Banking guidance: Six key areas of FinTech due diligence

The Federal Reserve Bank, Federal Deposit Insurance Corp., and Office of the Comptroller of the Currency published guidance Friday offering tips and suggestions to community banks for conducting due diligence on potential FinTech partners.

”Community banks are entering into business arrangements with FinTech companies to offer enhanced products and services to their customers, increase efficiency, and reduce internal costs,” the agencies wrote in a joint press release. “This guide is intended to serve as a resource for community banks when performing due diligence on prospective relationships with FinTech companies.”

The guide covers six key areas of due diligence: business experience and qualifications, financial condition, legal and regulatory compliance, risk management and control processes, information security, and operational resilience.

“There may be other topics, considerations, and sources of information to consider, depending on the unique relationship and the role of the FinTech company,” the guide said.

Assessing business experience includes vetting the potential FinTech partner’s track record, volume, and types of complaints and reviewing legal and regulatory actions and any summaries of past operational failures. Other considerations include who owns the FinTech, its geographical footprint, and a summary of key personnel and subcontractors. The review should also assess the FinTech’s “willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations,” the guide said.

Community banks should also determine a potential FinTech partner’s financial condition by reviewing publicly available financial statements and reports and internal financial statements, if available. Request a list of the FinTech’s funding sources and client base and assess its market position among its competitors, the guide suggests.

Any service a FinTech company provides to a community bank must meet all the bank’s legal and regulatory requirements. At a minimum, a FinTech should be authorized to operate in the community bank’s geographic area. Review its charter, certificates of good standing, licenses, and other relevant public information.

To assess its ability to comply with regulatory requirements, review a FinTech’s policies, procedures, and internal controls that are relevant to the service it would provide. Ensure the contract between the bank and the FinTech company lays out legal and compliance duties, the guide said.

“Some FinTech companies may have limited experience working within the legal and regulatory framework in which a community bank operates,” the guide said. Banks should consider requiring potential FinTech partners to allow the bank and the bank’s regulator to access the FinTech company’s records, as well as monitoring, reviewing, and potentially auditing a FinTech company periodically to ensure compliance with the terms of the contract.

Some FinTechs either do not have or might be unwilling to provide answers to some due diligence questions, either because of their relative maturity or because the information is considered proprietary. In those cases, the guidance suggests a community bank might consider an onsite visit of the FinTech or request an audit, either by the bank’s audit team or an independent one, to evaluate suitability.

In some cases, a community bank might accept certain limitations, commensurate with the criticality of the arrangement and the bank’s risk appetite, the guide said. But the contract between the bank and the FinTech company should lay out how the bank will monitor and review the FinTech’s performance, how the bank will request remediation of issues of concern, and establish the factors that would lead to termination of the contract.

Information security has become one of the key problem areas between banks and their third parties, as many breaches of sensitive customer data have occurred through weaknesses in a third party’s cyber-security defenses. A bank should thoroughly assess a potential FinTech partner’s cyber-defenses and how well it identifies, reacts, and remediates problems. The contract should make clear when and how the FinTech should notify the bank in the event of a breach.

And with the pandemic still a lingering concern, banks should assess a FinTech’s operational resilience.

“For example, community banks may evaluate a FinTech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the FinTech company relies upon for recovery operations,” the guide said.