Opportunity Knocks: New Bank-Fintech Relationships

The regulatory winds have shifted, and the Trump administration seems to be signaling that it is opening the door for fintechs to emerge in a more favorable regulatory environment. This means that compliance professionals at banks and credit unions (referred to hereafter as "banks") will likely be asked to evaluate new opportunities and provide support for responsible innovation.

You know the drill to bring on a new third-party vendor - do your due diligence investigation, a risk-benefit analysis and evaluate how well your bank can mitigate risk to a level within your bank's risk tolerance. However, bringing on a fintech is more complicated. Each fintech is unique, some may be startups with little to no business history offering emerging technologies that are neither well-known nor well-tested, and the task may feel daunting. Where do you start?

Benefits of Bank-Fintech Relationships

Let's start with the touted benefits as we discuss a risk-benefit analysis, because that is likely where the business is starting their discussions with you. You will hear that leveraging the agility, innovation and technology of fintechs will improve customer experience, drive operational efficiency, and provide the ability for your bank to tap into new markets.

It's possible that you are already using Artificial Intelligence (AI) algorithms and models in some fashion. The next step may be employing a chatbot or virtual assistant to provide customer service 24/7 through natural learning processing (NLP) and machine learning (ML) algorithms to understand and respond to customer queries. Predictive modeling could enhance credit scoring to enable the use of alternative data and advanced analytics to access underbanked populations that may have been overlooked by traditional credit scoring systems.

With digital payment integration technologies, your bank could offer customers faster, cheaper, and more secure payment methods. Innovative payment processing solutions could expand your reach to small businesses that may otherwise be underserved. Your bank could access innovative fintech platforms to expand lending capabilities and enhance credit offerings.

Fintech technology could also be used to streamline application processes, attract a broader range of consumers, and enhance risk management capabilities. Robotic process automation (RPA) could streamline tasks such as account opening, loan processing and document verification while reducing manual errors and speeding up service delivery for customers. ML algorithms can also analyze vast amounts of transaction data in real-time to identify patterns and anomalies that could indicate fraudulent activity, and AI models can be trained to detect unusual behaviors that could flag suspicious activities for further investigation.

By partnering with fintechs, your bank could help your customers manage their money in a more proactive manner and could offer them personalized recommendations on how to save, invest, reduce debt, improve their credit score, budget, and manage money. It could then use this data to tailor lending, savings or investment products and services to customers based on their financial goals and spending patterns.

Perhaps it's just a small jump to consider offering Banking-as-a-Service (BaaS) solutions to expand the breadth and scope of your fintech relationships. Some banks are already on the doorstep of using blockchain and distributed ledger technology to increase security and efficiency. Blockchain used for cross-border payments is touted as significantly reducing transaction costs and processing times, and blockchain-based solutions could be used to improve Know Your Customer (KYC) and Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) procedures, reduce the risk of fraud, and make it easier for your bank to comply with regulatory obligations.

Multifaceted partnerships with fintechs can be transformative for your bank, and many of these promised benefits could be realized. Fintechs are already revolutionizing the financial ecosystem, and your bank can't be left behind. Of course, the challenge is in the "how" it's done, and "who" it's done with. Time is of the essence for you to ramp-up your skillset to more accurately identify and assess the potential risks in bank-fintech arrangements.

Assessment of Risks in Bank-Fintech Relationships

Let's all agree on a basic premise: banks cannot outsource risk. Therefore, it is critical that risks be evaluated throughout the lifecycle of the fintech's relationship with your bank, starting with robust due diligence identifying all possible risks. Potential risks include Liquidity, Strategic, Market, Credit, Reputation, Technology, Security, Legal, Operational and Compliance risks.

Within Compliance, risks span across all of the bank's statutory and regulatory obligations, including AML/CFT, fraud, fair lending, UDAAP (Unfair, Deceptive or Abusive Acts or Practices), and across the A-Z consumer and business regulatory requirements.

This is all easier said than done. After all, what could go wrong? Just look to the headlines, and potential impact of regulatory findings (federal/state), civil money penalties, reputation risk, impact on stock price, loss of customers, and in the not-so-rare occurrence, bankruptcy.

Clearly, bank-fintech arrangements can pose risks to banks and consumers in new ways, from new directions, and with more severity than typical third-party relationships. Recently, the Federal Reserve System (Fed) published an article on Complex Bank-Fintech Partnerships in the Fourth Issue 2024 of Consumer Compliance Outlook. This article focuses on community banks, however the principles discussed could apply more broadly as well. It acknowledges the unique nature of the risks posed when working with fintechs:

These novel manifestations of risk can be challenging for some compliance and risk management frameworks that are calibrated to more traditional risk patterns. While risk is inherent in the business of banking, supervisors expect banks to be adequately prepared to identify, measure, and manage the risks they face. Community bankers engaging in complex bank-fintech partnerships will want to consider how their governance and risk management frameworks are fit for new risk patterns.

There are five commonly observed risk management challenges, described as follows:

1. Accountability: Banks and fintechs may divide contractual accountability for aspects of the customer relationship between them. However, the bank remains responsible for compliance with all applicable laws, and this contractual division of labor can complicate a bank's ability to monitor and address risk issues when they arise.

2. Rapid Growth: Partnerships can lead to rapid growth in deposits or payments volume. Banks may have trouble scaling their risk management capabilities fast enough to keep pace with the growth in the volume and complexity of their operations, which can increase the chance of risk management failures, including regulatory violations.

3. Funding Concentrations: Partnerships can result in significant concentrations that challenge a bank's ability to manage liquidity risks, particularly if funding is deployed in illiquid or long-term assets or if a large partnership suddenly ends.

