Your FinTech app or embedded banking product is starting to come together. You’ve determined your ideal customer profile, mapped out your user flow, and are starting to build your product’s user interface.
But before you launch, one key aspect of your product needs to be fine-tuned: compliance.
Everyone in the FinTech industry is responsible for building their products with compliance at the forefront, doing their part to maintain a safe and secure financial ecosystem for their customers.
On top of that, your Sponsor Bank partner (the bank that provides the banking license necessary for FinTechs to offer financial products) will need to understand how the new financial products you’re building behave in order to ensure compliance with applicable laws and regulations.
Both Sponsor Banks and the regulators that oversee them require FinTechs to build a compliance program before launching their product. When banks conduct their due diligence on a FinTech before forming a partnership, they will want to see that the planning and execution of a FinTech’s compliance program are comprehensive.
There’s a lot of compliance work to cover, but doing this work up front will set your FinTech product up for success, keeping you and your customers safe as you scale.
To help, Synctera's team of experts put together a 9-step FinTech compliance checklist detailing what you need to do to build a secure and compliant FinTech product before launching to your customers.
Get details about the steps below:
- Gather all of the business documents needed for Sponsor Bank due diligence
- Establish compliance policies and procedures
- Build an information security program
- Develop a third-party risk management program
- Set up customer agreements and disclosures
- Institute a compliance training program
- Identify a Compliance Officer
- Establish customer support operations
- Develop a business continuity and disaster recovery plan
1. Gather all of the business documents needed for Sponsor Bank due diligence
Before agreeing to any new FinTech partnership, Sponsor Banks must perform due diligence on your company. In this process they will want to review many of your crucial business documents to help them fully understand your business and growth trajectory, giving them the context to understand your potential risks and perform the necessary oversight.
These documents include things like:
- Business plans
- Financial statements
- Business licenses
Gathering all of these documents before talking with your potential Sponsor Bank will help streamline the due diligence process, speeding up your time to launch.
Check out our Synctera Learn Site for more information on the due diligence process and required documentation.
2. Establish compliance policies and procedures
Before launching your FinTech product, you need to create policy and procedure documents that include the details of how you will manage all of the various compliance requirements and scenarios associated with your product.
These documents are specific to your unique product and should reflect your company’s use case, size, complexity, and maturity.
The policy portion of these documents should cover the specifics behind the policy and how it applies to your product.
The procedure portion should be more detailed, covering how a policy will be used and executed at your company. It should include the roles and responsibilities, review/approval process, and escalation criteria for a given policy.
It’s essential to work with a compliance expert to understand the policies that will apply to your product. For example, here are some of the policies that must be created for most of the financial products that are operating in the market today:
- Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) / Office of Foreign Assets Control (OFAC) Policies
- Fraud Policy
- Customer Service / Contact Policy
- Compliance Training Policy
- Know Your Customer (KYC) / Know Your Business (KYB) Policy
- Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Policy
3. Build an information security program
Properly securing and handling customer information protects your customers’ sensitive data from bad actors who may try to compromise your systems. A strict yet agile information security program will help you reduce the likelihood of exposing your customers’ data or other sensitive information. You should be:
- Creating and documenting processes around releasing code
- Building safe and secure applications and interfaces
- Adequately restricting access to sensitive information
Before launching and for the long term, you will need to perform regular vulnerability scans and penetration tests. These processes will identify vulnerabilities so you can quickly address them before bad actors can exploit them. There are vendors you can use to assist with these scans and tests.
One of the most critical aspects of your information security program is that your whole company views this as a requirement rather than a nice-to-have. If your Sponsor Bank partner sees that this program isn't being adhered to or enforced, they will likely prevent you from launching or operating in the future.
