Smoke abstract in blue and green,
ComplianceFinanza e Gestione06 luglio, 2023|Aggiornatoluglio 10, 2023

Fintech partnerships bring new questions to old practices

As published in Dodd-Frank Update

The notion of banks engaging in partnerships with other businesses is nothing new. Third-party partnerships have been a long-standing part of the banking industry. By shifting certain functions to third-parties, banks were able to focus more time and resources on core banking operations.

Recently, however, banks have also begun engaging in third-party partnerships with financial technology (fintech) companies to enhance and supplement core banking operations and services.

“Historically, the fintech-financial institution relationship appeared to be structured in a way – not intentionally ­– that resulted in less accountability,” John Levonick, senior partner at Garris Horn, said in an interview. This, he said, was because there was a lack of clarity in these relationships.

“What ended up happening was that the nature of the service may have otherwise triggered a licensable activity, and the concern historically was the regulators needed to hold someone accountable,” Levonick added. “If the technology firm is not directly regulated by the regulators, then they have to hold the financial institution accountable.”

The growth of fintechs and their partnerships with banks has significantly emerged following the days of the 2008 financial crisis, noted Wolters Kluwer Compliance Solutions Senior Director of U.S. Advisory Services Thomas Grundy.

“This has been building momentum and developing since the financial crisis,” Grundy said. “Many younger consumers were having difficulty finding suitable banking relationships.”

“Everything you read is about how to get your arms around the next generations,” Levonick said. To reach the age group of 18 to 32, he noted, banks need to bring a better user experience to the market, and tech firms know how to do that.

The pandemic accelerated the rate of fintech acceptance and adoption as consumers had to rapidly adapt to accessing financial services remotely, Grundy said.

Mutually beneficial arrangements

During the early days of the pandemic, traditional financial institutions needed to act quickly to find tools to keep business flowing, Wolters Kluwer Compliance Solutions Senior Advisor of Regulatory Strategy Timothy Burniston added. Many turned to fintechs to provide those tools, while the tech companies welcomed the financial institutions’ existing customers.

“There are mutually beneficial reasons for working together. The fintech often brings another way for a bank to deliver products to its own customer base, and grow that customer base,” Burniston said. “The fintech can often very efficiently reach markets that the bank can’t necessarily or wouldn’t necessarily reach at the same cost point. From the fintech’s perspective, it gives them the leverage or the relationships that banks already have with customers. And the fact that it brings them into a regulated environment helps with their own reputation in some ways.

“Recently, we’ve seen a lot of [banks] expanding their own deposit base as a result of the new relationships that the fintech firms are bringing in,” he added.

The fintech’s connection with the bank, Burniston suggests, gives consumers a greater sense of security that would not normally be felt with a typical uninsured depository institution.

“The bank brings the experience, the depth of knowledge relative to navigating the regulatory environment, and how to apply laws and regulations to everyday transactions,” Grundy said. “Furthermore, particularly in the case of payments and deposits, the movement of funds, and the ability to facilitate loan servicing and payments, banks have access to payment rails.”

Grundy noted that fintechs lack “legacy constraints.” This, he said, is a benefit to both sides of the partnership. While banks have the benefit of decades of experience, fintechs tend to be “more fluid in their thinking,” with a determination to get to market with products that can be implemented quickly and efficiently.

Levonick noted that as these relationships have grown, regulators have been relatively quick to utilize enforcement powers when necessary. He referred to the rise of “rent-a-charter” schemes that began popping up in the late 2010s. These schemes allowed for non-banks and fintechs to create partnerships with banks as a means to offer lending services that would otherwise be prohibited by state or federal regulations.

“That’s obviously proven to not be successful,” Levonick said. “Regulators have been able to penetrate that practice. And the traditional notion of asking you for permission versus forgiveness, that was kind of flipped on its head.

“Technology has grown so quickly, and the regulatory response has been slow,” he added. “The enforcement mechanism has been creating our policy. The norms of administrative law, where [regulators] propose a rule to address a problem, wait for comment and then promulgated regulation can’t move as quickly.

“I think we’re going to continue to see more of this,” Levonick continued. “But there appears to be better management and oversight by the financial institutions because there’s been evidence of regulators holding them accountable. Even though they might not control the process to ensure that they’ve got better transparency to the service provided, the nature of the service provided, the technology service provider is stepping into the shoes of financial institutions, ensuring that whoever the banking partner is or the client is, that they’re fulfilling the regulatory obligation of that entity.”

New guidance on third-party relationships

In the U.S., relationships between banks and third parties are overseen and regulated by the federal government through agencies including the Federal Deposit Insurance Corp. (FDIC), the Federal Reserve Board of Governors, the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). These prudential regulators have routinely issued regulations and guidance on third-party partnerships that emphasize the need for banks to carefully manage the risks associated with these relationships.

