Know your fintech: Banking agencies issue guide on conducting fintech due diligence
The Federal Reserve, FDIC and OCC jointly issued a due diligence guide for community banks for assessing potential relationships with fintechs. Our client update examines the implications of the guide for both banks and fintechs.
Background
The Federal Reserve, FDIC, and OCC (together, the Agencies) have jointly published Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks (the Guide). While the Guide is framed as a tool for community banks, there is insight to be gleaned from the Guide by fintechs as well.[1] In addition to being a useful guide for banks, the Guide should allow fintechs to gain a better sense of the information and documents they should have in hand, as well as the approach they should take, when aiming to partner with banks. For example, as discussed below, a fintech should: develop strategic plans focused on third-party relationships with banks; highlight the experience and qualifications of its staff; be prepared to demonstrate long-term financial stability; and develop comprehensive internal control, legal compliance, and risk management frameworks that align with those of banks.
The Guide follows the Agencies’ recently published proposed interagency guidance (the Proposed Guidance) concerning how banking organizations should manage the risk associated with their third-party relationships, which Davis Polk addressed in another client update. The Proposed Guidance is applicable to banking organizations’ third-party relationships generally, addressing “any business arrangement between a banking organization and another entity, by contract or otherwise.” In contrast, the Guide focuses squarely on community banks’ relationships with fintechs. Nevertheless, the Guide expressly notes that it draws from the Agencies’ existing guidance on third-party relationships and is consistent with the Proposed Guidance.
The Guide was itself followed by the Federal Reserve’s publication of a paper titled Community Bank Access to Innovation through Partnerships, which provides a framework for understanding partnerships between community banks and fintechs, and what makes those partnerships effective. Davis Polk addressed this publication too, in a separate client update.
The Agencies’ recent publications are responsive to, as the Guide puts it, “innovation and evolving customer preferences that are changing the financial services landscape,” brought about in part by both the increasing prevalence of fintechs as well as the growing number of relationships between fintechs and banks. The issuance of the Proposed Guidance and the Guide in relatively quick succession may signal that third-party risk management, and in particular risk management of relationships involving fintechs, is an area of increasing supervisory focus for the Agencies.
The Guide
Due diligence as a component of third-party risk management
The Guide, consistent with the Proposed Guidance and other prior guidance from the Agencies, emphasizes that due diligence “is an important component of an effective third-party risk management process.” While conducting due diligence, “a community bank [or other banking organization] collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.” The scope and depth of the diligence process should be calibrated to the degree of risk posed to the bank and the nature and criticality of the contemplated relationship. Accordingly, a fintech seeking to establish and maintain healthy business relationships with banks should consider structuring its presentation to, and documentation for, a bank in a manner informed by the Guide, which may improve its likelihood of success.
Key due diligence topics
The Guide discusses six key topics banks should consider when conducting due diligence on a fintech: (1) Business Experience and Qualifications; (2) Financial Condition; (3) Legal and Regulatory Compliance; (4) Risk Management and Controls; (5) Information Security; and (6) Operational Resilience. Since these topics are of key importance to banks, they should be top of mind to fintechs preparing to approach, or being approached by, a bank.[2]
Business experience and qualifications
The Guide notes that “[e]valuating a fintech[’s] business experience, strategic goals, and overall qualifications allows a community bank to consider a fintech[’s] experience in conducting the activity and its ability to meet the bank’s needs.” A fintech should be prepared to highlight the adequacy of its expertise, its ability to aid the bank in meeting goals and expectations, and its commitment to the flexibility necessary to adapt to the bank’s regulatory requirements.
Business experience
A fintech’s prior experience in providing services or products similar to those contemplated can shed light on the fintech’s ability to adequately support a bank in a fashion that complies with all regulatory requirements and allows the bank to satisfy its customers. Banks should also review any client references and complaints, which demonstrate a fintech’s ability to satisfy client needs and resolve issues, and any legal or regulatory actions brought against the fintech. Fintechs will therefore want to consider how best to establish and present a track record of both client satisfaction and regulatory compliance.
Business strategies and plan
Examining a fintech’s strategic plans, corporate culture, and management allows a bank to determine whether the two parties’ goals and culture are aligned, and whether any of the fintech’s contemplated actions may affect its ability to adequately service the bank. A fintech should be willing to explain how its mission and strategic plans contemplate the provision of products or services to bank customers.
