FinTech Due Diligence Guide for Community Banks
FinTech Due Diligence Guide for Community Banks
Over the past several weeks, bank regulators have released a series of publications applicable to Community Bank-FinTech partnerships including newly proposed guidance, a diligence guide, and a Federal Reserve white paper on types of FinTech partnerships:
- Proposed Interagency Guidance on Third-Party Relationships
- Conducting Due Diligence on FinTech Companies: A Guide for Community Banks
- Federal Reserve paper on “Community Bank Access to Innovation through Partnerships”
Prior to assuming my role as Head of Risk at Synctera, I oversaw the Fintech group at the Federal Reserve Bank of San Francisco, which was tasked with covering FinTech developments in Silicon Valley, consulting bank examiners, and advising policymakers with an overarching mission of pushing for responsible, inclusive innovation. With the release of recent agency publications, I am encouraged to see the efforts regulators across agencies continue to make to provide clarity toward this evolving space.
At Synctera, we focus on forming mutually beneficial partnerships between banks and FinTechs. We’ve had an opportunity to collectively work with community banks and FinTechs at different stages along the Banking-as-a-Service (BaaS) journey. Here are some of my thoughts specific to FinTech due diligence.
A pathway toward innovation
This past decade has been an extraordinary time to build a FinTech company as global equity investments in Fintech reached over a trillion dollars at a 45% annual growth rate since 2010. During my time at the Fed, it was clear that large banks began to recognize both the threat and opportunities of FinTech as they have allocated more of their capital toward technology investments. This is a different challenge for community banks that do not have the scale or ready access to the expertise of a large institution. Yet, it is an unprecedented time for community banks to evaluate partnerships and ride the wave of innovation as customers shift to a digital banking environment accelerated by the pandemic and as the next generation of digital natives arrive. Community banks have an opportunity to provide their relationship-based experience and knowledge of compliance in partnership with FinTechs that are building innovative financial products that are engaging underbanked segments and the next generation of customers.
The US paycheck protection program (PPP) exemplified the possibilities of community bank-fintech partnerships as fintechs rapidly built out PPP loan application portals and served as a source of distribution, providing an crucial source of PPP lending for smaller, diverse businesses. Having worked on these initiatives during the pandemic, it was clear to me that while there are still fraud and compliance challenges, FinTechs play a valuable role reaching smaller businesses that many traditional banks do not. Agencies have become more vocal about the role innovation can play in tackling critical financial inclusion issues and addressing the underbanked, which encompasses nearly 25% of Americans. There have even been agency-sponsored events to connect community banks with technologists.
Proposed guidance released in July 2021 and the complementary guide released in August 2021 by bank regulators underscores that FinTech partnerships are increasingly prevalent and reflect an important pathway for banking innovation. The proposed guidance acknowledges that these innovative partnerships can differ from a typical vendor relationship. As a result, the due diligence process should reflect these unique relationships including those with earlier stage FinTechs that do not have the robust infrastructure of a more mature organization. The Federal Reserve has been open about the fact that diligence can be burdensome for smaller banks. In fact, the due diligence guide was developed in part to help “reduce these burdens” by providing practical tips.
By releasing interagency guidance, the OCC, FDIC, and Fed are also sending a clear message that differences in bank primary regulators should not create different expectations - especially for those trying to reconcile with existing OCC, FDIC, and Fed guidance. The proposed guidance frames diligence as covering six core areas - business experience, financial condition, information security, legal & regulatory compliance, operational resilience, and risk management & controls. What hasn't changed is that these six areas generally build off existing principles, particularly those within OCC guidance, even adopting the OCC’s supplemental FAQ in 2020, which focuses on FinTechs.
Ultimately, these publications offer some added clarity and help community banks reassess their partnership opportunities and the associated due diligence process.
What should sponsor banks do on due diligence?
Given the new proposals and guide, here are four suggestions for sponsor banks considering or already entered into the BaaS space:
1. Review your current due diligence process against proposed guidance
Conduct a high-level assessment of your current diligence process against the six core areas. Regulators are not requiring your process to be precisely organized by those areas, but understanding how your existing diligence maps against these areas will be useful for future regulatory discussions. In addition, this is an opportunity to review your contracts as the due diligence guide provides suggestions and examples on contractual stipulations between sponsor bank and FinTech that define the sponsor bank's oversight capabilities and the FinTech’s responsibilities.
