Jan. 27, 2017
By Joshua A. Brown, CIA, CISA, Michele P. Sullivan, CPA, CRMA, Gayle M. Woodbury, CIA, CISA, CCSA
No longer fearful that financial technology (fintech) companies pose an existential threat, banks today increasingly recognize the benefits of collaborating with these tech-savvy organizations. Fintech companies are equally aware that their success hinges on access to the infrastructure, customers, and data that banks have at their fingertips.
The growing prevalence of bank-fintech partnerships underscores the need for a comprehensive and thoughtful approach to third-party risk management. And yet many have failed to prioritize this process: during a recent Crowe/Compliance Week survey,1 66 percent of banks and financial services companies responded that their third-party risk management programs are immature or fairly informal; only a handful of respondents said their programs are mature.
Third-party relationships of any kind can pose threats to a business. Partnerships between financial services companies and fintech companies, which often involve unparalleled access to intellectual property, customers, and data, require particular vigilance. Additionally, due to the relative newness of many fintech companies, business resiliency, model risks, and financial viability also are prevalent risks that need to be addressed. With an effective risk management framework that identifies, assesses, manages, and controls risk, banks and fintech firms alike can protect themselves and their customers while reaping the many benefits of working together.
Fintech firms and financial services companies are natural partners, with contrasting strengths that complement each other’s capabilities. Banks and established financial services companies have capital, scale, brand, customers, and vast troves of data. Yet many have failed to create the frictionless online and mobile experiences that customers increasingly demand or to capitalize on the value of their data – both of which are the bread and butter of fintech firms. Fintech companies specialize in the deep consumer knowledge and segment expertise that banks often lack. Using technology to create efficiencies that eliminate the need for a large and intricately staffed organization, many fintech operations run as lean as possible. As a result, these organizations are often agile and highly responsive to customer needs.
A lack of direct supervision in certain instances has helped fintech to thrive in its nascent years. However, regulators have made it clear that the honeymoon period for fintech is nearing the end. New and evolving regulatory hurdles will pose challenges for fintech companies – creating yet another rationale for collaborating with banks, many of which, out of necessity, have more mature and established risk management and governance regimes in place.
Regulators thus far have looked to banks to effectively regulate fintech relationships through their third-party risk management programs. Banks still will need to assess and manage fintechs under their third-party risk management programs, even if fintech firms become chartered, regulated, and highly supervised entities themselves.
With Opportunity Comes Risk
While partnerships can amplify the reach and capabilities of both banks and fintech companies, these types of relationships also can expose organizations to a number of risks. At a basic level, companies should be confident that a partner is willing and able to provide information, data, and reporting that is accurate, complete, realistic, timely, and transparent. Other important considerations when evaluating a partner fall into the following categories:
- Strategy and systems alignment
- Third-party risk management
- Regulatory responsibility
- Board engagement
Strategy and Systems Alignment
Would-be partners exploring a business relationship should consider whether their overarching business strategies and values align. They also should consider the compatibility of systems across the two organizations. Financial services companies must assess whether their core systems and technology align with those of the fintech company. Both parties should ask whether the systems can be integrated in a useful and productive manner.
Third-Party Risk Management
A failure on the part of a third party can deal a devastating blow to a financial services company’s reputation: typically, a partner’s misstep is viewed as the bank’s misstep and vice versa. For that reason, a bank should assess whether prospective partners will handle designated responsibilities as well as the bank would. Of paramount importance, will the partner protect customer data and trade secrets and take reasonable steps to prevent security breaches?
Outside of customer data and system security issues, other potential pitfalls might be important to consider as well, depending on the nature of the partnership and the service being provided by the third party. Partner failures related to anti-money laundering practices or consumer compliance can pose significant risk. Moreover, a fintech company’s engagement with other third parties – fourth parties from the perspective of the bank – also can introduce risk. Business resiliency and financial viability also are important risks to consider, as the collapse of a fintech partner could put tremendous strain on a financial services company. The assessment of whether a partner will manage its own responsibilities appropriately should be guided by a detailed evaluation of the products or services being offered by the third party.
Regulatory Responsibility
Financial services companies and fintech partners also must ask themselves who is to be held responsible by regulators. Often, the answer comes down to who is managing the customer relationship. The level and terms of the third-party contract and the roles and responsibilities of the different parties to the contract also factor into who bears ultimate regulatory responsibility.
Regulators are increasing their influence on and supervision of all financial services companies – banks, fintech firms, and others – in part by expanding the definition of covered persons under current elements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. While the future of certain regulations and the execution of supervision are likely to be volatile, stakeholders across the industry are grappling with the question of who is ultimately accountable to regulators. Several financial services member organizations have assembled working groups to attempt to address this issue. However, the reality today is that banks often are held responsible when something goes wrong.
