A Third-Party Oversight Program That Works

By Matthew Van Buskirk

It is no secret that the community banking sector has experienced increased pressure in recent years. Economic uncertainty, growing regulatory complexity and aging technology have eaten into profitability. According to the FDIC, the most important factor contributing to the earnings gap between community and non-community banks is the ability to generate non-interest income from “activities that are typically not part of the traditional community banking business model.” Community banks are increasingly looking for ways to improve the bottom line, diversify income streams and present a more modern image.

Meanwhile, the upheaval caused by the COVID-19 pandemic helped spur massive growth in businesses that provided access to financial services electronically. Fintech firms collectively raised $41.7 billion in funding in 2020, the second-largest total over the past decade. While some of the largest fintech companies have started to apply for bank charters, the rest of the consumer-facing fintech breed often rely on a behind-the-scenes partner bank to serve customers.

As noted in ABA Bank Marketing last year, community banks have realized the need and developed new fintech-bank partnership models to capitalize. These partnerships can be a win-win for everyone involved, but they carry many challenges and risks for institutions that do not plan ahead.

The key to proving that the bank knows what it is doing is in its fintech oversight program. Funneling new partnerships through a standard third-party risk management program won’t cut it. Most were designed on the assumption that third parties would help the bank deliver services to its customers and the services offered were generally familiar. Fintech partnership models are significantly more complex. They move the bank to a behind-the-scenes position with less direct customer interaction. Also, the fintech may be using new and untested models and there may be many more channels to monitor depending on the number of partnerships. A dedicated function with new tools, training and skills is necessary for effective oversight.

They inspire confidence in regulators. Banks managing multiple fintech relationships can show they are capable and aware of the risks presented across the entire partner portfolio. Regulators gain confidence through a combination of concrete and subjective factors. Banks can expect regulators to want concrete details on issues like the comprehensiveness of documentation, quality of risk assessments, external auditor validation, the robustness of the audit trail and the bank or bank staff’s track record in fintech oversight. Beyond this information, banks and their teams must have credibility and trust with the regulators.

The unofficial maxim of all regulators is “trust but verify.” When a bank is doing something novel, it is reasonable for the regulator to come to the table with a degree of skepticism—especially when it could be the first time the regulator sees anything like a certain program.

The ability to inspire confidence comes down to how well you deliver on the concrete pieces above in relation to your track record of performing similar activities in the past. If this is entirely new to both the bank as a whole and the individuals on your team, you should over-deliver on the concrete to compensate for any perceived shortcomings. If the bank has a strong history of partnership oversight in other areas or it has hired a leader with extensive experience in the space and provided them with appropriate resources, it is less necessary to over-deliver.

They are repeatable. With this kind of oversight, banks can process new partners quickly without needing to modify the program based on the idiosyncrasies of each partnership. It is OK to have a program geared toward a particular type of fintech partner (such as payments money services businesses or point-of-sale lenders) so long as partners outside of that category are rare exceptions. If your bank finds itself regularly running other business types through a program designed for a particular partner type, it will be worth the effort to rethink the program to make it more flexible. The gains in efficiency should be meaningful in and of themselves, but the visible alignment of the program with the business models of your partners will also boost regulator confidence.

They leverage technology to the maximum degree possible. The aim is to enable seamless scaling, to reduce the opportunity for manual error and to make the bank more appealing to fintech companies that vastly prefer partners with a high degree of technical connectivity over those that rely on emailing spreadsheets around.

Most compliance teams think of technology in terms of the tools they use themselves, such as case management and transaction monitoring platforms, and treat those tools as stand-alone solutions that tick a particular requirement box rather than as components of a larger system. This model is adequate in covering the minimum expectations of a regulator but imposes a ceiling on both the effectiveness and efficiency of a compliance program.

Taking a systems-orientated and modular approach is the key to maximizing for both. In practice, this means focusing on three elements:

  • Uniform data. Do the engineering work needed to ensure that all of the tools used speak the same language. Compliance analysts should not need to copy and paste from one system to another. The bank should have its own database structure linked to each tool. The efficiency benefits are obvious, but it is also a key to enabling more advanced technologies like machine learning.
  • Modularity. Your program should not be built around an external vendor’s design. Treat any vendors that you use as modular components of your program. Many vendors try to build comprehensive solutions for all program needs. This seems to be a good idea on the surface, but in practice, it results in a one-size-fits-none model that requires each bank to conform to the vendor’s product structure. The result is essentially a “barbed hook” model in which the vendor is not meeting the bank’s needs but has become too difficult to extract, so the bank chooses to live with it. If you build your program with the goal of treating any vendors as replaceable pieces of a larger whole, you should be able to select the best-fit solution for each of your needs and swap out the solution when it ceases to be the best.
  • Automation. When low-value tasks are automated, you can better empower your people to focus on high-value decision making. An industry survey performed by PwC found that compliance analysts typically spend 90+ percent of their time gathering the information needed to do their work, leaving very little time for the actual work. Fundamentally, this is the result of compliance programs built to address regulatory expectations that may have been set decades in the past where the work could only be done manually. When making decisions on how to design your compliance program, keep an eye out for any steps that rely on a person to run queries or move information from one place to another, as these are clear opportunities for automation. The more time that you can save for your analysts, the better they will be able to stay on top of risks.

Matthew Van Buskirk is the co-founder and co-CEO of Hummingbird, a regtech company.