
The BT TrustScore™ Blog

As many within the financial industry have noted, over the past several decades financial products, services, and methods to meet customers’ needs have continued to evolve. More recently, we’ve seen what is tantamount to a revolution of innovation moving far more quickly to satiate customer demands. This revolution of technology and ideas often acts as a double-edged sword. On one side, increased demand can create more customer options and positive impacts on pricing and speed of service. On the other side, efforts to meet increased demand for options and speed can affect the design and implementation of products and services, which may not adequately or appropriately prioritize compliance, security, and governance considerations.


BalancedTrust bridges the gap between banks and Fintechs

As financial services continue to evolve, financial institutions are partnering with fintech companies to expand product options and customer base, generate income, and keep pace with customer demands. Third-party risk management is a dual responsibility – and it can be a sharp and dangerous sword if both sides of a partnership do not take compliance and governance obligations seriously. Just last week the Federal Banking Agencies issued a Request for Information on this very topic, asking how these partnerships work, how responsibility for compliance is delegated, and how key risks are properly managed. This is not a punitive move; it should be seen as an opportunity to inform updates to law, regulation, or supervisory guidance. It’s time to show the regulators how it can work well for all parties: show that these innovative partnerships can meet customer demands while maintaining the integrity of the financial system and preventing potential consumer harm.


A change in perspective will go a long way for both financial institutions and Fintechs in this endeavor. As stated above, innovation and technology advances are moving rapidly, and law and regulatory guidance can’t keep pace. So, part of the challenge with this level of agility and speed is understanding where a product, service, rail, customer type, etc. fits within the regulatory landscape. Instead of analyzing a product or service through the lens of “but the definition doesn’t . . .” or “historically . . .” or “no one else requires that . . .”, think about the purpose of the law, regulation, or supervisory guidance. What was the intent of that guidance? What was it trying to protect, promote, prohibit, or prevent? What are the framework, criteria, and characteristics of the guidance? Speaking from experience, most guidance documents are intentionally drafted to inform the audience of how to think about risk management rather than to dictate specific, required actions. This permits flexibility and addresses many different facts-and-circumstances situations. Innovation is thinking outside of the box. Responsible innovation is not completely ignoring or squashing parts of the box without understanding why it was square in the first place.


Financial institutions looking to partner with a fintech or stand up a BaaS program should approach this activity in the same way they would if introducing a new line of business or supporting a new business type. You wouldn’t begin to offer commercial lending or wealth management products, or provide services to companies involved in cannabis sales, without having expert resources on hand to understand the operations, compliance requirements, and risk management expectations for those products. The same standards should govern partnerships with a fintech. Bank teams must take the time to understand the fintech space and its different models and use cases. This isn’t a one-size-fits-all arena – “commercial payments” is a very broad category with multiple different use cases. The bank should first understand why it is looking to partner with Fintechs. The program discussion should further explore which use cases match up to the bank’s risk appetite, resources, and expertise to implement and govern the relationship and, more importantly, which do not.


Fintechs looking to “fast track” sponsor bank engagements need to remember what the “fin” in fintech represents. I’ve heard too many times, “But, we’re not a bank!” No, but you want to provide financial services. If the product you offer looks like, acts like, and sounds like financial services – guess what, you might be quacking! This means bringing the right folks together as a team to understand all the potential compliance and risk management implications as the product is being designed and built, not scrambling to draft an answer, flowchart, or policy when a sponsor bank requests it. Accept and embrace the fact that your sponsor bank will review and, in many instances, need to approve your compliance program policies and processes. I’m not suggesting that the fintech shouldn’t push back when warranted. But a good way to differentiate your fintech is to show that it’s not just good intentions: you understand your role in the ecosystem and have prioritized risk management protocols appropriately.