Board Engagement
Boards have a responsibility to ensure appropriate third-party risk management. The responsibility for exploring new products and initiatives rests with the management team. However, given the level of access to customers, strategic insight, and data inherent in many fintech partnerships, these relationships should be considered critical or high risk, and thus should have the attention of the board. As part of this risk evaluation, the board should challenge whether the strategies of the partner organizations align with the financial services company’s strategy and make sure that any risks that exist are within the defined risk tolerance of the organization.
Once a relationship is established, best practices for third-party risk management of critical- or high-risk third parties include ongoing monitoring of any type of trigger event – such as patent infringement, litigation, data breach, imminent threat to the company’s financial viability, reputation, or regulatory concerns – that might cause a change in risk profile. These updates should be reported regularly to the board. Finally, depending on the relationship, organizations should consider doing periodic background checks on the top executives at the fintech firm, and possibly also evaluating hiring practices, training policies and curriculum, and confidentiality policies for employees.
Risk Management Framework
A third-party risk management framework can help organizations monitor and mitigate the risks inherent in partnerships. An effective framework should cover the third-party life cycle and be guided by the core principles of identification, assessment, management, and control.
Companies must know their partners, but often this is easier said than done. Many third-party relationships are buried in the far corners of an organization, having existed for years under the authority of just one or two line managers. Senior leadership must acknowledge and communicate to all managers that third-party relationships pose risk to the organization and therefore need to be identified and managed transparently. All new and ongoing vendor relationships should undergo an initial and periodic risk assessment to evaluate the level of risk they pose to the organization. The higher the risk, the more resources should be committed to managing the relationship.
Once all third-party relationships have been identified, financial services companies need to understand the risks that the relationships pose by following standardized procedures for assessing and documenting risk. There is no one-size-fits-all approach when it comes to the appropriate steps for the risk and controls assessment, either initially or periodically. The guidance on this topic from the Office of the Comptroller of the Currency, the Federal Reserve Board, the Consumer Financial Protection Bureau, and the Federal Financial Institutions Examination Council can provide organizations with the basic tenets for their programs.
For new or changing relationships, this assessment should tie directly to the contract negotiation. Simply accepting a contract presented by a third party is inadequate; a company should negotiate terms that strengthen its controls. A financial services company should insist that the contract include a formal agreement by the third party to implement risk-mitigating controls and help establish standards for ongoing reporting and management. A right-to-audit clause should be included to encourage transparency. And, risks may change over time: for example, a third party may itself outsource relationships, which can lead to new risks. Companies continually must monitor and assess relationships and their associated risks as they change.
Financial services companies also need to manage third-party risks during the execution of the agreement. This can be challenging, as line-of-business management might be focused on performance or spending rather than risk management. In addition, risks are changing continually as new threats emerge in the business environment. Considering these challenges, organizations need appropriate resources, including staff and tools to monitor and manage third parties proactively. There should be an understanding across the management team that there is an ongoing cost and effort to managing the risks of third-party relationships, and resources should be allocated to this process accordingly.
Another critical aspect of oversight is controlling risk, which companies can do with some degree of confidence via contracts with third parties and through establishment of independent monitoring and testing processes. A company’s ability to effectively manage risk related to third parties will have a direct impact on its ability to function effectively as an extended enterprise. Companies should gather feedback from third parties to assess whether programs are working and what adjustments, if any, are needed. The easiest way to deal with this is to introduce standard contracts that clearly state the responsibilities of third parties, including the responsibility to participate in a company’s risk management processes, among them allowing the right to audit.
True Cost of Partnership With Fintech Firms
Third-party relationships often are the result of outsourcing, a strategy typically motivated by cost cutting. Relationships with fintech firms also arise through joint ventures and other forms of partially or fully owned affiliates. Whatever the structure, organizations often fail to consider the actual, total cost, which includes not only the external cost of paying the third party but also the cost of overseeing it. Managing the risks of, and the relationship with, the third party requires time, skills, training, knowledge, visibility, and often additional technology. If the bank doesn’t make the necessary investments, it can’t effectively govern and manage the third party. In turn, this resource deficit increases the bank’s third-party risk and thus the overall risk profile of the bank.
Organizations need to calculate the total cost of the relationship by including all the internal resources required – including resources to train the third party’s personnel, negotiate the contract, implement any shared technology, and conduct initial due diligence, ongoing monitoring, and periodic reviews. The total cost may include the hiring of additional risk management personnel to compensate for added risk due to the relationship.
To Realize Benefits of Partnership, Manage Risk
For both banks and fintech firms, the same partnerships that can make them stronger also can make them vulnerable. Organizations should consider the potential pitfalls of a partnership, considering in particular system alignment, partner governance and oversight, regulatory responsibility, and board engagement. Partnerships should then be evaluated through a rigorous and ongoing risk-management process built on the principles of identification, assessment, management, and control.
1 Jaclyn Jaeger, “Survey: Trials, Tribulations of Third-Party Risk Management,” Compliance Week, Nov. 1, 2016.