Managing risk in bank-fintech partnerships

As fintechs continue to define their position and value within the financial services environment, organizations might need to strengthen their Bank Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) programs to address risks related to fintech partnerships.

While beneficial to both parties, fintech partnerships inherently create additional risk, which must be considered. Financial crime prevention professionals are responsible for assessing the BSA/AML and OFAC risks related to products, services, and activities made available to customers via the fintech partnerships. Banks embarking on such partnerships might want to explore questions such as:

• Does our organization partner or plan to partner with fintechs to provide enhanced products and services to our customers?
• If yes, have we planned for how we will evaluate each fintech partner and adjust our control environment to support the evolving operations?

Third-party risk management for bank-fintech partnerships

To mitigate the inherent risk of bank-fintech partnerships, an enterprise third-party risk management (TPRM) program that can review and assess the fintech partner’s controls is critical. The TPRM program must include a robust assessment of BSA/AML and OFAC controls to reasonably conclude whether the fintech partner can onboard, monitor, investigate, and report customers and their activity in alignment with regulatory expectations. Some questions banks can ask when establishing a fintech partnership include:

• How will we oversee third-party relationships?
• What is our strategy to manage our fintech partnership?
• Can we rely on our existing risk assessments, due diligence procedures, and ongoing monitoring procedures to keep our partnership in compliance?
• Has the board of directors approved this partnership?
• What is our policy for ending relationships with fintech partners?

Maintaining an up-to-date TPRM program can help organizations assess whether a specific fintech partnership is beneficial and what control enhancements are required by either the fintech or the banking organization.

Targeted financial crime risk

As an extension of the organization’s current BSA/AML and OFAC programs, it is important to analyze risks that the partnership might introduce into the organization’s ecosystem, both initially and on an ongoing basis. BSA/AML and OFAC programs should include analysis and supporting documentation to identify risks, define needed controls, and determine the mitigation efforts required when considering a fintech partnership. Some specific focus areas include:

• Customer due diligence (CDD). Of course, due diligence is critical, specifically as it applies to understanding customers who are being onboarded. In establishing a fintech partnership, collecting CDD, enhanced due diligence, and beneficial ownership information is required to fully inform the compliance program.
• Transaction monitoring (TM). Monitoring is also critical, and TM helps organizations understand how a fintech’s customers are using the provided products and services to move funds. Clearly defined entry and exit points need to be considered, as does an understanding for how data should be integrated with current-state TM and the case management system. Note: It is important to define these points prior to entering the fintech partnership, as doing so can allow the organization to capture an understanding about potentially suspicious activities the fintech relationship might create. Transaction monitoring procedures must align with the current risk profile of the organization so that all suspicious transactions can be reviewed.
• Investigations and case management. Bringing together sound CDD and TM program elements helps the organization review how it will collaborate with the fintech to meet the required levels of due diligence and reporting when unusual or unreasonable activity is identified. An effective investigation and reporting process requires a clear and complete understanding about customer and transactional information and suspicious activity report filing to mitigate missteps in case management.
• Training. Thorough training is a must. Beyond the customer, product, and services risk, all employees of the banking organization must receive thorough training to understand the BSA/AML and OFAC risks that the fintech partnership creates.

Auditing your programs

A qualified auditor should review the organization’s policies, procedures, and processes related to BSA/AML and OFAC to independently test whether the organization has a reasonable and sound control environment. Auditors will test various models and controls to assess whether they are operating effectively relative to their design. At the end of the audit review period, and after confirmation by management, the results of the independent testing should be presented to the audit committee of the board of directors.

Positioning for success

As organizations seek out new partners, particularly in the fintech space, understanding regulatory expectations to support sound compliance operations can help determine what steps should be taken to strengthen their BSA/AML and OFAC programs. Establishing these steps before agreeing to a partnership can make it easier to onboard and monitor fintechs, and it can support more constructive communication with regulatory authorities during examination or audit periods.