Traditionally, credit risk is a bank’s number one liability, and bankers tend to learn the ins and outs early in their career. But over the last several years, third-party risk management has become a regulatory priority – with many banks facing new processes, policies and, in many cases, new departments.

Two important papers from financial institution regulators detail their expectations for necessary due diligence on critical vendors that may expose banks to cyber and reputational risks.

The first is a joint paper published in August 2021 from the Federal Deposit Insurance Corp., the Federal Reserve and the Comptroller of the Currency, titled, “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.” The second is the Federal Reserve’s “Community Bank Access to Innovation Through Partnerships,” released a month later.

These papers explore how banks are handling current fintech partnerships and offer due diligence considerations for pursuing future fintech connections, recognizing banks’ increasing use of fintech providers as useful sources of innovation. When considering a fintech vendor relationship, review these documents carefully to help reduce risk for your bank. Additionally, senior management and the board should answer these five critical questions before signing on the dotted line in a fintech partnership.

1. Is there strategic alignment?
A potential fintech partner must align with your bank’s overall strategy and goals. Although growth may be a driver, it is important to make sure your bank is getting into the fintech space for the right reasons. You may be looking for operational efficiencies or how to better serve a specific customer base. Bank strategy should be a primary driver in your choice of vendor.

2. Do you have the internal know-how to make this decision?
Community banks may not have sufficient internal ability to assess fintech vendors or handle due diligence expectations. Working with outside professionals may allow the bank to more accurately assess providers, negotiate contracts and make connections in the fintech space. But even with outside guidance, the bank is ultimately responsible for compliance with banking regulations and laws. The management team and board need to feel comfortable with the process of choosing and vetting fintech companies.

3. Do you understand how the fintech company uses and protects data?
Fintech companies have access to a trove of your customers’ data. Where will the fintech provider store this data, how does it plan to use it, and how will it keep that data secure? In some unfortunate cases, they may want to use it themselves or even sell it to third parties.

Set clear boundaries about data use and make sure these are written into your contracts. Also, find out if the fintech uses subcontractors and whether they have access to your data. If so, ask further questions about the subcontractors’ data use, cybersecurity and risk practices.

4. What is the financial sustainability of the company?
Building long-term relationships with your providers can have substantial benefits. But fintechs are often startup companies with little track record of success. They may be funded by private equity firms that could have plans for an exit after a few years, leaving future plans uncertain.

As startups, many fintech companies may not have several years of audited financial statements, which could complicate the due diligence process and leave your bank with unanswered questions about long-term viability. Before signing a contract, determine the fintech’s financial sustainability, including the goals of its investors.

5. What are the fintech’s cybersecurity practices?
Cyberattackers target financial institutions more than almost any other industry, and bankers know how critical data security is to their livelihoods.

Banks can, and should, access numerous sources of information including security controls assessments, security policies, incident management and response policies, as well as incident reports with post-mortem and remediation activities. Be sure to ask how the fintech trains its staff and how it addresses relevant privacy laws and regulations.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader.

WRITTEN BY

Josh Juergensen

Susan Sabo, Managing Principal

Susan Sabo is managing principal at CliftonLarsonAllen LLP. She has more than 20 years of combined experience in public accounting and the financial institution industry, including experience with Fortune 500 financial services companies. She serves as a principal of the firm’s Southeast financial institution practice, serving clients principally in the Carolinas, Georgia, Tennessee and Florida. Her responsibilities include providing engagement oversight in the areas of assurance and internal audit. Ms. Sabo provides board advisory and management consulting services in the areas of strategic planning and mergers and acquisitions. She has been involved in multiple mergers and acquisitions of sizes ranging from $150 million to $500 billion with engagement at all stages of the process.