Bank Director | Technology Company Archives

In September 2021, JPMorgan Chase & Co. purchased the college financial planning platform Frank for a cool $175 million. For that price, the big bank expected to gain a purported five million potential new customers — students, parents and low-to-moderate income households. The bank kept Frank CEO Charlie Javice as head of student solutions as part of the deal, paying her a $20 million retention fee, according to The New York Times.

But JPMorgan said it didn’t get what it was promised. In a lawsuit filed in December 2022, the bank alleged Frank had fewer than 300,000 customers — roughly four million had been faked. JPMorgan shut down Frank’s website in early 2023.

Jamie Dimon, JPMorgan’s CEO, called the acquisition “a huge mistake” in the bank’s fourth quarter 2022 earnings call, and indicated that more details would be disclosed after the litigation has been resolved. JPMorgan didn’t respond to Bank Director’s request for information. Javice is suing JPMorgan; her lawyer told The New York Times that the bank realized it couldn’t work around student privacy laws and tried to “retrade” the deal.

The cost of the Frank acquisition seems eye-popping, but it’s a mere drop in the bucket for the big bank. JPMorgan reported $34.5 billion in net revenue in the fourth quarter 2022; that’s around $375 million earned daily. It’s an experienced fintech acquirer, with seemingly endless resources it can dedicate to vetting these deals. If a fintech company managed to trick the largest of the big banks, what does that mean for other banks looking to acquire tech companies in 2023?

The number of financial institutions acquiring technology companies remained few in 2021-22, according to an analysis from information from Piper Sandler & Co. using compiled for Bank Director with data from S&P Global Market Intelligence. Those buyers are primarily above $50 billion in assets. Crispin Love, senior research analyst at Piper Sandler, says those deals tend to complement the bank’s strategy, via deposit, lending or payments platforms, or niche services. “It tends to be the larger players buying some of these smaller fintech players to enhance solutions at the bank, rather than being [a] big transformational deal,” he says.

Sixteen percent of the bank executives and directors responding to Bank Director’s 2023 Bank M&A Survey, sponsored by Crowe LLP, say their institution is likely to acquire a technology firm in 2023. Due to last year’s drop in fintech valuations, it could be a great time to buy, says Crowe Partner Rick Childs. But price isn’t the only factor in an acquisition, and acquiring a technology company requires additional due diligence.

Dion Lisle, director of corporate ventures at $183 billion Huntington Bancshares, has more than 100 items on his due diligence checklist for any fintech the Columbus, Ohio-based bank may choose to invest in or acquire. At a high level, he and his team want to know:

Who are the founders, and what are their backgrounds? Who are the investors?
Is the tech stack modern, and will it fit with the bank?
How much technology has been outsourced?
Does the company own its intellectual property?
Have there been lawsuits against the company?
What about the company’s books? How much money do they have, and how have they spent it?

Lisle also seeks customer references. This was easy with Huntington’s recent acquisition of Digital Payments Torana, which worked with two of the bank’s customers. “We had assurance from that,” says Lisle. “We knew the people that said, ‘Yeah, this product uniquely solves this business case.’”

Code review is also part of Lisle’s checklist and is among the few items he’s willing to outsource. Most is covered by the bank’s ventures unit. “We’re a team of 10 folks with expertise around banking, venture investing, due diligence [and] compliance, so we’re able to do a pretty good job in house,” says Lisle.

Clayton Mitchell, a principal at Crowe, says banks should examine controls, processes and potential compliance gaps, particularly where the technology could pose significant regulatory, legal, financial or reputational risk, including potential fair lending or Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) violations. And he advises banks to build a team that includes the CFO and finance staff, relevant business leaders, technology and information security, and risk and compliance. “Don’t get enamored with the tech,” he cautions. “[Fintechs have] been pitching for money since the day they were born. It’s the only way they’ve existed. So, they’re really good at sales.”

Banks should also take time with due diligence, and shouldn’t cave in to FOMO, or fear of missing out. “That’s never a good way to do deals,” says Lisle. “You never skip basic DD [due diligence].”

