
Unpopular Opinion - But Someone Needs to Say It

Over the past six months, we’ve seen various federal banking regulators issue formal enforcement actions that focus on risk management deficiencies related to Banking as a Service (“BaaS”) programs. There are several common threads across these enforcement actions. Noted deficiencies include insufficient third-party due diligence and risk management, and failure to implement appropriate governance of delegated compliance functions. At the same time, articles, blogs and social media comments have emerged that advance what I believe are two misconceptions. Namely:


  1. The standards and supervisory expectations for fintechs, and for banks’ relationships with fintechs, are new and not fully understood.

  2. The regulators do not support BaaS programs and similar relationships between financial institutions and fintechs.


The deficiencies between Banks and Fintechs

Let’s take a moment to dispel these interpretations. Yes, it’s true that the Federal Banking Agencies (FBAs) consolidated their independent third-party risk management supervisory guidance documents last June. But a careful and honest read of the surviving document will find no new expectations. The consolidated guidance essentially rolled up existing expectations and the subsequent clarifications issued by the agencies since 2013. The introduction to the 2023 guidance specifically reiterates that the terms “business relationship” and “third-party relationship” are intentionally broad to cover various types of third-party relationships. Financial technology companies are not new entrants to the industry - think core processors and bankers’ banks. What has changed is the nature of the relationship between the banks and the fintechs. That relationship has morphed from vendor to partner or sponsor, or somewhere in between. What hasn’t morphed as quickly is banks’ understanding that the third-party risk management expectations are not limited to vendors but extend to BaaS programs and similar relationships. The onus remains on the financial institution to understand the nature of the third-party relationship and to implement controls and governance commensurate with the risk of that relationship. And, let’s be honest, if the FBAs had prescribed which types of relationships were higher risk (instead of identifying risk characteristics, as they did), banks and fintechs alike would claim the regulators were overstepping.


And no, the federal regulators aren’t gunning for fintechs and BaaS programs. The FBAs have divisions or offices dedicated to understanding industry innovation, providing guidance, and encouraging responsible innovation that balances customer demands with maintaining the integrity and stability of the industry. Earlier this year, FinCEN requested information on CIP data requirements and the use of automated data augmentation. What we are seeing with respect to recent enforcement actions is a simple cause-and-effect relationship. Historically, the financial industry has evolved, but at a much slower pace than we’ve witnessed over the past decade. The number of fintechs that partner with a bank to provide financial services has grown exponentially. These companies benefit from engineering agility that, combined with ever-increasing customer demand for financial services, has produced a revolution in innovation, customer options, and yes - some concerns. As with anything else, increased adoption brings increased awareness, which in turn results in increased oversight. Simply based on the numbers, more examinations and more identified deficiencies were to be expected.


Third-Party Due Diligence

There is good news - as I stated above, the regulators have not introduced any new third-party risk management expectations. The risk criteria, risk characteristics and risk management standards also remain unchanged. The key is to step outside of the “we’ve always done it this way” box. Instead of requiring a specific control, think about what risk you are trying to manage. More importantly, can that risk be properly managed using different types of controls that are more appropriate to the nature of the relationship between the bank and the fintech? For example, CCTV has traditionally been used to monitor public and private spaces, but it may or may not be an appropriate control for monitoring access in a cloud-based information security environment.


In this blog series, we’ll explore how banks and fintechs can partner successfully to meet the supervisory expectations for the risk management lifecycle. Specifically, we’ll discuss actions that both fintechs and sponsor financial institutions can take when engaging in third-party relationships to provide financial services, so as not to summon the ire or enforcement pen of the regulators. Those actions not only help entities comply with consumer protection laws and regulations, but also protect both the financial institution and the fintech from potential fraud or from being used as a conduit for nefarious transactions, inform pricing decisions, and lead to the expansion of innovative financial services that benefit all parties.


In the coming weeks, we’ll discuss the following third-party risk management topics:

- Intentional Compliance

- Being Honest About Your Risk Profile: BaaS Programs and Fintechs

- Due Diligence: Onboarding and Monitoring

- Direct vs. Delegated Compliance Functions: What to Review, When, and How

- Governance Expectations: Banks and Fintechs


Kimberly Hebb, Co-Founder & CRO of BalancedTrust


1 Comment

Guest
Jul 26
Rated 5 out of 5 stars.

Fabulous article, Kim! Love the way you look to bring banks and fintechs together, at a time when the state of everything seems determined to pull them apart and put them at odds. Doesn't have to be that way! And this, this is my everything: "The key is to step outside of the “we’ve always done it this way” box.  Instead of requiring a specific control, think about what risk you are trying to manage. More importantly, can that risk be properly managed using different types of controls more appropriate for the nature of the relationship between the bank and the fintech." Can't wait for the next installment!