Qualifications and backgrounds of directors and company principals
Understanding the background and expertise of a fintech’s senior management aids a bank in developing a view as to whether the fintech has knowledge and expertise commensurate with the requirements of the contemplated relationship. A fintech will therefore want to emphasize the depth and breadth of experience present at the management level, as well as at broader staff levels, and develop plans showing that it has sufficient resources to service the bank.
Financial condition
Understanding a fintech’s financial condition is important to a bank, which will want to be confident that a third-party provider will remain a going concern and be able to fulfill its obligations to the bank. More established fintechs should be capable of providing multiple years of audited financials; nascent and still developing companies may be unable to provide such documentation. When such information is unavailable, the Guide suggests that a fintech could provide alternative information bearing on aspects of its financial performance and stability, such as the fintech’s “access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech[’s] overall financial performance.”
Financial analysis and funding
Financial reports and funding sources are both relevant to a fintech’s ability to continue as a going concern and satisfy its obligations. Depending on a fintech’s stage of development and business model, it may fund operations and potential growth with its own cash flow or may rely on other sources of funding. Regardless of funding source, a fintech should be prepared to explain how its operations will be funded for the life of the contemplated relationship.
Market information
A bank will need to understand the dynamics of the market in which a fintech operates and the competition the fintech faces in order to better assess the viability of the fintech as a potential third-party provider. Details on the fintech’s client base (e.g., size, number of large critical clients) and its sensitivity to market shocks will be similarly informative. Given that the Agencies have highlighted these dynamics to banks, a fintech should consider the way in which it describes its competitive markets and client base, especially where that base is highly concentrated.
Legal and regulatory compliance
An assessment of a fintech’s legal standing, track record of compliance with regulations and cooperation with regulators, and knowledge of the legal and regulatory landscape applicable to the contemplated activity assists a bank in judging whether the fintech is capable of servicing the bank in a manner compliant with all relevant laws and regulations. Some fintechs may have limited or no experience operating in, and interacting with, the legal and regulatory environment inhabited by banks. In such circumstances, a bank may take approaches designed to ensure compliance, such as tailored contract terms focusing on compliance, supervisory reviews and audits, mechanisms requiring bank approval for certain changes, and periodic review of customer feedback and complaints on the fintech.
Legal
Banks can analyze a fintech’s legal standing by reviewing the fintech’s licenses, charters and registrations, which shed light on the activities legally permissible for the fintech to engage in. They can also consider the legal implications of the contemplated relationship, and evaluate any outstanding legal or regulatory issues faced by the fintech. A fintech should ensure that all of its activities are permitted by the fintech’s formation documents, demonstrate that it has obtained all licenses necessary to engage in such activities, and be prepared to discuss any ongoing legal or regulatory disputes, especially those that involve intellectual property relevant to the products or services to be provided to the bank.
Regulatory compliance
Developing a view on a fintech’s regulatory compliance is key to a bank and is aided by: review of the fintech’s risk and compliance processes relating to privacy, consumer protection, anti-money laundering, and other matters; consideration of the fintech’s experience working with other banks; analysis of the fintech’s consumer-facing applications, delivery channels, disclosures, and marketing materials that may give rise to legal or regulatory issues; and consideration of the fintech’s industry ratings. A fintech should prepare for third-party relationships with banks by ensuring that comprehensive policies, controls, and training programs are in place with respect to all relevant legal and regulatory requirements. A fintech should also review its public-facing materials and other communications to ensure that they pose no compliance risks. These analyses should be carried out with respect to the legal and regulatory environment inhabited by both the fintech as well as the bank.