Earlier in his career, Lisle worked for Citigroup, which sent him to Brazil to check out a payments company that boasted a million signups. The company even paid soccer star Ronadinho Gaúcho $5 million to be its spokesperson. But Lisle dug deeper and uncovered just $10,000 in transactions — a low figure given the large user base the fintech claimed to have. Citi pulled the plug on the deal.

Lisle says it took 24 hours to pull the plug on the multi-million-dollar transaction. Problems aren’t always hard to spot, he explains. At JPMorgan, a few thousand emails would have quickly revealed the authenticity of Frank’s user base. “[It’s] literally two days of due diligence.”

In January 2018, the Revised Payment Services Directive (PSD2) takes effect in the European Union, requiring banks there to open their payment infrastructure and data to third parties. The consumer-focused initiative is intended to give individuals control over their financial data while simplifying the payments ecosystem. Belgium, Germany and Italy have had a common protocol for providing third-party access to account information since the 1990s, and Australia is considering measures similar to the EU’s PSD2 initiative, according to a report from McKinsey & Co. With so much momentum behind the concept of open banking, should the United States explore a similar uniform data sharing policy?

Currently, the U.S. sees data sharing between banks and third parties take place through a patchwork of one-off deals. Often, agreements are struck between a financial institution and an intermediary that aggregates data from several institutions and provides that information to third parties, such as personal financial management apps, lending platforms or other consumer-facing service providers. These types of agreements do little to further a holistic national agenda of financial innovation and inclusion.

Many stakeholders—banks and technology companies alike—believe that these one-off data sharing agreements are not enough. For banks, current methods used by technology companies to gather data from their systems can result in security breaches, and carry the potential for brand or reputational risks. These issues illustrate the need for a uniform protocol that addresses both the technical aspects of connecting with third parties and the liability issues that can arise in cases of consumer financial loss.

What’s more, while the demands of secure API implementation are huge expenditures for a financial institution, the shift to open banking can also lead to new opportunities. (An application program interface, or API, controls interactions between software and systems.) As an example, PSD2 requires that banks provide access to data, but it does not prohibit an institution from monetizing its data in ways that go beyond the statute. Banks can capitalize on this mandate by providing more detailed data than is required by PSD2, or by providing insights to accompany the raw data for a fee. In addition, the development of API expertise will move institutions closer to offering many different financial services through a digital platform. Leveraging APIs can allow institutions to efficiently provide advice and services that customers demand today. (For more on this, read “The API Effect” in the May 2017 issue of Bank Director digital magazine.)

For technology companies that require access to bank data to operate, open APIs offer more reliable, accessible data. Without a direct line to bank data, technology companies must often resort to “screen scraping” to gather needed information. This technique requires a bank customer to provide log-in credentials to the third party. Those credentials are then used to collect account information. This method is much less secure for banks than controlling an API interface would be, and it’s a lot less smooth for bank customers that want to provide the technology company with access to their data.

Also, the process of entering into data-sharing agreements with multiple financial institutions is a daunting task for even the most sophisticated technology companies. Connectivity requirements vary from bank to bank, as do security protocols. Add to that a significant price tag for each deal, and the task of building a customer’s financial profile across multiple institutions is a significant barrier to entry that prevents the delivery of innovative financial services to consumers.

While the U.S. has been slow to act on open banking initiatives, there have been some signs of life. In October of 2017, the Consumer Financial Protection Bureau released its principles on data sharing and aggregation and confirmed its view that individuals, not the companies they work with, own their financial data. While this is only guidance coming from an embattled regulator, it hints at American interest in the open banking movement.

“Innovation, enhanced security and the drive for greater competition are the golden triptychs at the heart of PSD2,” wrote Alisdair Faulkner of the digital identity company ThreatMetrix, based in San Jose, California, in August 2017. Those would seem to be values that every government should strive to uphold, and with benefits for both incumbents and new technologies, perhaps exploration of a PSD2-like initiative can take hold in the U.S.