
The BT TrustScore™ Blog

In the previous two blog installments, I discussed the “State of the BaaS Union” and the benefit of putting in the effort to understand the intent behind laws, regulations, and supervisory guidance as they may relate to a program or fintech business model. As we head into Halloween season, I think it’s only fitting to chat about what some in fintech leadership consider a scary subject – their risk profile. No matter the type of fintech or the industry tenure of its leadership, there seems to be a mental block when it comes to acknowledging their risk profile. Simply put, no one thinks that their line of business or model is moderate risk, let alone higher risk. Picture it: northern Colorado, circa 2019, and I’m sitting in an initial team meeting with a newer fintech to discuss compliance and risk management needs. As I walk through the details, I casually note that the fintech’s business use case is considered higher risk for BSA/AML purposes. Before I start discussing the internal controls needed to properly manage that risk, I look around the table and stop when I see the faces of the leadership team. The looks I received ranged from shock and disbelief to truly offended.



The discussion that followed went something like, “But, it’s just payments.” “We only enable payments for bills and invoices.” “The card network didn’t say we were high risk.” And my personal favorite (NOT): “[insert other fintech name here] doesn’t consider itself high risk!” It was as if they forgot why they brought us on board – to assess the company’s risk profile and build an enterprise risk governance program to properly manage that risk. Doing this successfully requires not only experience and expertise, but more importantly an honest approach. What exactly does that mean? First, it means understanding that a product or service that is considered higher risk is not a bad thing. Being labeled as higher risk isn’t tantamount to getting a detention slip or being sent to the principal’s office. It simply means there is more exposure to non-compliance with law or regulation, or to misuse by actors with nefarious intent, and that risk exposure must be properly managed. It also requires understanding how a risk profile is determined and that there are four components to consider equally. These components are inherent risk, risk management, residual risk, and direction of risk.

Components of a Risk Profile

Let’s start with inherent risk, which is basically an accounting of the quantity of risk inherent in the product, service, customer, and geography a company wishes to offer or facilitate. If we use a payments fintech as a model, supervisory guidance clearly indicates that electronic transactions are considered higher risk for AML concerns. Why? Some of the factors that increase the risk profile of electronic transactions include the speed of the transaction, lack of transparency (think card-not-present transactions), or lack of a direct relationship with the end-user, any of which can increase the potential for money laundering, fraud, and identity theft. Now, layer in foreign customers or jurisdictions, newer and innovative products and payment rails that may or may not fit clearly within the regulatory framework, and higher-risk business types (hey crypto folks, I’m looking at you). Each risk factor adds exposure and cumulatively increases inherent risk. And when you add in a consumer product component, there is a host of consumer protection laws and regulations on top of AML considerations that need to be managed.

The good news, as I noted earlier, is that higher risk is not a bad thing. It just needs to be properly managed with internal controls, systems, and processes. Even better, there is an abundance of information regarding expected risk management practices. Some risk management controls are non-negotiable, like laws and regulations or network rules based on program type. Others, issued by oversight authorities, allow for flexibility based on the business model and provide a framework for a risk-based approach. An example of the distinction is the requirement to conduct CIP (or KYC) for new accountholders. The regulation doesn’t permit interpretations regarding the data collection and verification of net new customers, but it does provide for flexibility in the methodology for how a fintech or bank conducts verification. The key is that the quality of risk management controls implemented should be commensurate with the risk inherent in the products, services, and customers supported. That means if the inherent risk in the products or services offered is considered higher risk, stronger internal controls are required; in this case basic or baseline risk management is not sufficient. This is a time when a “satisfactory” program isn’t actually satisfactory.

In my experience, even more potentially problematic is the misunderstanding that residual risk (the aggregate or remaining risk once internal controls are in place) replaces inherent risk. Properly managed risk does not equate to “the inherent risk went away”. This thought process is unfortunately common among both bankers and fintech folks. The inherent risk of a business use case or model remains the same unless specific higher risk characteristics of the use case are changed or that use case is retired. The challenge to the mindset of residual risk prioritization is complacency. When things are running smoothly and risk is properly managed, too often the actual inherent risk exposure is forgotten. As companies grow and add to product offerings, shifting resources and priorities instead of expanding them can effectively end up robbing Peter to pay Paul. I’m by no means a troglodyte and embrace the philosophy of work smarter, not harder. But far too often, these changes, characterized as doing more with less, don’t translate to doing better, just to doing more with less – which is not a good thing when it comes to risk management. If the internal controls or risk management processes are not prioritized, are changed in a negative manner, or fail . . . inherent risk has a way of rearing its ugly head. It is imperative that both banks and fintechs seriously consider this when making decisions about offering a new product or line of business, expanding their footprint by jurisdiction, vertical, or customer type, attempting to fully automate processes, or addressing balance sheet issues with staff or system reductions.

