“The crux of the issue is that ultimately the bank has to have a strong oversight and management system.”
By John Hintze
Banks’ measured and controlled approach to adopting new products and services is being tested now as they aggressively pursue partnerships with nonbank fintech companies—all as regulators step up their scrutiny.
Nearly two-thirds of banks and credit unions had entered into at least one fintech partnership over the previous three years and 35 percent invested in a fintech firm, reports a 2021 survey by Cornerstone Advisors. And of those that hadn’t yet partnered or invested, respectively 37 percent and 18 percent planned to do so in 2022.
The Consumer Financial Protection Bureau has taken notice. In April, it invoked authority under the Dodd-Frank Act to examine nonbank companies posing risks to consumers, including fintech firms, and it issued a procedural rule to make its process to determine entities’ riskiness more transparent. In December, it requested information from major buy-now-pay-later, or BNPL, firms, an early step in proposing regulations.
In short, the CFPB has stepped up its oversight of fintech firms, and so must banks must be spot on with oversight of these relationships as well, noted participants in a session about building a compliance risk management framework for fintech partnerships at ABA’s recent Regulatory Compliance Conference.
That oversight starts with fintech onboarding, which requires upfront due diligence similar to onboarding any high-risk vendor and implementing an ongoing monitoring process. Consumer financial service providers must be especially vigilant, session participants said, regarding UDAAP and fair lending regulations. And banks must ensure fintech partners understand and observe them.
Some upfront testing—before inking a partnership—may be necessary, says Chris Lucas, chief compliance officer at MVB Bank, pointing to customer complaints as particularly relevant. Given that fintech firms are not examined and are often startups, bankers must be sure that these companies that directly contact customers have the ability to capture complaints, and the bank and fintech “stack hands” on how complaints are defined and the risk they pose.
“And you want a good flow of those complaints, on at least a monthly basis, for the bank’s own analysis,” Lucas says.
Juan Azel, chief compliance officer and deputy general counsel at Cross River Bank, which serves many fintech firms as a banking as a service provider, adds that banks must view fintech vendors as a delivery channel and ultimately take responsibility for the product.
“Whether it’s BNPL, crypto or whatever product, it’s ultimately the bank’s,” Azel says And it is important to convey that message not only to the bank’s management and board but also to regulators. “The crux of the issue is that ultimately the bank has to have a strong oversight and management system.”
When considering a new relationship with fintech firms, banks should also consider reputational risk, especially if the fintech firm has faced penalties before, and whether the fintech has a compliance management system in place. An early-stage fintech firm’s CMS may be wanting, requiring the bank to establish a baseline for what is required and even help the fintech establish key components, such as a compliance staff, training and risk assessment.
“Once they’ve established that baseline, the bank can come back and do a phase-two due diligence,” Lucas says.
Banks deploy compliance management systems focused on their traditional bank businesses, including branches, commercial real estate and small business loans, and they must decide whether a separate CMS is appropriate for fintech partnerships and the accompanying rules and guidance from banking regulators to manage third-party risk. To make that decision, Azel says, a bank can look at its current products and services and prepare a feasibility analysis and perhaps an obligations register to determine which laws and regulations are applicable as a bank as well as providing products and services through a fintech firm.
“Are you going to have individuals monitoring and testing just the bank-side products and others monitoring third-party partners and those products and services?” asks Azel. “You can double your [compliance department] size pretty quickly.”
Both MVB and Cross River decided to merge the functions into one group. Azel said that Cross River created a team of analysts called CMS Support that reviews complaints received by the bank and the fintech firms and liaisons with the compliance professionals on either side to identify trends, resolutions, or whatever is necessary.
MVB’s CMS sits over and monitors its traditional and fintech partnerships, viewing the latter as “essentially another business line,” Lucas says.
He adds that his compliance team has subject matter experts dedicated to the fintech activities as well as a dedicated “risk onboarding team” that he described as a “jack of all trades in terms of risk disciplines,” covering compliance, operations, anti-money launching, fraud and other risks.
“One CMS works much more seamlessly from a governance and reporting perspective,” he says, noting the importance of providing senior management and the bank’s board as well as regulators with the “whole risk spectrum.”
Fintech firms’ innovative and ever-changing ideas can rub against the grain of how some banks are used to working. A fintech firm’s product may change soon after the bank onboards it, for example. That requires the bank to have a change management process, Azel notes, and perhaps also a formal change request process similar to Cross River’s that defines material changes and establishes a review process. In some cases, he says, the obligations register may clarify that the bank simply can’t currently offer the new product.
“It triggers a readiness or feasibility gap analysis for what the bank needs in terms of resourcing, policies and procedures, and controls to be able to offer that product through that specific platform,” he said.
Lucas points out that key to balancing fintechs’ speed and banks’ more methodical approach is wrapping governance around the change-management processes. MVB, for example, has a committee that oversees the bank’s new products and services process, and any fintech firm requests for product changes or to launch a new product runs through that committee.
“We work with the fintech to make sure they understand what they need to do,” Lucas said. “Then we track the build out on the bank and the fintech sides and report up through the appropriate reporting channel.”
Governance smooths the change-management process, and employing dedicated personnel is another lubricant. Lucas also points to “playbooks” that the bank builds out with the fintech early in the relationship to detail the steps in the process. “So we’re operating with speed, but we’re not abandoning our existing compliance and control infrastructure,” he says.
Azel agreed that a playbook to deal with UDAAP concerns because BNPL fintechs, for example, are not only marketing on their own web pages but entering into agreements with multiple merchants, and they may be unfamiliar with UDAAP or the Trust in Lending Act’s Reg Z requirements. A playbook can stipulate how they can advertise their products and the types of terms to use or not.
Monitoring playbook compliance can be difficult, Azel acknowledges, but it is important to emphasize that if the fintech wants to go outside the playbook, “We need to review and consent to the marketing sheet before it can do that.“
John Hintze is a frequent contributor to ABA Risk and Compliance.