Risk management and controls
Banks should understand a fintech’s internal risk management framework, which sheds light on whether the fintech will be able to conduct the contemplated activity in a manner that aligns with the bank’s risk appetite. The maturity level of this framework, and a fintech’s ability to provide related documentation, may depend in part on the fintech’s stage of development. In addition, a fintech may be unwilling to provide certain information that it deems to be trade secrets or proprietary in nature. In such situations, alternative approaches may be of value to both the bank and fintech, such as: on-site visits to evaluate the fintech’s operations and controls; use of the bank’s auditors or another independent party to assess the same; incorporating contract provisions that provide rights to conduct on-site visits, audits, and other performance monitoring and require remediation of identified issues; incorporating contract provisions that outline risk and performance expectations and metrics and grant the bank termination rights if the fintech fails to meet such standards; and acceptance of due diligence limitations as compared to the bank’s typical procedures, if acceptable given the importance of the contemplated arrangement, the bank’s risk appetite and the bank’s third-party risk processes. Regardless of the approach taken, a fintech should seek to demonstrate that its risk management framework, control environment and risk appetite fit squarely with those of the bank.
Risk management and control persons
Banks benefit from clearly understanding not only the internal procedures and policies that govern the contemplated activity at the fintech, but also related management responsibilities and reporting processes. Likewise, banks should attempt to assess the nature, scope, frequency, quality, and findings of both a fintech’s control reviews and internal or outsourced audit functionality, especially as they relate to the prospective activity. Additional areas of focus include the fintech’s internal reporting, which demonstrates how the fintech monitors key risks, performance, and control indicators, the fintech’s staffing and expertise, and the fintech’s training programs. A fintech should be prepared to provide thorough materials describing the comprehensiveness of internal review programs and strength of its risk management framework, as well as recent internal and external review and audit reports and control plans.
Information security
Protection of the sensitive information of a bank and the bank’s customers is vital. As a result, it is important that banks assess the strength of a fintech’s processes for data management and security in light of the relationship and activity contemplated. In particular, banks should understand whether and how the fintech trains and tests employees and subcontractors, the access restrictions used by the fintech to safeguard systems and customer data, the fintech’s methods of identifying and correcting vulnerabilities, and the fintech’s procedures for updating and replacing hardware and software. Like other areas of a fintech’s internal policies and controls, these processes may not be particularly mature in early stage companies. Nevertheless, fintechs should demonstrate that information security is a priority and how they will secure digital infrastructure.
Information security program
When assessing a fintech’s information security program, a bank should also review internal control assessments and testing, training programs, privacy policies, and incident response and notification procedures. A fintech should be willing to provide information about the comprehensiveness and effectiveness of its information security policies, incident management and response policies, and details of security controls assessments.
Information systems
A fintech’s underlying information systems infrastructure is another factor in bank diligence. Banks should determine whether the contemplated relationship and activity—both current and projected—can be performed with the fintech’s existing systems or if additional investment is required. A related consideration will be the fintech’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software.
Operational resilience
Banks should evaluate a fintech’s ability to continue its operations in the presence of disruptions such as technology-based failures, human error, cyber incidents, pandemic outbreaks, and natural disasters. Relevant to this assessment are the fintech’s processes to identify, address, mitigate, and recover from threats and failures affecting itself and its customers. Resilience planning and capabilities should be consistent with the nature and criticality of the contemplated relationship and activity. Banks may investigate the fintech’s ability to meet recovery expectations in the event of a disruption and consider contract terms that ensure that the bank’s and fintech’s recovery timelines and objectives are aligned.
Business continuity planning and incident response
Analysis of a fintech’s business continuity plan, incident response plan, disaster recovery plan and related testing is helpful in forming a view on the fintech’s ability to operate and satisfy its obligations in the face of disruptions. A fintech should be prepared to provide its threat detection procedures and recovery objectives, explain the adaptability of continuity and recovery plans to account for evolving conditions and threats, and describe its prior responses to actual disruptions, cyber and otherwise. The location of a fintech’s data center may be relevant to a bank’s consideration of the laws and regulations that may apply to customer and business data.
Reliance on subcontractors
Fully understanding a fintech’s resilience and recovery capacities requires analysis of the fintech’s dependence on subcontractors, such as the number and nature of any subcontractor relationships. Fintechs should be prepared to share, and explain the adequacy of, processes for vetting and engaging with subcontractors, especially if subcontractors have access to fintech systems critical to the contemplated relationship and activity.
[2] The Guide includes one additional sub-topic not discussed in this client update because it is not a due diligence topic—“service level agreements.” In that sub-section, the Guide explains that when negotiating the agreement that will ultimately govern the relationship between a bank and a fintech, a bank should ensure that the terms are both reasonable and adequately tailored to the nature of the relationship and activity.