Fintech partnership risk: A checklist for financial institutions
Alliances with financial technology (fintech) companies can be transformative for financial institutions. But with benefits come significant risks, many of which may surprise you. Here’s a checklist for mitigating those exposures.
- Gain access to valuable tools and technologies without costly overhauls of legacy systems.
- Offer customers a broader range of online and digital transactions, boosting associated fee revenue.
- Expand capabilities in digital banking, digital lending, payments, and fraud/risk management, and grow revenues connected with them.
- Strengthen customer loyalty through these expanded services.
- Level the playing field against upstart digital competitors.
- Serve new customer segments and gain new market share.
Yet, while the future of banking lies in the kind of digital transformations these alliances make possible, financial institutions face an array of regulatory, reputational, and other risks and should proceed with caution. Banks must do their due diligence before striking these deals and monitor the relationships closely afterwards.
Key areas of risk
There are three broad areas of risk in fintech partnerships:
- Reputational risk: Financial institutions face reputational risk when any new product or service is introduced, regardless of whether it was developed in-house or by a third party. A single security breach as a result of a flaw in a fintech product could severely undermine the trust and loyalty that a bank has spent years nurturing. It could also directly impact profitability.
- Regulatory risk: Regulatory risk is a priority for financial institutions partnering with fintech companies. Fintech products are transforming the financial services industry, and lawmakers have fallen behind. It could be a long time before banking regulations are changed to address fintech products. In the meantime, regulators are scrutinizing fintech relationships to ensure financial institutions are still in compliance with traditional banking regulations.
- Unforeseen risk: Fintech companies have limited experience dealing with both regulations and regulators. For their part, banks and credit unions are unaccustomed to the changing, fast-paced environment in which fintech companies operate. There’s no telling what unforeseen risks may lie at the intersection of these two areas of uncertainty.
In order to mitigate these risks, financial institutions must manage their fintech relationships with great care, right from the start, and at every stage.
Do your due diligence (external and internal)
Before engaging in a relationship, make sure to:
- Determine if the fintech’s values align with those of your financial institution. Meet with the founders or executives. Are they planning a quick exit or making a long-term commitment to the industry and your customers?
- Learn all you can about how well they understand their own compliance obligations, and how they will support yours.
- Reach out to your bank or credit union network. You may be able to connect with someone who’s worked with this fintech before. If so, what’s gone well? What weaknesses are there?
- Check on their track record. Are there any red flags to consider? Do they offer performance guarantees to financial institutions, subject to penalty? Ask for referrals.
- Research past regulatory infractions and negative news stories.
Likewise, turn the due diligence lens on your own organization. Do you have the capacity to deal with a new partnership? Do you have the IT, compliance, and other resources needed to integrate a new system or product effectively and efficiently?
Decide who owns the relationship
Well-managed fintech alliances need to be centrally led, with clear internal accountabilities and reporting lines. Some banks have one person managing each fintech provider, without any periodic process for conferring on their fintech program as a whole. Siloed environments can leave bank executives unaware of patterns or trends across fintech relationships.
Consider having one person in charge of each relationship. If you’re working with several fintechs, consider forming a committee. In larger financial institutions, it’s especially important for the compliance function to reach out across the different lines of business, keeping the channels of communication open, so that news of any potential issues travels fast.
Set the ground rules
Define your fintech’s obligations in the relationship precisely and be sure to include communications protocols. Financial institutions share risk with their fintech partners, yet often only learn after the fact of significant product changes affecting compliance or of significant litigation or regulatory pressure. Detail your expectations. Determine who needs to know what and by when. And then schedule a series of ongoing touch points to make certain each side is getting the information they need.
Monitor the relationship closely
Think of your fintech partnership as similar to a large technology or other investment. Your monitoring approach should be as robust as manageable. Do the upfront work of identifying key risks in the relationship, and ensure you regularly monitor and assess them. Conduct formal reviews of the relationship quarterly and annually. Consider a periodic independent review. Plante Moran can help with that.
Ensure risk management is robust
Financial institutions tend to assume that fintechs are well-versed in consumer deposit lending regulatory risk, and that they have well-established risk and compliance functions. Many do not. They may be less than fully aware of their own obligations and of the many ways they can support you in meeting yours.
Ask fintechs about their current compliance program, adherence to state regulations, as well as any available risk assessments, policies, procedures, training programs, and audit programs. Determine how these will evolve into the compliance function you (and your regulators) need to see. Make sure the fintech understands their role and how they can help you address any regulatory examiner concerns.
A fintech, for example, may already have a risk management program in place that addresses risks posed by Anti-Money Laundering (AML) regulations, General Data Protection Regulation (GDPR), and other local or international regulations. It’s unlikely, though, that their risk management program includes financial regulatory compliance requirements. Not all fintechs have been able to support banks, for instance, in meeting the requirements of the Electronic Fund Transfer Act. The regulation provides guidelines for consumers and financial institutions on electronic funds transfers, and is designed to ensure timely resolution (and prompt refunds, if needed) in the case of unauthorized transactions in a bank account. Some fintechs’ inability to support banks in meeting this obligation has left some customers unaware of the appropriate channels for resolution and often, as a result, out of pocket.
Risk mitigation is key to success
Many financial institutions believe their organization’s future depends critically on the kind of technology support that fintechs can provide. But many risks attend such relationships, which are necessarily complex, deeply interdependent, and require strong regulatory oversight. These exposures must be carefully mitigated, not only to avoid missteps but to maximize the chances of partnership success.