Fintech service providers and traditional banks are leveraging each other’s resources and infrastructure to deliver enhanced customer experiences, thanks to BaaS platforms and related technological advancements. In recent years, the fusion of Fintech’s innovative solutions with the extensive customer base of banks has facilitated more opportunities for financial inclusion.
However, overseeing bank and Fintech partnerships has become an important responsibility for regulators to promote transparency and fairness. Regulators especially require banks to do due diligence and facilitate a system for third-party risk management when dealing with Fintechs and their innovative products.
From the current analysis of events, it’s important for banks to periodically gather and evaluate information from Fintech companies to determine if the relationship is regulatory-compliant. The recent Consent Order issued by the Federal Deposit Insurance Corporation (FDIC) to Cross River Bank (CRB) is a stark warning to other community banks in the US to tighten up their internal controls.
Moreover, some requirements imposed on the bank through the Consent Order align with existing regulatory guidance for (community) bank and Fintech partnerships. In this article, we look at some of these desirable checks recommended by federal regulators, like the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC).
Oversight functions performed by the board and senior management are incredibly important in every area of the financial sector. Their significance cannot be overstated for bank-Fintech partnerships. As a result, one of the priorities the FDIC identified was increased scrutiny from the board concerning the “Bank’s system of internal controls, information systems, credit underwriting practices, and internal audit systems related to consumer protection laws and regulations.”
In fact, compliance with all the requirements in the Consent Order is to be monitored and supervised by the board of parties involved. This required commitment from the board sends a clear message that both parties (banks and Fintech companies) should understand the importance of board oversight functions in maintaining the integrity of their operations and protecting the interests of their customers and stakeholders.
As a proactive measure, bank and Fintech boards should periodically review their structure to ensure it is suitable for risk and compliance oversight. In this case, it’s often recommended that board members include risk management and compliance experts. Banks may want to consider this before entering into agreements with Fintech service providers.
Legal and Regulatory Compliance
Banks must assess the Fintech company’s understanding of the legal and regulatory obligations linked to its intended business operations. A bank seeking partnership must also examine the company’s past experience operating within the legal framework to ensure it can meet the required legal standards and regulatory obligations.
KYC/AML compliance, security deposits at central banks, and proper licenses are among the critical areas of consideration for this type of due diligence. Other information to look out for is official records documenting customer complaints and any information showing its regulatory standing regarding the activities undertaken in the contractual agreements.
Risk Management and Controls
It is highly recommended to conduct regular evaluations of risk management policies and controls of both parties concerning the terms of the agreement. This evaluation ensures that all activities, regardless of further modifications, align with the bank’s risk appetite or tolerance and comply with applicable regulations. On this note, the FDIC included the following requirement in the Consent Order for CRB:
“Conduct a risk assessment of all CRB Credit Products and Third Parties on the current lists to identify fair lending risks, including any risk associated with an “application” or “Credit Transaction” as defined in Regulation B, conducted by, through, or in conjunction with the Bank, and engage an independent, third party acceptable to the FDIC to conduct a fair lending resources study.”
It further stated: “Develop fair lending internal controls that must be reviewed periodically on a risk basis but not less than annually and adjusted appropriately.”
It is essential to understand the very fabric of security frameworks adopted by Fintech companies to manage cybersecurity risk. This includes assessing their policies and tools for data protection as well as incident management and response plans to determine if they support the bank’s regulatory obligations.
In the Consent Order in question, the FDIC described this type of due diligence as Information Systems Review. Accordingly, it mandated CRB to undertake a comprehensive assessment of all third-party information systems, as well as its own, and submit a report outlining the status of these systems. Furthermore, CRB was required to develop a plan outlining the necessary steps to be taken within a specified timeframe to address any identified gaps or vulnerabilities.
To gain a comprehensive understanding of the operational resilience of Fintechs, banks must delve deeper into various aspects such as business continuity plans, disaster recovery plans, cybersecurity audits, and incident response time.
To accurately measure Fintechs’ operational resilience, banks must also frequently quantify and track specific metrics related to their risk profile and product offerings. Common metrics include Mean Time to Recover (MTTR), which measures the average time it takes to recover from disruptions.
In addition, monitoring system availability metrics provides visibility into the reliability and uptime of critical systems and services offered by Fintechs. It indicates their ability to maintain consistent access and functionality. This should not be overlooked.
Talk to Us
In light of the recent Consent Order issued to CRB, bank and Fintech relationships necessitate a more diligent and rigorous approach. At RADD LLC, we look forward to assisting you in navigating these evolving dynamics and ensuring compliance while maximizing the potential of your partnerships. With a diverse team of compliance experts boasting a combined experience of more than 250 years in fintech regulatory compliance, you can rest assured that you will get best-fit solutions. So get in touch today; it’s easy!