I know that this message may not immediately be embraced by all audiences. But regulatory change and additional guidance are on the horizon. We have an opportunity to inform and influence expectations. My advice to both financial institutions and Fintechs is simple. Instead of challenging regulatory oversight as intrusive and demanding “frictionless” requirements in all instances, work with the regulators to help them understand what guidance currently covers relationships and use cases, and where there are gaps and risk management topics that need to be addressed. Updated guidance should be viewed as a good thing. It will ultimately level the playing field so there is clarity of expectations across this vertical. If you don’t engage in this process with the intention of informing rather than complaining, there’s a good chance you will not favor the results. Think about the energy certain factions exerted lobbying against Know Your Customer requirements versus the resulting Customer Identification Program requirements. A step in the right direction is understanding the risk profile of the business and use case(s) you offer or sponsor. An honest assessment of risk is the key to understanding regulatory expectations. In our next installment we’ll walk through the risk assessment process.


Kimberly Hebb, Co-Founder & CRO of BalancedTrust


Over the past six months, we’ve seen various federal banking regulators issue formal enforcement actions that focus on risk management deficiencies related to Banking as a Service (“BaaS”) programs. There are several common threads to all of these enforcement actions. Noted deficiencies include insufficient third-party due diligence and risk management, and failure to implement appropriate governance of delegated compliance functions. At the same time, articles, blogs, and social media comments have emerged that seem to advance what I believe are misconceptions. Namely:


  1. The standards and supervisory expectations for fintechs and banking relationships with fintechs are new and not fully understood.

  2. The regulators do not support BaaS programs and similar relationships between financial institutions and Fintechs.

 

The deficiencies between Banks and Fintechs

Let’s take a moment to dispel these interpretations. Yes, it’s true that the Federal Banking Agencies consolidated their independent third-party risk management supervisory guidance documents last June. But a careful and honest read of the surviving document will note no new expectations. The consolidated guidance basically rolled up existing expectations and subsequent clarifications issued by the agencies since 2013. The introduction to the 2023 guidance specifically reiterates that the terms “business relationship” and “third-party relationship” are intentionally broad to cover various types of third-party relationships. Financial technology companies are not new entrants to the industry – think core processors and bankers’ banks. What has changed is the nature of the relationship between the banks and the fintechs. That relationship has morphed from vendor to partner or sponsor, or somewhere in between. What hasn’t morphed as quickly is the understanding by banks that the third-party risk management expectations are not limited to vendors but extend to BaaS programs and similar relationships. The onus continues to remain on the financial institution to understand the nature of the third-party relationship and implement appropriate controls and governance commensurate with the risk of that relationship. And, let’s be honest, if the FBAs prescribed what types of relationships were higher risk (instead of identifying risk characteristics, as they did), banks and Fintechs alike would claim the regulators were overstepping.


And no, the federal regulators aren’t gunning for Fintechs and BaaS programs. The FBAs have divisions or offices dedicated to understanding industry innovation, providing guidance, and encouraging responsible innovation that balances customer demands with maintaining the integrity and stability of the industry. Earlier this year, FinCEN requested information on CIP data requirements and the use of automated augmentation of data. What we are seeing with respect to recent enforcement actions is a simple cause-and-effect relationship. Historically, the financial industry has evolved, but at a much slower pace than we’ve witnessed over the past decade. Fintechs that partner with a bank in the provision of financial services have grown exponentially. These companies benefit from engineering agility that, combined with ever-increasing customer demands for financial services, has resulted in a revolution of innovation, customer options, and, yes, some concerns. As with anything else, increased adoption equals increased awareness, which in turn results in increased oversight. Simply based on the numbers, more examinations and identified deficiencies were to be expected.


Third-Party Due Diligence

There is good news: as I stated above, the regulators have not introduced any new third-party risk management expectations. The risk criteria, characteristics, and risk management standards also remain unchanged. The key is to step outside of the “we’ve always done it this way” box. Instead of requiring a specific control, think about what risk you are trying to manage. More importantly, can that risk be properly managed using different types of controls that are more appropriate for the nature of the relationship between the bank and the fintech? For example, CCTV has traditionally been used to monitor public and private spaces, but it may or may not be an appropriate control to monitor access in a cloud-based information security environment.


In this blog series, we’ll explore how banks and Fintechs can partner successfully to meet the risk management lifecycle supervisory expectations. Specifically, we’ll discuss actions that both Fintechs and sponsor financial institutions can take when engaging in third-party relationships to provide financial services that will not summon the ire or enforcement pen of the regulators. Those actions not only assist entities in complying with consumer protection laws and regulations, but also protect both the financial institution and the fintech from potential fraud or from being used as a conduit for nefarious transactions, inform pricing decisions, and lead to the expansion of innovative financial services that benefit all parties.


