By Adam Hughes
The last decade has seen dramatic growth in the number of nonbank fintech firms offering innovative products in partnership with traditional financial institutions. This growth has spurred complex discussions among both stakeholders and regulators over how these new types of business relationships should be arranged and managed to adhere to regulatory obligations and to protect customers.
Meanwhile, the importance of these partnerships has become more evident over time, both for large organizations that often find it difficult to innovate from within and for smaller organizations that lack the internal expertise and resources to expand product and service offerings on their own.
If technology partnerships become even more important to banks’ innovation initiatives, a new nationwide set of requirements and a system for formal accreditation would even the playing field and establish controls that are better aligned with regulator expectations. My view is that such requirements would accelerate innovation and partnerships among banks and innovative fintech firms, particularly to provide confidence that regulatory expectations have been met. In the absence of this regulatory certainty, financial institutions and third parties will continue to operate in an inefficient ecosystem that lacks standardization.
Although scrutiny of third-party partners is critical to ensure safety, soundness and customer protection, the challenge is meeting existing regulatory expectations for the growing volume of third-party relationships needed to offer next-generation financial services. While the objectives of third-party risk management oversight are similar for every bank, the implementation varies with each fintech relationship, based on each bank’s own interpretation of its regulators’ expectations. The lack of standardization has left banks to create their own third-party vendor management practices, which over time tend to become more and more complex and onerous as the bank responds to changes in the market and broader regulatory mandates.
For both parties, the cost, in terms of both time and resources, of onboarding and maintaining these relationships becomes more burdensome with each new partner. This uphill battle ultimately results in less choice and fewer options, particularly for smaller institutions, which face additional challenges in advancing their technology systems.
Since thousands of financial institutions across the country rely heavily on their core banking system providers to advance their digital goals, they naturally have fewer human and financial resources to pursue, procure, implement and manage technology relationships with multiple third-party providers. Moreover, most technology solutions available to banks, both large and small, have the greatest impact when they are integrated with the core operating systems of a bank. As a result, core providers are critical to any technology decision that their bank partners make and, subsequently, are the primary providers for many of the technologies used by banks today.
The data underscores this reality. According to a survey conducted by Bank Director in 2019, 68 percent of banks that relied on core providers said that API technology that is used to sync bank and fintech systems is provided by a core provider; 47 percent reported depending on a core provider for peer-to-peer payment technology; 43 percent reported that business process automation was provided by a core provider; and 42 percent indicated a core provider was responsible for enabling data aggregation.
Yet another challenge faced by many U.S. financial institutions is an overall lack of resources to vet and onboard new technology partners in a manner compliant with third-party risk management guidance issued by federal banking regulators. Certain institutions may lack in-house expertise regarding due diligence, knowledge of how to structure adequate contracts and resources for monitoring third-party compliance. Faced with these challenges, a natural response for these financial institutions can be to resist implementing certain technology tools altogether out of a perceived abundance of caution against non-compliance with regulatory requirements.
To help ease and streamline the procurement process for technology providers, a certification of adherence to third-party partner risk management requirements, either by a standards body or by a self-regulatory organization, would provide assurance that a third-party vendor meets the compliance requirements expected by prudential regulators. It’s important to emphasize that nothing like this should be proposed as a mandate; banks satisfied with their current TPRM practices should be able to choose to continue them.
This would give any supervised financial institution that wishes to work with that vendor an option that carries significantly lower onboarding anxiety and expedites delivery of new financial products and services to its customers. This new regime should be particularly focused on creating a safe harbor that enables financial institutions beyond just the very largest in the country to partner with technology providers. The ultimate outcome of such a regime should be to reduce the third-party risk management burdens on both banks and fintech firms, and it should be carefully designed not to add new compliance requirements for banks.
Banks, third-party providers of all sizes and, most importantly, customers would all benefit from a new oversight establishment for this rapidly evolving market. A new set of national standards and accreditation that formally integrates established best practices between banks and third-party fintech firms would meaningfully reduce the barriers to developing these critical and innovative relationships.
Adam Hughes is CEO of Amount, a digital banking solutions provider. He was previously president and COO of Avant, a digital consumer lending platform provider.