
Banks and Fintechs: 3 Risk Categories You Need to Know

Written by: Cristina Palladino

As more financial institutions engage with technology-forward vendors such as fintech companies, there are several key considerations to keep in mind. Foremost among them, strong regulatory and compliance practices are non-negotiable. Fintechs that want to partner with financial institutions must demonstrate a commitment to vendor management and responsible compliance practices. However, it is the financial institution's job to perform due diligence and confirm that the fintech has proper controls in place to mitigate potential risk.

Here, we’ll dive into one of the top questions that both financial institutions and fintech partners must weigh when establishing a relationship.

Question

What are the top considerations for financial institutions to keep in mind when establishing and maintaining third-party relationships with fintech companies?

Short Answer

Third-party fintech relationships differ from other vendor relationships because of the nature of the fintech's operations and how the institution relies on them. It is therefore essential to perform due diligence procedures and establish monitoring controls to ensure the relationship is providing value to the institution rather than creating unacceptable risk.

Consider the following categories of risk while implementing a strong compliance environment between your financial institution and a fintech partner:

  1. Bank Secrecy Act (BSA)/Anti-Money Laundering (AML)
  2. Compliance Management Program
  3. Vendor Management

The risk profile of each fintech, and of each customer, will differ; a risk-based approach must therefore be applied to every customer and every process rather than a single standard applied across the board.

Answer Details

Bank Secrecy Act (BSA) / Anti-Money Laundering (AML)

Given the products fintech companies offer, the most pervasive regulation a fintech should familiarize itself with is BSA/AML. As a financial institution, ensuring that your fintech partner has a monitoring program in place to identify suspicious transactions is crucial. Controls of this kind screen senders and/or recipients against the Office of Foreign Assets Control (OFAC) sanctions lists and support Know Your Customer (KYC) and BSA/AML regulatory compliance. The breadth and depth of the program will depend on the fintech's operations.

Additionally, a risk assessment should be performed to identify the requirements and the level of risk associated with the types of transactions and activities the fintech performs. This assessment is the foundation for establishing and executing the monitoring program, including its policy, procedures, and training program. Lastly, documenting which BSA/AML responsibilities belong to the financial institution and which belong to the fintech establishes a mutually agreed allocation of compliance obligations between the two organizations.

Compliance Management Program

Fintech is often perceived as a single, risky industry rather than one that offers a broad range of products, each with its own risks. In practice, a fintech's risk varies with its products, how those products are delivered, its customers, and its jurisdiction. Having a strong handle on your fintech partner's processes will prevent headaches, missed opportunities, and potential monetary penalties. Creating an inventory of the regulatory requirements that apply to the partner's products and testing against that inventory will confirm that controls are in place and working effectively.

Fintech compliance is an ever-evolving landscape, so it is critical to establish a process to monitor regulatory change and make necessary changes to operations. For a more in-depth discussion of how to establish an effective compliance program, read our Compliance Change Management Process article.

Vendor Management

A financial institution’s compliance requirements extend to its third-party providers. Therefore, validating that a fintech partner can comply with applicable laws and regulations is essential. In fact, the Consumer Financial Protection Bureau (CFPB) recently announced that it will increase its nonbank supervision.

Vendor management programs vary in size depending on the number, maturity, reliance, and criticality of the third-party relationship, but at a minimum, you should have the following:

  • A risk-based process for requiring and obtaining due diligence material from your third parties prior to beginning and periodically throughout your relationship.
  • Contract requirements that outline service obligations and protect your company. A contract review process should also be established to verify that executed contracts meet those requirements.
  • Due diligence material for critical vendors, including evidence that the third party is financially and operationally sound enough to maintain operations and protect data. The material should also provide evidence that critical controls are in place and working as intended. The best way to obtain information about a company's controls is to obtain and review its System and Organization Controls (SOC) reports; when you do, check the report's scope and review period, read any exceptions the auditor noted, and confirm your institution performs the complementary user entity controls the report assigns to the customer, since the service organization's controls depend on them.

As fintech has developed, regulators have stated their expectations for how institutions should manage the evolving market and its regulatory risk. It is important for financial institutions to define and document a risk framework for their fintech partnerships that addresses both regulatory and operational risk. Furthermore, every aspect of that risk must be reconsidered as new services are developed and new relationships with external parties are established.

For help establishing a risk management process or an analysis of the regulatory requirements for your financial institution, reach out to our team. If you’re a fintech looking for help with regulatory compliance, assurance, audits, or something else entirely, we can help.