2. Tailor your due diligence based on the maturity of the FinTech
Both the proposed guidance and due diligence guide recognize that not all FinTechs are created equally. Sponsor banks should review their process for FinTechs that have varying levels of maturity. For example, a seed stage, pre-product FinTech's projected financials may not carry as much weight as understanding their business model, management team, and sources of funding (as well as burn rate). In addition, understanding the lead investor at an early stage, venture capital (VC) funded FinTech may be a helpful signaling mechanism as VCs perform their own intensive diligence of companies before deploying their capital. This may contrast with the approach toward a larger FinTech with an established customer and revenue base. Existing financials and projections may be more credible while understanding their historical control environment could be a helpful leading indicator on their approach toward risk and compliance.
3. Treat your FinTech partnerships like a portfolio
The due diligence process is an opportunity to understand how a particular FinTech might supplement your portfolio of partnerships. Regulators continue to emphasize concentration risk in the proposed guidance. Just as a portfolio manager might assess the correlation and concentrations across their investments, sponsor banks might evaluate whether they have FinTechs that are concentrated in specific customer segments or industries and the impacts of a potential downturn. Likewise, a sponsor bank diligencing more strategic partnerships may want to understand the idiosyncratic impacts on the bank’s broader deposits or revenues of a partner. For community banks flush with deposits, being proactive in understanding balance sheet or regulatory ratio impacts (e.g., Tier 1 Leverage) could be an important part of the diligencing process.
4. Have a clear understanding of when to say ‘no’
Both the guidance and the Fed white paper focus on the importance of aligning the sponsor bank’s diligence and decision-making on partnerships with its broader strategy and risk appetite. The Fed white paper provides an example of a bank that decided not to go with a particular partner due to its handling of customer data. Each bank should have principles and criteria regarding the types of FinTechs they are willing to partner with, which may be based on factors such as product types, industry/sectors, maturity, and sophistication of controls. Sponsor banks should be prepared to speak with regulators regarding situations where they may have had to turn down a deal due to diligence findings or misalignment to strategic goals or risk appetite.
Six key areas of FinTech due diligence
Based on the guide, there are six key areas that should be considered when partnering with a FinTech:
- Business experience and qualifications: Operational history, experience (e.g., client references, complaints), legal and regulatory actions, and strategic plans including for new products, arrangements, etc.
- Financial condition: Financial analysis of the FinTech’s ability to remain as a viable business operation and market considerations (e.g., client base, competition, geopolitical risk).
- Information security: Infosec framework including documented and enforced data security controls, incident response, breach notification processes, and information systems programs and design (e.g., ability to deploy new hardware/software, end-of-life policies, etc.).
- Legal and regulatory compliance: Organizational documents, licenses, registrations, legal permissibility of activities and products, regulatory compliance (policies, procedures, training for topics such as privacy, consumer protection, fair lending, anti-money laundering, and so on), marketing channels, and consumer complaints.
- Operational resilience: Business continuity planning, business resilience, and incident response (disaster recovery, tolerances around downtime, failover data centers and replication sites, insurance policies), service level agreements (proposed agreements with FinTech for such things as performance standards and associated triggers/recourse).
- Risk management and controls: Effectiveness of risk policies, procedures, process, training, reporting, and general ability to align with the bank’s risk appetite, appropriate laws, and regulations.
The Synctera FinTech-as-a-Service (FaaS) platform facilitates and streamlines many of the complicated workflows associated with the oversight of Bank-FinTech partnerships. We also assist with FinTech compliance and due diligence. Our bank and FinTech partners are able to get to market faster while accommodating specific regulatory and bank partner requirements.
As we remain in a fast-moving space where guidance from industry and regulatory experts continue to inform and mold the business model, Synctera is here to help provide support. It’s imperative that banks, FinTechs, and service providers such as Synctera, keep pace with regulatory and other developments.
Whether you’re new to bank-FinTech partnerships or have an existing program already in place, we’d be happy to answer any questions you may have regarding the proposed third-party relationships guidance or the August 2021 due diligence guide for community banks.
<div class="rt-btn-wrap"><a href="https://synctera.com/contact-us" class="button yellow w-button">Contact us today</a></div>
Great FinTech apps get built and scaled on Synctera’s end-to-end platform.
Get started to learn how Synctera can bring your product vision to life