In June 2023, the OCC, Fed Board, and FDIC issued a long-anticipated joint update to the OCC’s 2013 guidance on risk management for banks engaging in third-party relationships. This new guidance, “Interagency Guidance on Third-Party Relationships: Risk Management,” provides regulated banks with an update on risk management expectations when working with third parties, including fintechs.

During the process of finalizing this guidance, commentors expressed concerns that the same level of expectations and scrutiny would be placed on the risk management processes of smaller banks with few resources as they would on larger banks with substantially more resources.

The guidance addresses this by noting that “not all third-party relationships present the same level or type of risk and therefore not all relationships require the same extent of oversight or risk management.” 

It also states that “as part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”

The guidance goes on to outline particular characteristics of critical activities that should be subject to more rigorous oversight and management by the bank. These characteristics include activities that could:

  • Cause a banking organization to face significant risk if the third party fails to meet expectations.
  • Have a significant impact on customers.
  • Have a significant impact on a banking organization’s financial condition or operations.

The agencies state that “it is up to each banking organization to identify its critical activities and third-party relationships that support these critical activities,” noting that an activity that is critical for one bank may not be critical for another. A primary focus of the new guidance is on how the regulators perceived the “life cycle” of a third-party relationship. This life cycle includes five key stages:

  • Planning.
  • Due diligence and third-party selection.
  • Contract negotiation.
  • Ongoing monitoring.
  • Termination.

During the planning stage, banks should be evaluating and considering how to manage risks before entering into a third-party relationship, the agencies stated. This will include determining the level of support being received by the third party and the degree of risk involved in the activities being supported.

Depending on the degree of risk and complexity of the third-party relationship, the agencies expect that a bank will typically consider the following factors, among others, in planning:

  • Understanding the strategic purpose of the business arrangement and how the arrangement aligns with a banking organization’s overall strategic goals, objectives, risk appetite, risk profile, and broader corporate policies.
  • Identifying and assessing the benefits and the risks associated with the business arrangement and determining how to appropriately manage the identified risks.
  • Considering the nature of the business arrangement, such as volume of activity, use of subcontractor(s), technology needed, interaction with customers, and use of foreign based third parties.
  • Evaluating the estimated costs, including estimated direct contractual costs and indirect costs expended to augment or alter banking organization staffing, systems, processes, and technology.
  • Evaluating how the third-party relationship could affect banking organization employees, including dual employees, and what transition steps are needed for the banking organization to manage the impacts when activities currently conducted internally are outsourced.
  • Assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries.
  • Understanding potential information security implications, including access to the banking organization’s systems and to its confidential information.
  • Understanding potential physical security implications, including access to the banking organization’s facilities.
  • Determining how the banking organization will select, assess, and oversee the third party, including monitoring the third party’s compliance with applicable laws, regulations, and contractual provisions, and requiring remediation of compliance issues that may arise.
  • Determining the banking organization’s ability to provide adequate oversight and management of the proposed third-party relationship on an ongoing basis.
  • Outlining the banking organization’s contingency plans in the event the banking organization needs to transition the activity to another third party or bring it in-house.

The importance of due diligence

As the planning stage concludes, it moves into the “due diligence and third-party selection” stage.

The scope and degree of due diligence should be proportionate with the level of risk and complexity of the third-party relationship.

“More comprehensive due diligence is particularly important when a third party supports higher-risk activities, including critical activities,” the guidance stated. “If a banking organization uncovers information that warrants additional scrutiny, the banking organization should consider broadening the scope or assessment methods of the due diligence.”

The guidance further advises that, when banks are considering entering into these partnerships with third-parties that do not have a long operational history, do not allow or have the capacity for “on-site” visits, or may not share or be permitted to share some information with the bank (all which are common with most fintechs), it is important that the bank identify and document these limitations during this due diligence stage. Understanding these types of limitations can allow for the bank to consider alternatives or develop plans to mitigate these risks before entering into a partnership.

A bank entering such a partnership, especially with a newer fintech, must be particularly engaged in this due diligence stage. Burniston points out that banks should be assessing these potential partners from the top down. Banks should be examining the third-party and “how it structures its compliance management system, including governance, policies, procedures, training, ongoing monitoring as well as the audit function.”
How the third-party handles customer complaints and manages its own relationships should also be assessed during this stage, Grundy added.

He went on to emphasize the importance of ensuring the third-party fintech has its own compliance infrastructure in place.

“I've seen [compliance] programs grow within fintechs over the past decade to having fully conforming processes guided by a qualified staff of compliance professionals,” Grundy said. “I'm seeing a lot of new [fintechs] just getting off the ground typically with one person managing compliance, when, in fact, it takes a team.”

