By John Hintze
All bankers know that their banks are accountable for the products and services they offer. But in today’s highly competitive environment in which offerings from myriad firms can help their banks rival and even outperform big competitors, the necessary due diligence can slip.

The FDIC released guidance this month aimed at community banks that emphasizes banks’ responsibility to operate in a safe and sound manner when engaging with third-party firms, “just as if the bank were to perform the service or activity itself.” Acknowledging 2023’s Interagency Guidance on Third-Party Relationships: Risk Management, the agency states that its recent guide is not a substitute for the earlier guidance, but instead a resource for community and other banks to consider when managing third-party risk.
The FDIC’s guidance identifies five parts to the third-party risk-management life cycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination.
In terms of planning, bankers must first step back to define precisely why the bank is seeking fintech partnerships, says Julieann Thurlow, president and CEO of Reading Cooperative Bank in Massachusetts and board chair for the American Bankers Association. Is the bank seeking to strengthen its relationships with existing customers or gain new clients outside its traditional footprint?
“What is the strategic goal I’m trying to accomplish, and how is this fintech going to get the bank there?” Thurlow says, emphasizing the necessity to ensure that potential fintech partners are not seeking to grow faster than the bank can handle.
The FDIC guidance lists several considerations, including the underlying activities to be performed and the bank’s and fintech’s prospective roles; the legal and compliance requirements that apply to prospective third-party activities; and what risk-management and governance practices will be necessary to manage and mitigate the potential risks.
“Depending on the risk profile of the fintech and the amount of activity that fintech is producing, the bank has to have appropriate staff and the technology platform to manage these types of activities,” said Phil Bianco, EVP and chief technology officer at First Bank of the Lake.
Choosing the correct fintech firm and performing the necessary due diligence are key. Bianco notes that searching for fintech firms resembles the search for any new bank product or service, and the task may include attending conferences and working with venture capital firms investing in the firms.
Thurlow helped found Alloy Labs, a consortium of banks interested in more advanced third-party relationships that Reading Cooperative belongs to. She adds that “it enables members to filter emerging fintech opportunities and determine which are bubbling up as the best players.”
Due diligence plays a key role in determining whether to ink an agreement with a fintech. Thurlow said auditor Wolf & Co. has provided advanced evaluations of fintech firms to help her bank consider the risks to address, in advance of signing a contract.
“Having resources that look at these relationships through a different lens is really important, or you can end up falling in love with every fintech you talk to,” Thurlow says, adding that in the fintech evaluation process, it’s also helpful to engage the bank’s regulator, which can suggest issues the bank may not have considered.
Bianco, previously chief technology officer of The Bancorp, a sponsor bank that has enabled cutting-edge financial services by fintech firms including Chime and Google Wallet, noted the importance of understanding whether the fintech has customers already transacting on its platform, and whether there’s another sponsor bank. A startup’s funding sources and its funding rounds so far are also relevant, as well as who sits on its board and in leadership positions, and whether the firm’s intended market fits the bank’s risk profile.
Another key element, Bianco adds, is whether the fintech is building the technology or using an experienced middleware provider to help build it.
“All those components are built into a profile that is vetted and should be voted on by multiple executives within the bank,” he said, noting the importance of educating fintech partners on bank regulation and determining the roles each party will play to remain compliant.
Keith Monson, chief risk officer at First Bank of the Lake, pointed to BSA and UDAAP requirements as key areas for which banks must ensure compliance when onboarding a fintech. He added that recent consent orders indicate banks are struggling with BSA requirements and adequately identifying customers originated through fintech platforms.
“The bank can rely on the fintech for some compliance functions, but mechanisms must be in place to monitor and track customers and transactions, as the bank cannot outsource accountability,” Monson says.
In its relationship with Upstart, an artificial intelligence-driven consumer lending platform, Reading Cooperative had to ensure that fintech firms’ models and algorithms did not adversely affect the bank’s fair lending results, Thurlow adds.
“So we needed to see their data,” she said. “At first, these companies don’t want to provide the data because they consider it proprietary. But it’s the only way we can ensure there won’t be fair-lending violations on our behalf.”
Banks must then negotiate into contracts those mechanisms and stipulations to meet their business objectives, regulatory obligations and risk management policies and procedures.
“When a community bank has limited negotiating power, it is important for bank management to understand any resulting limitations and consequent risks,” notes the FDIC guidance, to determine whether the contract still meets the bank’s needs, would result in increased risk, and if residual risks are acceptable.
Thurlow says working with the Boston-based KL Gates has been very helpful because the law firm counts both fintech firms and banks as clients.
“They’ve helped us think about contracts because they’ve seen both sides of the aisle,” she says, adding that contracts should contain a renewal date to evaluate and update the relationship with the fintech.
To maintain healthy relationships with their third-party partners, Bianco said, banks should pursue open and continuous communications between bank and fintech staff, especially if the bank is sponsoring the fintech, as well as between the leadership of each institution. Regular reporting requirements can be built into contracts, he adds, and in addition to annual audits there may be additional levels of documentation, depending on the function the third-party firm is providing.
Potential ongoing monitoring considerations listed by the FDIC include whether a third party’s financial situation has changed; its compliance with applicable laws, regulations and service level agreements; its reliability; the effectiveness of its business continuity and disaster recovery plans; and whether its performance has changed due to mergers, acquisitions or divestitures.
A bank’s ongoing monitoring responsibilities for third-party firms reach up to the board level. Regulators view fintech relationships as critical services offered to bank customers, Monson says, so board approval may be required when engaging in new fintech relationships. Recent consent orders illustrate regulators’ concerns about banks’ third-party risk-management practices, especially when sensitive customer data is involved.
“Banks must be aware that the regulators are looking for board involvement when engaging in higher risk activities,” Monson said.
All business relationships come to an end, and in the case of community banks and fintech firms, the reasons can vary from breach of contract to the bank seeking a different firm or bringing the function in-house. Some potential considerations before a breakup, the FDIC points out, include how the bank and third party handle shared intellectual property; the access to bank systems or information granted to the fintech; and whether the fintech has access to bank customer data and how it will be returned or destroyed.
“You need a crystal ball to understand what could go wrong,” Thurlow says. “It’s kind of like a [prenuptial agreement]: You don’t want to think about what a breakup would look like, but sometimes it needs to happen.”
John Hintze is a regular contributor to ABA Banking Journal.