Updated: Aug 12, 2022
Community financial institutions (FIs) are differentiating themselves by the unique services they offer, often thanks to financial-technology partners. While these fintech relationships can bring FIs dazzling new offerings to attract customers and enhance a reputation for innovation, they also mean many painstaking hours as FIs make sure prospective (and existing) partners are in a position to protect customer data and otherwise behave responsibly.
Over time, regulators have come to emphasize the importance of not only maintaining strict data privacy and other standards of conduct for financial institution’s themselves—but for all of their third-party vendors, as well.
Recognizing the difficulty of performing due diligence, the regulators have put out user-friendly advice that clarifies expectations. One of the best sources is titled Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks. It was published by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC).
RiskScout is covering similar ground in a webinar, "WHAT BANKERS NEED TO KNOW IN NAVIGATING FINTECH COMPLIANCE", to take place on Wednesday, August 24, 2022 | 1:00 PM - 2:00 PM CDT. To register for this webinar, please go to https://register.gotowebinar.com/register/4799612771692918543. 
Six Areas to Consider
In their guide, the OCC, the Federal Reserve, and the FDIC emphasize that FIs should consider how a fintech “may assist the bank in meeting its strategic objectives” and determine “whether the relationship aligns with the FI’s risk appetite.” How is this done? By assessing whether the activities the fintech will perform can be implemented safely, “consistent with applicable legal and regulatory requirements.”
The agencies break down the complicated due-diligence process into six approachable topics. Here is an overview:
1. Business experience and qualifications
There are numerous ways to consider a fintech’s experience and qualifications, ranging from doing a deep dive into its operational history to looking at references from clients (good and bad) and investigating whether any regulatory or legal actions or complaints have been lodged.
Important areas of inquiry include a fintech’s strategic plans, as well as the experience and qualifications of its management team and directors. Some areas of information would include org charts, client references, media reports, public records of legal or regulatory actions, a summary of key personnel and subcontracts, and bios of management and directors.
2. Financial condition
Assessing a third-party’s financial condition is critical to determining how able a company is to stay in business and fulfill obligations within a partnership. Here, some key sources of information would include financial statements, securities filings, a list of funding sources, and information about the fintech’s client base.
3. Legal and regulatory compliance
Researching a third party’s experience working within the legal and regulatory framework in which community FI’s operate is a good indicator of how a fintech will comply with applicable laws and regulations. Here, potential sources of information would include charters and articles of incorporation; records related to intellectual property, such as patents; lawsuits and complaints; and 10-K and 10-Q filings.
The agencies note that some fintechs may have limited experience working within the legal and regulatory framework in which a FI operates. In these cases, a FI might include contract terms requiring compliance with specific legal and regulatory requirements, as well as authorization for a FI or the FI’s main supervisory agency to access a fintech’s records.
4. Risk management and controls
Not all fintechs will have the well-developed audit, risk and compliance functions that a FI might have. This is especially true for younger organizations.
Some ways to work with a fintech in this scenario might include requesting periodic on-site visits to evaluate controls and operations. Within a contract with a fintech, a FI might insert provisions establishing the right to audit, conduct on-site visits, and require remediation when issues are identified.
5. Information security
Here, a community FI would assess how a fintech is managing cybersecurity risk. Valuable sources of information include incident reports, policies addressing how information is safeguarded, and completed controls or standards assessments.
Remember that fintechs often have access to a FI’s customer data and so making sure that this data is protected is paramount.
6. Operational resilience
A community FI will want to evaluate how able a fintech is to continue to operate even in a disruptive event. Here, potential sources of information might include business continuity plans, disaster recovery plans, and insurance documents.
Another important area to investigate is the fintech’s reliance on subcontractors, and how that fintech is monitoring its subcontractors.
Finally, a community FI might inquire about appropriate contingency plans-- for instance, the availability of substitute service providers-- in case a fintech experiences a business interruption and cannot perform agreed-upon activities.