March 19, 2018
By Joshua Brown, Michele Sullivan, and Gayle Woodbury
The growing prevalence of bank-financial technology (fintech) partnerships underscores the need for a comprehensive and thoughtful approach to third-party risk management. And yet many have failed to prioritize this process. During a recent Crowe/Compliance Week survey, 66 percent of banks and financial services companies responded that their third-party risk management programs are immature or fairly informal; only a handful of respondents said their programs are mature.
Third-party relationships of any kind can pose threats to a business. Partnerships between financial services and fintech companies, which often involve unparalleled access to intellectual property, customers, and data, require particular vigilance. Additionally, due to the relative newness of many fintech companies, business resiliency, model risks, and financial viability also must be addressed.
Regulators thus far have looked to banks to effectively regulate fintech relationships through their third-party risk management programs. Although regulators have signaled their intent to regulate fintech companies more heavily, banks still will need to assess and manage fintech companies under their third-party risk management programs.
With an effective risk management framework that identifies, assesses, manages, and controls risk, banks and fintech firms alike can protect themselves and their customers while reaping the many benefits of working together.
This highlights some of the risks inherent in bank-fintech partnerships, as well as mitigating steps both partners can take to manage those risks.
1. In Bank-Fintech Partnerships, the Whole Is Greater Than the Sum of the Parts
Fintech firms and financial services companies are natural partners, with contrasting strengths that complement the other’s capabilities. Banks and established financial services companies have capital, scale, brand, customers, and vast troves of data. Yet many have failed to create the frictionless online and mobile experiences that customers increasingly demand or capitalize on the value of data – both of which are the bread and butter of fintech firms.
Fintech companies specialize in the deep consumer knowledge and segment expertise that banks often lack. Using technology to create efficiencies that eliminate the need for a large and intricately staffed organization, many fintech operations run as lean as possible. As a result, these organizations often are agile and highly responsive to customer needs.
A lack of direct supervision in certain instances has helped fintech companies to thrive in their nascent years. However, regulators have made it clear that the honeymoon period for fintech is nearing the end. New and evolving regulatory hurdles will pose challenges for fintech companies – creating yet another rationale for collaborating with banks, many of which, out of necessity, have more mature and established risk management and governance regimes in place.
2. Gauge Reporting Capability and Strategy and System Alignment
While partnerships can amplify the reach and capabilities of both banks and fintech companies, these types of relationships also can expose organizations to a number of risks. At a basic level, companies should be confident that a partner is willing and able to provide information, data, and reporting that is accurate, complete, realistic, timely, and transparent.
Would-be partners exploring a business relationship should consider whether their overarching business strategies and values align. They also should evaluate the compatibility of systems across the two organizations. Financial services companies must assess whether their core systems and technology align with those of the fintech company. Both parties should ask whether the systems can be integrated in a useful and productive manner.
3. Consider Third-Party Risks Embedded in the Partnership
A failure on the part of a third party can deal a devastating blow to a financial services company’s reputation; typically, a partner’s misstep is viewed as the bank’s misstep and vice versa. For that reason, a bank should assess whether prospective partners will handle designated responsibilities as well as the bank would. Of paramount importance, will the partner protect customer data and trade secrets and take reasonable steps to prevent security breaches?
Outside of customer data and system security issues, other potential pitfalls might be important to consider as well, depending on the nature of the partnership and the service being provided by the third party. Some common areas of concern include:
- Anti-money laundering. Partner failures related to anti-money laundering practices or consumer compliance can pose significant risk.
- Fourth-party risk. A fintech company’s engagement with other third parties – fourth parties from the perspective of the bank – also can introduce risk.
- Business resiliency. Business resiliency and financial viability also are important risks to consider, as the collapse of a fintech partner could put tremendous strain on a financial services company.
4. Assess Regulatory Culpability
Financial services companies and fintech partners also must ask themselves who will be held responsible by regulators. Often, the answer comes down to who is managing the customer relationship. The level and terms of the third-party contract and the roles and responsibilities of the different parties to the contract also factor in to who bears ultimate regulatory responsibility.
Regulators are increasing their influence on and supervision of all financial services companies, including banks and fintech firms, by expanding the definition of covered persons under current elements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. While the future of certain regulations and the execution of supervision are likely to be volatile, stakeholders across the industry are grappling with the question of who is ultimately accountable to regulators. Several financial services member organizations have assembled working groups to attempt to address this issue.
5. Keep the Board of Directors in the Loop
The responsibility for exploring new products and initiatives rests with the management team. However, given the level of access to customers, strategic insight, and data inherent in many fintech partnerships, these relationships should be considered critical or high risk, and thus should have the attention of the board. As part of this risk evaluation, the board should challenge whether the strategies of partner organizations align with the financial services company’s strategy and make sure any risks that exist are within the defined risk tolerance of the organization.
Once a relationship is established, best practices for risk management of critical or high-risk third parties include ongoing monitoring of any type of trigger event – such as patent infringement, litigation, data breach, imminent threat to the company’s financial viability or reputation, or regulatory concerns – that might cause a change in risk profile. These updates should be regularly reported to the board. Finally, depending on the relationship, organizations should consider doing periodic background checks on the top executives at the fintech firm, and possibly also evaluating hiring practices, training policies and curriculum, and confidentiality policies for employees.
6. Bear in Mind the True Cost of Partnership
Third-party relationships often are a result of outsourcing, a strategy that is motivated by cost cutting. Additionally, relationships with fintech firms also are achieved through joint ventures and other forms of partially or fully owned affiliates. Whatever the origin of the structure, organizations often fail to consider the actual total cost, which includes not only the external cost to pay the third party, but also the cost of oversight of the third party. Management of the risks and relationship with the third party requires time, skills, training, knowledge, visibility, and often, additional technology. If the bank doesn’t make necessary investments, it can’t effectively govern and manage the third party. In turn, this resource deficit increases the bank’s third-party risk and thus the overall risk profile of the bank.
Organizations need to calculate the total cost of the relationship considering all the internal resources required – including resources to train the third party’s personnel, negotiate the contract, implement any shared technology, and conduct initial due diligence, ongoing monitoring, and periodic reviews. The total cost may include the hiring of additional risk management personnel to compensate for added risk due to the relationship.
Conclusion: To Realize Benefits of Partnership, Manage Risk
For both banks and fintech firms, the same partnerships that can make them stronger also can make them vulnerable. Organizations should consider the potential pitfalls of a partnership – particularly system alignment, partner governance and oversight, regulatory responsibility, and board engagement. Partnerships should then be evaluated through a rigorous and ongoing risk management process built on the principles of identification, assessment, management, and control.