In today’s competitive banking landscape, many community banks have embraced the benefits of partnering with a variety of financial technology companies (“fintechs”). In recent years, numerous fintechs have emerged and introduced valuable expertise and financial products and services in areas that many community banks lack (or that would be cost-prohibitive for a community bank to pursue or develop on its own). In fact, many in the industry recognize the cold hard truth that community banks that fail to embrace fintech relationships may ultimately find themselves at a significant competitive disadvantage. As you might imagine, these fintech relationships (and the risks that accompany them) have also been an increasing area of focus for federal banking regulators.
On August 27, the three federal banking agencies (i.e., the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency) jointly issued guidance entitled “Conducting Due Diligence on Financial Technology Companies—A Guide for Community Banks” (the “Guidance”). As its name suggests, the Guidance is not intended to be a mandatory set of rules or requirements, but instead serves as a resource to community banks when performing due diligence in connection with potential fintech relationships, and a reminder of the need to conduct due diligence.
In the Guidance, the regulators again recognize that arrangements between community banks and fintechs will introduce and involve certain risks, and that assessing the benefits and risks associated with such relationships is a critical part of a community bank’s responsibilities. The Guidance includes a recommendation that, during the due diligence process, a community bank collect and analyze relevant information (both publicly available information and information requested from the fintech) in order to determine whether the potential relationship is in line with the community bank’s goals and whether the relationship can be implemented in a manner that is consistent with legal and regulatory requirements applicable to the community bank, including safe and sound operation.
Of course, the scope and depth of due diligence will ultimately vary depending on the risk to the community bank and the nature of the proposed activity (i.e., the nature and extent of the specific products or services being offered by the fintech). In particular, the Guidance focuses on the following six due diligence topics that will be familiar to bankers, and includes discussions of relevant considerations in each, potential sources of information, and illustrative examples:
- Business Experience and Qualifications. Under this first area of focus, relevant considerations may include the fintech’s operational history, client references and complaints, legal or regulatory actions against the company, and qualifications and backgrounds of directors and company principals, including whether the fintech has sufficient management and staff with appropriate expertise to handle the proposed activity.
- Financial Condition. Under this second area of focus, relevant considerations may include an analysis of financial reports and the sources of the fintech’s funding, as well as information on the fintech’s competitive environment, client base, and susceptibility to external risks.
- Legal and Regulatory Compliance. Under this third area of focus, relevant considerations may include the fintech’s legal standing, its knowledge about the applicable legal and regulatory environment, and its experience working within the applicable legal and regulatory framework. Community banks should consider reviewing the fintech’s organization and licensing and evaluating its risk and compliance processes and its relevant experience.
- Risk Management and Controls. Under this fourth area of focus, relevant considerations may include the fintech’s risk management policies, processes and controls, as well as information on the fintech’s staffing and training programs.
- Information Security. Under this fifth area of focus, community banks should consider evaluating the fintech’s information security measures and seek to understand any security framework the fintech employs to manage cybersecurity risk, including its information security control assessment, information security policies, and security measures for managing operational risk.
- Operational Resilience. Under this last area of focus, relevant considerations may include the fintech’s ability to continue operations through a disruption and its processes to identify, respond to, and protect itself and customers from threats and potential failures, including significant disruptions in operations. In fact, the FDIC also issued a Financial Institution Letter in early 2019 observing that many contracts with fintechs did not adequately define rights and responsibilities regarding business continuity and incident response (or provide sufficient detail to allow banks to manage those processes and risks).
In the end, it is fairly safe to say that fintech is here to stay, and that the majority of community banks will ultimately find themselves partnering with a handful of fintechs in one way or another. The federal banking regulators recognize the symbiotic nature of these fintech relationships, and the Guidance is a welcome and helpful tool for community banks to have on hand when performing due diligence on both new and well-established fintechs.