As part of the due diligence stage, the agencies suggest a bank assess, among other things:

  • The third party’s overall business strategy and goals.
  • Any legal and regulatory compliance considerations associated with engaging a third party in its banking operations.
  • The available financial information and the financial condition of the third party.
  • The third party’s business experience and history.
  • The qualifications and background of key personnel and other human resources considerations.
  • The third party’s risk management policies, practices, and expectations.
  • The third party’s information security infrastructure and information systems management.
  • The third party’s operational resilience practices and ability to operate during and recover from disruptions and incidents.
  • The third party’s incident reporting and management processes.
  • Physical security and environmental controls are used to protect the safety of the third party’s people, facilities, technology, and data.
  • The third party’s reliance on subcontractors.
  • The third party’s insurance coverage.
  • The third party’s contractual commitments with other parties.

After the bank has satisfactorily completed the due diligence stage and has selected a third party to enter into a business relationship with, the bank must then begin contract negotiations. The guidance encourages banks to be mindful of any risks and limitations that may be faced through this partnership, so that mitigation tools and options can be negotiated into the contract.

Depending on the degree of risk and complexity of the third-party relationship, the agencies advise banks to consider the following factors, among others, during contract negotiations:

  • Any agreed upon, clearly defined performance measures or benchmarks for evaluating the performance of the third party.
  • Each party’s responsibilities related to the providing, receiving, and retaining of information, as well as each party’s rights to access each other’s data.
  • The right of the bank to perform audits and remediations when issues arise with the third party.
  • Each party’s responsibilities for compliance with applicable laws and regulations.
  • The rights and restrictions relating to the ownership and licensing of intellectual property, information, and technology.
  • Any expectations of confidentiality and integrity of sensitive information.
  • Each party’s operational resilience and business continuity expectations.
  • Procedures for default or termination of the third party.
  • Regulatory oversight and examination expectations.

During this stage, Levonick added the bank “needs to ensure that they've got in house skill sets that give them the ability to work hand-in-hand with the fintech, to understand what the fintech’s doing, and to ensure that the fintech is working in the best interest of the financial institutions.”

He continued: “The best way to do this is to have comprehensive agreements between the parties and to create comprehensive documentation, how the technology works, and not only reflect how the technology works, but how the technology fulfills the regulatory obligations of the financial institution. So when the fintech assumes a certain function that's historically been undertaken by the institution, the financial institution understands what the fintech’s doing and how they're doing it, and, most importantly, how the fintech’s are fulfilling the regulatory obligation of the financial institution and a certain acknowledgment that the financial institution is ultimately responsible for the fintech.

“There cannot be contractual elements that alleviate the financial institution from any traditional liability. They can't shift away their liabilities through crafty lawyering on their relationships. At the end of the day, our institutions will be held accountable, and they need to ensure that they are responsible and know when a question arises as to what the fintech’s doing, the institution better know exactly who is doing what, how it’s being done, and how it fulfills regulatory obligations.”

When a contract has been negotiated and agreed to by all relevant parties, and the bank and third-party begin their business relationship, the bank is expected to engage in ongoing monitoring of the third-party.

Typical monitoring activities include: 

  • review of reports regarding the third party’s performance and the effectiveness of its controls.
  • periodic visits and meetings with third-party representatives to discuss performance and operational issues.
  • regular testing of the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities.

A relationship with a third party will end with the termination of the relationship. This can happen for a variety of reasons. The agencies point out in their guidance that when this termination occurs, it is important that it be done efficiently and effectively without any further risk to either party or consumers.

Burniston and Grundy were both quick to point out that, even if this guidance is followed, there is still a fair amount of risk for banks that are entering into a relationship with a third-party fintech. These risks include reputational and cultural risks.

“There’s reputational risks for banks with firms that are, for example, new to the federally regulated environment, or have not been subject to routine examination,” Burniston noted. “If that fintech has problems, those problems will spill over to the bank and harm their reputation and present other risks.”

Burniston went on to say, “Business leaders must also evaluate whether the fintech firm and the bank are culturally aligned. Do they share similar interests in how they're going to serve their markets and do their cultures fit?”

Enjoy more features included in the Who’s My Regulator? report by clicking here.

This article features insights from:

Timothy Burniston
Senior Advisor, Regulatory Strategy

Timothy R. Burniston joined Wolters Kluwer in December 2011 to lead the company’s Risk and Compliance consulting practice. Under his leadership, the practice grew significantly in scope and now enjoys a national reputation for excellence.

Thomas Grundy
Senior Director, U. S. Advisory Services
With over 33 years of experience Thomas leverages his experience advising compliance and risk management executives on solutions to effectively manage risk in a complex and rapidly changing regulatory environment.
Back To Top