In the coming weeks, we’ll discuss the following third-party risk management topics:

- Intentional Compliance

- Being Honest About Your Risk Profile: BaaS Programs and Fintechs

- Due Diligence: Onboarding and Monitoring

- Direct vs. Delegated Compliance Functions: What to Review, When, and How

- Governance Expectations: Banks and Fintechs


Kimberly Hebb, Co-Founder & CRO of BalancedTrust


Fintech companies are not new to the financial industry. For years, financial institutions have used fintechs to assist in the maintenance of their customer account relationships. In these types of bank–fintech relationships, the fintech rarely if ever had direct contact with the bank’s customers except to perform duties on behalf of the bank. More recently, fintechs have emerged to provide financial services in new and innovative ways that often cater to a consumer’s desire for increased speed, access to systems, or niche services (where some banks fear to tread). Whether a fintech seeks to provide services as an extension of bank services or independently with a bank as its sponsor, many fintechs are faced with the harsh reality that the Sponsor Bank Dating Game is not for the faint of heart.





Banks have historically implemented third-party risk management protocols for entities and individuals that are conducting activities on behalf of the bank. While the bank can outsource functions, it cannot outsource responsibility. Third-party risk management programs enable a bank to properly vet a third party to understand whether it can reasonably rely on that entity to perform in compliance with law and regulation and with bank policy.


As banks began dipping a toe in the fintech sponsorship waters, some delegated key compliance and consumer protection functions to those fintechs. While delegation is not generally prohibited, it imposes oversight responsibilities on the bank. New fintechs entering the landscape seeking bank sponsorships, as well as fintechs with existing sponsorship relationships, are finding that banks have introduced new and/or enhanced third-party risk management requirements for engagement. These changes have been prompted by regulatory scrutiny, bank risk appetites, and some of the underlying factors for recent bank failures.


So, how does a fintech get a potential sponsor bank to “swipe right”? The first step is setting up your profile to get a bank’s attention in the right way. Whether it’s a slide deck, intro packet, or meeting, your team should demonstrate an understanding of and familiarity with the consumer protection laws and regulations that are applicable to the products and services you provide. Many fintechs understand what consumers want, but often have little or no experience in understanding the legal requirements for consumer protection, fraud, and anti-money laundering protocols. Even more important is an understanding of how your fintech’s product fits within the regulatory space. Most laws, regulations, and supervisory guidance haven’t kept pace with the financial innovations being developed daily. Many bankers are immediately “turned off” if the fintech lacks an understanding of the risk inherent in its product or of the application of laws and regulations to its business use case.





Also, be careful not to throw up red flags in the process. Fintechs pride themselves on being innovative – being the first to try it this way or introducing a new concept. Understand that language matters when explaining these concepts to bankers. There are specific terms either defined within laws and regulations or considered terms of art in the industry. Using these terms correctly will keep you out of rabbit holes that can derail the courtship.


The next step is to avoid being a “Compliance Catfish”. Be prepared to share policies, procedures, data flow charts, funds flow charts, and details about your company’s structure. Also understand that a bank sponsorship relationship will open your fintech up to regulatory review as part of a bank program examination. Don’t represent that you have compliance program components that you either don’t have or have yet to implement. Be honest – a meaningful thought process goes a long way. Let the bank know what is on your roadmap and how you’ve prioritized implementation. Bankers understand that consumer protection, fraud, and anti-money laundering protocols take time to implement properly. Having a frank discussion may delay a “go live” date until certain systems are tested and running, but it also might get you that second date.


Some key compliance program components that fintechs should consider developing are listed below. The level and depth of your program implementation should be commensurate with the risk inherent in the product, service, customer type, and jurisdictions served.

- Information Security

- BSA/AML

- OFAC

- Consumer Protection

- Complaints & Inquiries

- Audit & Review

- Training

- Reporting





This bank courtship process can be long and seemingly cumbersome, so remember to have fun. Yes, I said have fun – but then again, I am a compliance geek! Remember “Comply or Die” until the next blog!


Kimberly Hebb, Co-Founder & CRO of BalancedTrust
