In July, we discussed the federal banking agencies' proposal to harmonize their respective risk management guidance. At the time, we highlighted three passages from the proposal that relate to the due diligence banking organizations should perform on third parties:
- In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party. For example, the third party may not have a long operational history or demonstrated financial performance.
- In order to facilitate or supplement a banking organization's due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations, or engage in joint efforts for performing due diligence to meet its established assessment criteria.
- In situations where it is difficult for a banking organization to negotiate contract terms, it is important for the banking organization to understand any resulting limitations, determine whether the contract can still meet the banking organization's needs, and determine whether the contract would result in increased risk to the banking organization.
The New Guide
Undoubtedly, these challenges resonate strongly with traditional community bankers, who are struggling to remain competitive and meet the growing demands for better technology but lack the greater resources of their larger peers or the FinTech savvy of some newer bank competitors. Recognizing these difficulties, the federal banking agencies—Federal Reserve Board (Board), Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—published Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide).
The Guide, which is voluntary and does not establish any new risk-management requirements, is "intended to be a resource for community banks when performing due diligence on prospective relationships with FinTech companies." It is organized as a table of descriptions and practical tips for each of six due diligence topics with several subtopics.
Due Diligence Topics in the Guide
- 1. Business Experience and Qualifications
- Business Experience
- Business Strategies and Plans
- Qualifications and Backgrounds of Directors and Company Principals
- 2. Financial Condition
- Financial Analysis and Funding
- Market Information
- 3. Legal and Regulatory Compliance
- Regulatory Compliance
- 4.Risk Management and Controls
- Risk Management and Control Processes
- 5. Information Security
- Information Security Program
- Information Systems
- 6. Operational Resilience
- Business Continuity Planning and Incident Response
- Service Level Agreements
- Reliance on Subcontractors
The reader-friendly Guide provides a description of what a community bank should be looking for when it evaluates a potential FinTech provider with respect to each of the six topics. For example, as part of reviewing the FinTech company's risk management and control processes, the bank should ask whether the company has reports from an audit function and "may also consider how it would incorporate such reporting into the bank's own issue management processes."
The agencies understand that community banks may not have extensive experience conducting this kind of due diligence, and for each topic the Guide provides a list of potential sources of information that a community bank could use. Under the Legal subtopic, for example, the Guide suggests requesting a potential provider's organizing documents and certificates of good standing, searching for lawsuits, settlements, and enforcement actions, and reviewing the company's 10-K and 10-Q filings.
The Guide helpfully provides illustrative examples for each of the six main due diligence topics. These examples provide realistic hypotheticals to help community banks figure out what to include in their due diligence process. The illustrative example under Information Security demonstrates this practical approach, such as including this advice:
The bank may also consider risks and related controls pertaining to its customers' data, in the event of the FinTech company's security failure. Also, contractual terms that authorize a community bank to access FinTech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.
Additional Resources and Commentary
Shortly after the federal agencies jointly issued the Guide, the Board released a paper titled Community Bank Access to Innovation through Partnerships (Paper). The Paper summarizes the insights gathered by the Board over the course of several outreach discussions with community bankers. The purpose of the paper is to facilitate sharing of experiences among banks that have experience dealing with the challenges of establishing FinTech partnerships.
Community bankers may find the description of the various types of FinTech partnerships to be particularly useful. The Paper describes three broad types of partnerships: operational technology, customer-oriented, and front-end FinTech partnerships, including the benefits, risks, and challenges with each.
The Paper then discusses the key elements for implementing an effective FinTech strategy, based on the experience of community bankers. Based on their first-hand experiences, community bankers indicated that:
[F]intech partnerships were most effective when three elements [are] present: a commitment to innovation across the community bank; alignment of priorities and objectives of the community bank and its fintech partner; and a thoughtful approach to establishing technical connections between the parties, including the bank, fintech, and the bank's core services provider.
Finally, the Paper also shares specific concerns from community bankers, including that:
Some community bankers expressed a reluctance to be first to engage in a relationship with a less established fintech, with many participants articulating a strategy of being on the "leading edge" instead of the "bleeding edge." For some community bankers, this hesitation to engage with less established fintechs reflected concerns about solvency and a prospective partner's ability to remain a going concern while their products were being developed or implemented.
Community bankers will certainly relate to many of opinions and difficulties shared by those who participated in the Board's discussions. The insights in the Paper will prove useful as more community banks engage FinTech partners.
The Paper is consistent with other recent initiatives of the federal banking agencies that underscore the criticality of traditional community banks getting on the FinTech bandwagon. In a speech on Community Banks and Digital Innovation in June of this year, Patrick Harker, President and CEO of the Federal Reserve Bank of Philadelphia, stressed the importance of responsible financial innovation and discussed the opportunities and challenges it presents to community banks.
Also this year, in her article, Technological Innovation is Essential to the Future of Community Banking in America, Board Governor Michelle Bowman, a former community banker and state banking supervisor, stressed the importance of community banks successfully implementing effective FinTech solutions. While Governor Bowman acknowledges the difficulties facing community banks in "identify[ing] a technologically compatible partner that aligns with their overall strategy and risk appetite," she urges them to meet that challenge because "community banks that fall behind . . . run the risk of being at a competitive disadvantage or of failing to meet the needs of the communities they serve."
Customer demand and competition will continue to push community banks to adopt more complex and sophisticated—and in some cases, riskier—FinTech products and services. Unlike their larger or more tech-savvy peers, most traditional community banks do not have the means either to develop FinTech in-house or to exhaustively diligence potential providers.
The two new resources from the federal banking agencies, the Guide and the Paper, will help community bankers focus their due diligence of FinTech providers and get a better understanding of the risks and mitigation strategies relating to FinTech partnerships.