compliance management system.
- Revising your overall enterprise risk management program to account for the risks associated with any shift in products and services.
Finally, regulators expect this shift to more fintech partnerships to become the norm rather than the exception. They view it as an opportunity for banks to provide greater access to products and services to the underbanked, unbanked and credit invisible. Over the last couple of years, we have seen a number of resources deployed by bank regulators in this space, including:
- Regulators creating various offices to address how banks can best utilize data and technology to meet consumer demands while maintaining safety, soundness, and consumer protection. The Federal Deposit Insurance Corp. has built FDITECH, the Office of the Comptroller of the Currency has an Office of Innovation, as does the Federal Reserve Board. The CFPB has aggregated its efforts to deploy sandboxes and issue “No-Action Letters” through its own Innovation Office.
- The Federal Reserve issued a guide for community banks on conducting due diligence on financial technology firms in August 2021.
- OCC Acting Comptroller Michael Hsu gave remarks at the Fintech Policy Summit 2021 in November 2021.
- In November 2021, the OCC issued a release clarifying bank authority to engage in certain cryptocurrency activities, as well as the regulator’s authority to charter national trust banks.
Adopting best practices like the ones we listed above, as well as early communication with regulators, will place your bank in a great position to start successfully working with fintechs to expand and improve your bank’s products and services and compete in today’s market.