Finally, I want to remind everyone that the risk assessment and risk management process is not a set-it-and-forget-it function. Risk assessment should be a continuous process and not prompted only by an expansion of services, a new law or regulation, or identification of non-compliance. Perhaps the most valuable and underrated component of the risk assessment and management process is understanding a company’s direction of risk. The direction of risk takes into consideration known variables on the horizon. This may include plans to scale current product offerings or expand customer base and jurisdictions, which may increase the quantity of inherent risk. It could be plans to remediate identified noncompliance issues that may decrease residual risk. And it may be a new law or regulation with a future effective date that requires a review of, and possible changes to, internal controls. These types of known variables should inform a roadmap of work to continue to implement an effective risk management program that keeps pace with the business. This can be a challenge for some fintechs that focus only on the current scrum or issue to be fixed. Even more challenging is that while fintechs purport to be quite different from their chartered counterparts, many have fallen into the same trap and siloed their engineering and product teams in the same way many banks silo their lines of business. This practice is counter to a defined risk management roadmap based on strategic goals and milestones and often creates more work to integrate and streamline internal controls.

At the end of the day, recognizing your true risk profile should be considered a win-win. Once you understand the inherent risk in your business model and use case, you can make a plan to properly manage that risk. Not acknowledging your risk profile is kind of like asking for a Halloween trick instead of candy. It’s far scarier not to know the risk and exposure your company faces than to acknowledge your risk profile and put a plan together to properly address it. This is key to getting in front of any concerns or questions from regulators, auditors, investors, or prospective sponsor banks. So, in this fall season, don’t treat risk assessment and management like a costume that you pull out of the closet once a year and hope to win the contest. Make it a part of your company’s daily routine.


Kimberly Hebb, Co-Founder & CRO of BalancedTrust


As many within the financial industry have noted, over the past several decades financial products, services, and methods to meet customers’ needs have continued to evolve. More recently, we’ve seen what is tantamount to a revolution of innovation moving far more quickly to satiate customer demands. This revolution of technology and ideas often acts as a double-edged sword. On one side, increased demands can create more customer options and positive impacts on pricing and speed of services. On the other side, efforts to meet increased demands for options and speed can result in products and services whose design and implementation do not adequately or appropriately prioritize compliance, security, and governance considerations.


BalancedTrust bridges the gap between banks and Fintechs

As financial services continue to evolve, financial institutions are partnering with fintech companies to expand product options and customer base, generate income, and keep pace with customer demands. Third-party risk management is a dual responsibility – and it can be a sharp and dangerous sword if both sides of a partnership do not take compliance and governance obligations seriously. Just last week the Federal Banking Agencies issued a Request for Information on this very topic, asking how these partnerships work, how responsibility for compliance is delegated, and how key risks are properly managed. This is not a punitive move but should be seen as an opportunity to inform updates to law, regulation, or supervisory guidance. It’s time to show the regulators how it can work well for all parties. Show that these innovative partnerships can meet customer demands while maintaining the integrity of the financial system and preventing potential consumer harm.


A change in perspective will go a long way for both financial institutions and Fintechs in this endeavor. As stated above, innovation and technology advances are moving rapidly, and law and regulatory guidance can’t keep pace. So, part of the challenge with this level of agility and speed is understanding where a product, service, rail, customer type, etc. fits within the regulatory landscape. Instead of analyzing a product or service using the lens of “but the definition doesn’t . . .” or “historically . . .” or “no one else requires that . . .”, think about the purpose of the law, regulation, or supervisory guidance. What was the intent of that guidance? What was it trying to protect, promote, prohibit, or prevent? What are the framework, criteria, and characteristics of the guidance? Speaking from experience, most guidance documents are intentionally drafted to inform the audience of how to think about risk management rather than to dictate specific, required actions. This permits flexibility and addresses many different fact patterns and circumstances. Innovation is thinking outside of the box. Responsible innovation is not completely ignoring or squashing parts of the box without understanding why it was square in the first place.


Financial institutions looking to partner with a fintech or stand up a BaaS Program should approach this activity in the same way they would if introducing a new line of business or supporting a new business type. You wouldn’t begin to offer commercial lending or wealth management products, or provide services to companies involved in cannabis sale, without having expert resources on hand to understand the operations, compliance requirements, and risk management expectations for those products. The same standards should govern partnerships with a fintech. Bank teams must take the time to understand the fintech space and its different models and use cases. This isn’t a one-size-fits-all arena - “commercial payments” is a very broad category with multiple different use cases. The bank should first understand why it is looking to partner with Fintechs. The program discussion should further explore which use cases match up to the bank’s risk appetite, resources, and expertise to implement and govern the relationship and, more importantly, which do not.


Fintechs looking to “faster track” sponsor bank engagements need to remember what the “fin” in fintech represents. I’ve heard too many times, “But, we’re not a bank!” No, but you want to provide financial services. If the product you offer looks like, acts like, and sounds like financial services – guess what, you might be quacking! This means bringing the right folks together as a team to understand all the potential compliance and risk management implications while the product is being designed and built, not scrambling to draft an answer, flowchart, or policy when a sponsor bank requests it. Accept and embrace the fact that your sponsor bank will review and, in many instances, need to approve your compliance program policies and processes. I’m not suggesting that the fintech shouldn’t push back when warranted. But a good way to differentiate your fintech is to show that it’s not just good intentions: you understand your role in the ecosystem and have prioritized risk management protocols appropriately.