4. Customer Confusion: When a fintech is an intermediary between a bank and its customers, the customers may not know that the fintech they are interacting with is not itself a bank, particularly when the fintech refers to FDIC insurance in its marketing. Customers may not understand that deposit insurance does not protect against the fintech's failure.

5. Data Use and Ownership: The division of roles between a bank and a fintech can create issues around data ownership, particularly in regard to the bank managing its operations and meeting compliance obligations. Therefore, it is important for the bank to have access to its data held at the fintech. If the bank cannot access its data, the bank faces multiple challenges, including challenges related to customer account recordkeeping and AML/CFT compliance.

For a deeper dive into the interagency discussions, check out OCC Bulletin 2024-20 Third-Party Arrangements: Joint Statement on Banks' Arrangements with Third Parties to Deliver Bank Deposit Products and Services, July 2024.

Risk Management of Fintech Partners

The Interagency Third-Party Risk Management Guidance issued in June, 2023, is a good resource that provides general risk management considerations for the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-parties, including fintechs, and is a good place to start risk management of your bank's fintech partners. Here are some additional thoughts with practical ways to implement mitigation strategies based on the enumerated risks in the Fed article, as well as a few additional things to consider beyond the typical due diligence done as part of your standard third-party vendor management onboarding process. (Also, because of the complex nature of new technologies, don't be afraid to ask for an "interpreter" to help you translate between "fin" and "tech" when needed.)

1. Accountability: Accountability starts with questions to ask before deciding to partner with a fintech. Be thoughtful and think through exactly what your objective is, consider what elements need to be outsourced, and determine whether any elements could be developed in-house. Understand critical or key activities, where they fit within the product or service lifecycle, and be attentive to all customer interfaces.

Next, choose your partner carefully. Evaluate the competitive landscape and explore whether there are other options to achieve your objective. Talk with your existing tech partners that you know and trust (to the extent possible with Non-Disclosure Agreements) to determine whether any of them would be willing to partner with you to develop new capabilities to meet your objectives. Time spent exploring partner, buy, network, invest or build considerations is time well spent. (For a look at how banks developed the Zelle® network to compete with fintechs, check out Zelle - A Fast and Easy Path to Compliance Concerns, which highlights the success of the payment network, as well as some compliance issues. The CFPB has since dismissed the lawsuit. https://www.bankersonline.com/articles/177078.)

If you decide to partner with a new fintech, dig deeper to get to know who the talent is, how long they have been there and what funding sources are in place. You do not want to have key talent leave or funding dry up in the middle of your contract. Also consider what experience they have not just as a fintech, but in doing the exact type of initiative that you need. Many fintechs expand rapidly and may not be as consistent in ancillary activities as they are with their core functionalities.

Also be realistic in how important you are to the fintech. When they are starting out, they are eager to spend time with you and be responsive to your timeline and requests. That may all change if a bigger fish comes along. Therefore, consider contracting the work in stages or phases, to give you flexibility to pivot if you get left in the dust or are not achieving the benefits/progress you expected.

As you negotiate the contract, consider specifically enumerating what may be needed for compliance, risk, audit and exam responsibilities to maintain a robust Compliance Management System and adequate Risk Framework. Be as detailed as possible and include expectations for review and approval of marketing, social media, web and other consumer interfaces, key metrics and key performance indicators, access for monitoring, complaint management processes, and timelines for responding to audit or exam requests. Be clear about your expectations with regard to the fintech outsourcing any of your work to subcontractors.

2. Rapid Growth: Success can happen rapidly and lead to difficulties in scaling operations as well as scaling risk management oversight. During the planning phase, understand any aspects of the functionality that involves manual work, and be sure to have key performance metrics timely delivered to help you quickly notice any uptick in trends. Plan for business continuity before signing the contract.

In areas of emerging technologies, especially with blockchain or cryptocurrencies, risk management must include commensurate talent and resources to support oversight, with contingency plans (including contractors or consultants) to maintain the integrity of risk management.

3. Funding Concentrations: Business continuity plans and safety and soundness considerations are key to prevent your bank from disaster - consider Silicon Valley Bank's inability to manage liquidity risks, or the issues for Evolve Bank (and consumers) arising from Synapse's failure. Study the lessons learned, especially if you are considering BaaS opportunities.

4. Customer Confusion: As part of your Compliance Management System, you already have preventive controls in place to review customer interfaces, such as marketing, social media and web pages, and you should have contract provisions to extend this review to your fintech partners. Pay special attention to whether and how Federal Deposit Insurance Corporation (FDIC) insurance is represented. The Synapse failure highlighted the difficulties in reconstructing customer accounts and reconciling Synapse's and partner banks' records. FDIC Director Jonathan McKernan (current nominee for Director of the Consumer Financial Protection Bureau) issued a statement in support of improved recordkeeping for custodial accounts that is interesting reading.

5. Data Use and Ownership: Consider all aspects of data in the contract terms - data collection, data integrity, system communications, system monitoring, data analytics, data retention, data destruction as well as privacy, security, and cybersecurity considerations. Who owns what, in terms of customers, methodologies and data, and what happens if the fintech fails or the relationship ends.

One other area of amplified risk occurs when the compliance function itself is outsourced to a third-party vendor or fintech. Remember the basic premise - banks can outsource the activities, but cannot outsource the risk. Choose your partners wisely.

Reporting to the Board

It is essential that senior management and the Board of Directors have the benefit of your reasoned risk-benefit analysis, assessment of risks and mitigation strategies so that they can make an informed decision on the latest and greatest fintech opportunity or partnership that arises. The Board has the ultimate responsibility for your bank's compliance with applicable laws and regulations, as well as oversight of all bank-fintech partnerships. Technology evolves quickly, and you want to be ready to act when opportunity knocks.