4. Develop a third-party risk management program
Your product likely relies on various third-party integrations to operate effectively. Importantly, your Sponsor Bank will want to understand:
- Who these third parties are
- Whether they are vendors or subcontractors
- What the process is to assess and mitigate any risks associated with those relationships
Bank regulators have released guidance on how Sponsor Banks should monitor their FinTech partners’ third parties and subcontractors. Quick summary: Regulators want to see that you’ve informed your Sponsor Bank of any third parties you rely on and have reviewed these relationships to identify the risks and necessary controls.
5. Set up customer agreements and disclosures
When offering financial products, federal and state-level laws require your customers to sign or agree to specific terms and conditions and have access to particular disclosure statements.
The language and requirements of these will depend on your product set and what states you operate in. For example, specific disclosures are required for California customers as a part of the California Consumer Privacy Act (CCPA).
We recommend that you work with an external resource, such as your legal counsel, to understand what terms, conditions, and disclosures are required for your product. You will also need to determine how these will be signed by or become available to customers as a part of your onboarding process.
6. Institute a compliance training program
All employees at your company will need to understand the specific compliance requirements that apply to your product and their job functions, and regularly stay up to date on rules and regulations. For example, your marketing team needs to understand the regulations surrounding how you can and can’t market financial products, and importantly, make sure they’re refreshing their knowledge on these regulations regularly.
To keep your employees up to date on these regulations, you must develop a thorough compliance training program. An effective training program acts as a preventative measure, reducing the chance of regulatory issues or consumer harm by generating company-wide awareness.
Your compliance training program should outline:
- What courses are required
- Who will need to complete these courses
- The associated training calendar or schedule
Special note: Compliance training programs should also track employee participation and completion. This training program will be reviewed and approved by your Sponsor Bank.
7. Identify a Compliance Officer
A Compliance Officer is an important team member who will help with essential compliance decisions that affect your company and will also develop a collaborative relationship with your Sponsor Bank.
When preparing to launch your financial product, your company needs to designate an individual to lead critical risk and compliance functions. These functions include:
- Overseeing the KYC process
- Fraud monitoring
- Consumer compliance
Your Compliance Officer should be qualified and knowledgeable in financial compliance and receive ongoing training. Initially, the Compliance Officer can be a part-time hire, and some consultants provide fractionalized Compliance Officer support until your company becomes more mature.
8. Establish customer support operations
As the FinTech, you are responsible (and liable based on Regulation E from the Federal Reserve Board) for owning the customer relationship, including timely customer support.
This means that anytime there is a customer complaint, dispute, or error, your team must bring it to resolution. Creating a process guide is essential to ensure an efficient and uniform process for your teams to start handling and documenting customer support cases. This guide should include:
- Your policies
- The process for addressing different support types
- Associated timing or SLAs on how long you take to investigate and respond to customer complaints
Your Sponsor Bank will want to review these specifics to ensure they comply with certain regulations.
9. Develop a business continuity and disaster recovery plan
Before launching your FinTech product with your Sponsor Bank, they will want to know that you and your systems are ready to handle the unexpected.
This means you should have a business continuity plan, along with supporting incident response and disaster recovery plans, which together ensure that you have programs and processes in place that will allow you to continue operating during a disruptive event.
A disruptive event can include scenarios such as losing your primary availability zone within your cloud service provider, experiencing a distributed denial of service (DDoS) attack, or recovering critical files from prior instances.
Additionally, in the case of a disaster, which is a partial or complete destruction of your systems, you need to have a recovery plan in place. We recommend you perform simulations of these disruptive events to identify gaps or concerns before an actual event.
This process will help you minimize the losses and impact of a disruptive event.
Maintaining a compliant product should never be a “set it and forget it” process for FinTechs. After building out your compliance program using this checklist, you should continue to update and review it as your product becomes more mature or regulatory requirements change.
We always recommend you speak to a compliance professional in the early stages of building your FinTech product, as each company will have unique requirements.
The Synctera team is here to help guide you and provide you with the knowledge and resources you need to help maintain a safe and compliant FinTech product.