I know that this message may not immediately be embraced by all audiences. But regulatory change and additional guidance are on the horizon. We have an opportunity to inform and influence expectations. My advice to both financial institutions and Fintechs is simple. Instead of challenging regulatory oversight as intrusive and demanding “frictionless” requirements in all instances, work with the regulators to help them understand what guidance currently covers relationships and use cases, and where there are gaps and risk management topics that need to be addressed. Updated guidance should be viewed as a good thing. It will ultimately level the playing field so there is clarity of expectations across this vertical. If you don’t engage in this process with the intention of informing rather than complaining, there’s a good chance you will not favor the results. Think about the energy certain factions exerted lobbying against Know Your Customer requirements versus the resulting Customer Identification Program requirements. A step in the right direction is understanding the risk profile of the business and use case(s) you offer or sponsor. An honest assessment of risk is the key to understanding regulatory expectations. In our next installment we’ll walk through the risk assessment process.


Kimberly Hebb, Co-Founder & CRO of BalancedTrust


Over the past six months, we’ve seen various federal banking regulators issue formal enforcement actions that focus on risk management deficiencies related to Banking as a Service (“BaaS”) programs. There are several common threads to all of these enforcement actions. Noted deficiencies include insufficient third-party due diligence and risk management, and failure to implement appropriate governance of delegated compliance functions. At the same time, articles, blogs, and social media comments have emerged that seem to put forward what I believe are misconceptions. Namely:


  1. The standards and supervisory expectations for fintechs and banking relationships with fintechs are new and not fully understood.

  2. The regulators do not support BaaS programs and similar relationships between financial institutions and Fintechs.

The deficiencies between Banks and Fintechs

Let’s take a moment to dispel these interpretations. Yes, it’s true that the Federal Banking Agencies consolidated their independent third-party risk management supervisory guidance documents last June. But a careful and honest read of the surviving document will reveal no new expectations. The consolidated guidance basically rolled up existing expectations and subsequent clarifications issued by the agencies since 2013. The introduction to the 2023 guidance specifically reiterates that the terms “business relationship” and “third-party relationship” are intentionally broad to cover various types of third-party relationships. Financial technology companies are not new entrants to the industry - think core processors and bankers’ banks. What has changed is the nature of the relationship between the banks and the fintechs. That relationship has morphed from vendor to partner or sponsor, or somewhere in between. What hasn’t morphed as quickly is the understanding by banks that the third-party risk management expectations are not limited to vendors but extend to BaaS programs and similar relationships. The onus continues to remain on the financial institution to understand the nature of the third-party relationship and implement appropriate controls and governance commensurate with the risk of that relationship. And, let’s be honest, if the FBAs prescribed what types of relationships were higher risk (instead of identifying risk characteristics like they did), banks and Fintechs alike would claim the regulators were overstepping.

And no, the federal regulators aren’t gunning for Fintechs and BaaS programs. The FBAs have divisions or offices dedicated to understanding industry innovation, providing guidance, and encouraging responsible innovation that balances customer demands with maintaining the integrity and stability of the industry. Earlier this year, FinCEN requested information on CIP data requirements and the utilization of automated augmentation of data. What we are seeing with respect to recent enforcement actions is a simple cause and effect relationship. Historically, the financial industry has evolved, but at a much slower pace than we’ve witnessed over the past decade. Fintechs that partner with a bank in the provision of financial services have grown exponentially. These companies benefit from engineering agility that, combined with ever-increasing customer demands for financial services, has resulted in a revolution of innovation, customer options, and yes - some concerns. As with anything else, increased adoption equals increased awareness, which in turn results in increased oversight. Simply based on the numbers, more examinations and identified deficiencies were to be expected.

Third-Party Due Diligence

There is good news - as I stated above, the regulators have not introduced any new third-party risk management expectations. The risk criteria characteristics and risk management standards also remain unchanged. The key is to step outside of the “we’ve always done it this way” box. Instead of requiring a specific control, think about what risk you are trying to manage. More importantly, can that risk be properly managed using different types of controls more appropriate for the nature of the relationship between the bank and the fintech? For example, CCTV has traditionally been used to monitor public and private spaces, but it may or may not be an appropriate control to monitor access in a cloud-based information security environment.

In this blog series, we’ll explore how banks and Fintechs can partner successfully to meet the risk management lifecycle supervisory expectations. Specifically, we’ll discuss actions that both Fintechs and sponsor financial institutions can take when engaging in third-party relationships to provide financial services that will not summon the ire or enforcement pen of the regulators. Those actions not only help entities comply with consumer protection laws and regulations, but also protect both the financial institution and fintech from potential fraud or being used as a conduit for nefarious transactions, inform pricing decisions, and lead to the expansion of innovative financial services that benefit all parties.


In the coming weeks, we’ll discuss the following third-party risk management topics:

- Intentional Compliance

- Being Honest About Your Risk Profile: BaaS Programs and Fintechs

- Due Diligence: Onboarding and Monitoring

- Direct vs. Delegated Compliance Functions: What to Review, When, and How

- Governance Expectations: Banks and Fintechs


Kimberly Hebb, Co-Founder & CRO of BalancedTrust
