Third-party relationships: Due diligence guidance for community financial institutions engaging fintechs
This is one of five key articles featured in our 2022 Financial Institutions Advisor. Download the entire whitepaper here.
Today’s community financial institutions are seeing more opportunities than ever to enter into relationships with a new generation of financial technology (fintech) companies, including those that offer robotic process automation solutions. Community financial institutions are no strangers to engaging technology companies that assist with various business needs such as core systems and IT infrastructure, but these next-generation fintech partnership opportunities present new risks because the products and services they‘re offering are new to the marketplace.
Until recently, the regulatory guidance governing third-party risk management expectations for financial institutions has been spread across several different federal agencies. The expectations could vary depending on whether the institution was regulated by the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), or the Federal Deposit Insurance Corporation (FDIC). This year, the agencies released proposed interagency guidance on risk management for financial institutions entering into third-party relationships, followed shortly after by a guide for community banks that need to conduct due diligence on fintechs. Community financial institutions need to understand this recent guidance and take action to ensure that their third-party risk management programs properly address the relevant risks in fintech relationships.
A new type of third-party relationship
Partnering with a fintech can be a different risk management experience than partnering with other IT providers. Many community financial institutions have developed third-party risk management processes for their relationships with traditional technology partners — established tech companies like core processing providers FiServ and Jack Henry. These traditional technology partners have typically provided what can be thought of as “standard” IT solutions focused on basic day-to-day “back-office” functions like processing transactions. They usually offer these fundamental services to institutions for less than it would cost each bank to keep the process in house.
Partnering with a fintech can be a different risk management experience than partnering with other IT providers.
Fintech relationships are often (although not always) customer-facing partnerships. They enable community financial institutions to provide a new product or service, access a new customer base, or enhance efficiencies. Financial institutions can’t necessarily depend on their technology partners to educate them on the process of partnering with a fintech. These companies are nimble organizations that can change dramatically in short spans of time. As fintechs race to get their products to market ahead of their competition or launch a new version with the latest enhancements, compliance with federal banking regulations probably won’t be their top priority. Their culture and business processes may vary greatly from the community financial institutions with whom they partner and from the traditional technology companies that community financial institutions are used to working with.
Fintech relationships are often (although not always) customer-facing partnerships.
New guidance to manage these new relationships
In response to the rise of this new type of relationship between community financial institutions and fintech companies, the federal regulatory agencies that oversee America’s financial institutions issued proposed interagency guidance on managing risk in third-party relationships. That regulatory language was followed shortly thereafter by a guide focused specifically on helping community financial institutions understand how to conduct due diligence on fintechs under the new guidance. The guide offers relevant considerations, potential sources of information, and helpful examples on the following six key due diligence topics:
- Business experience & qualifications
- Financial condition
- Legal & regulatory compliance
- Risk management & controls
- Information security
- Operational resilience
This action by regulators should streamline the third-party due diligence expectations for all financial institutions. The guide should help community financial institutions understand how their processes may need to be modified in order to perform due diligence on their relationships with fintech companies.
Two types of community financial institutions
At this point, there are two types of community financial institutions in the United States; those that have relationships with third-party fintech companies and those that are going to have relationships with third-party fintech companies. For those that have existing contracts, this guidance serves as a wake-up call that the third-party risk management they‘ve used in the past for relationships with traditional technology partners needs to be reviewed to make sure that they’re properly vetting fintech providers. For those that don’t yet have relationships with fintech companies, the guide highlights six key due diligence areas in which their third-party risk management process should be reviewed and possibly enhanced before entering into agreements with these service providers.
For many community financial institutions that have been waiting for this guidance in order to start considering relationships with fintechs, the availability of these new expectations could be just the push needed to get them into the market. Still, many community financial institutions aren’t well versed in this relatively new guidance and the potential impact it could have on their third-party risk management programs.
Community financial institutions need to read and understand this new joint regulatory guidance, and many will need to update their third-party risk management programs to specifically address fintechs and the risks they present. Those that already have fintech relationships in place will need to determine how this guidance affects their existing relationships and take additional steps as necessary to address any gaps.
Plante Moran can help with this process, either by performing third-party compliance reviews of potential fintech companies or reviewing a financial institution’s third-party risk management processes for compliance with the new expectations. If you have any questions about the new guidance, please contact Plante Moran.