On August 27, 2021, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, “the regulators”) issued “Conducting Due Diligence on Financial Technology Companies – A Guide for Community Banks.” The Guide is “intended to be a resource for community banks when performing due diligence on prospective relationships with fintech companies” and is directed at helping community banks meet their third-party risk management obligations when partnering with financial technology (“fintech”) companies.
Fintech is a term that describes a broad range of technology-based alternatives to, or enhancements of, traditional banking services. For instance, banks have partnered with fintech companies to distribute digital credit cards, provide real-time virtual customer service, make digital payments more efficient, and streamline the online loan application process. Increasingly, community banks are seeking to use new technologies and services offered by fintech companies to meet what the Guide calls “evolving customer preferences.” Offering customers third-party fintech services can increase a bank’s competitiveness, but, as is always the case when partnering with vendors, it also introduces new risks.
The Guide focuses on six topics for banks to consider when conducting their due diligence inquiry and includes suggestions for sources of information as well as examples. The topics are:
Business Experience and Qualifications – Banks are advised to consider a fintech company’s business experience, strategic goals, and overall qualifications to provide the services the bank desires. The regulators recommend looking to complaints filed against the company, media reports, patents and licenses, and the backgrounds of the company’s directors and executives as sources of information when conducting due diligence.
Financial Condition – When considering a fintech’s financial condition, the regulators suggest looking to the company’s funding sources and internal documents, as well as any public filings and financial statements. The regulators also suggest reviewing the financials of the fintech’s competitors, where available, for comparison.
Legal and Regulatory Compliance – To evaluate a fintech’s legal and regulatory soundness, the regulators suggest evaluating the company’s formation documents, as well as any legal or regulatory complaints filed against the company, in addition to any public filings such as a Form 10-K.
Risk Management and Controls – The regulators recommend looking to a fintech’s policies and procedures, staffing, self-assessments, reports to directors, and other internal risk management practices, as well as to consider how the bank would incorporate the risk management and controls of the fintech into its own reporting and issue management processes.
Information Security – To evaluate a fintech’s information security, the Guide suggests looking to the company’s policies in areas such as access management, data center security, backup management, change management, and anti-malware. A bank should also evaluate the company’s policies addressing safeguarding and privacy laws and regulations. A written policy shows only what a company intends to do; as a practical matter, a bank should also ask for evidence that the described controls are actually in place and tested, rather than relying on the documents alone.
Operational Resilience – A bank should consider a fintech company’s ability to continue operations through a disruption. The regulators suggest that sources of information to consult for this topic include the fintech’s business continuity, disaster recovery and incident response plans, its policies and reliance on subcontractors, and evidence of its ability to meet existing service agreements.
While the above summary provides a snapshot of the Guide, community banks that are considering working with third-party fintech companies will need to give the Guide a thorough read-through, as well as follow their routine due diligence procedures. The Guide is not intended to be a comprehensive source of all the factors a bank will need to consider in the course of its due diligence, and banks continue to be subject to existing regulatory guidance on third-party risk management. In addition, in July 2021 the regulators issued “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” which contains many of the same points raised in the Guide. The comment period on the proposed guidance ends on September 17, 2021, and the guidance is likely to be finalized in substantially similar form. In the meantime, the Guide provides both a useful map of the regulators’ expectations and a helpful tool for meeting regulatory obligations.
The attorneys at Jordan Ramis stand ready to help community banks meet their regulatory and compliance obligations, and to respond to new and proposed changes to regulatory policy.
Gregory Zerzan is a Jordan Ramis PC attorney with legislative, regulatory, and cabinet agency experience who advises clients through their interactions with Congress and federal agencies. Contact him at firstname.lastname@example.org or (503) 598-7070.