On August 27, 2021 the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency released guidance on Conducting Due Diligence on Financial Technology Companies to help community banks evaluate potential relationships with fintech companies. While the guidance is intended for community banks, it may be helpful for any financial institution that partners with fintech companies. The guidance focuses on six due diligence topics: 1) business experience and qualifications; 2) financial condition; 3) legal and regulatory compliance; 4) risk management and controls; 5) information security; and 6) operational resilience.
Business Experience and Qualifications
Understanding a fintech company’s business experience and qualifications gives insight into the potential relationship. A fintech company’s operational history, strategic plans, and director and principal qualifications can be useful to determine whether the company has the experience necessary to successfully partner with a community bank, and whether the fintech company is in a position to meet the bank’s needs.
Financial Condition
“Evaluating a fintech company’s financial condition helps a community bank to assess the company’s ability to remain in business and fulfill any obligations created by the relationship.” When considering financial condition, community banks should review the company’s financial reporting, its sources of funding, and market information. Reviewing sources of funding may help assess whether a fintech company is supported by cash flow and profit, or by debt. Market information, including the size of the company’s client base, is helpful to determine whether the company is dependent on a few clients and whether the company can sustain the loss of its largest client.
Legal and Regulatory Compliance
Legal and regulatory compliance is important for determining whether a fintech company has a regulatory framework in place to comply with applicable laws and regulations. When reviewing the proposed agreement or evaluating the proposed relationship, a community bank should identify legal risks based on the roles and responsibilities of the fintech company under the terms of the partnership. Reviewing a fintech company’s regulatory compliance procedures may help the bank determine whether the company will “support the community bank’s legal and regulatory requirements.”
Risk Management and Controls
Reviewing a fintech company’s risk management policies and controls may help a community bank assess whether the fintech company is in a position to operate in a safe and sound manner, “consistent with the community bank’s risk appetite.” Risk management policies and controls may provide insight into how risk management is governed, including through audits and annual reviews, and how the company’s employees comply with its policies and procedures. A bank may review the company’s risk management and control processes to determine if they are in line with the bank’s own policies and procedures or create additional risk.
Information Security
In light of the importance of data privacy and protection, community banks are urged to review the fintech company’s information security program to determine the data privacy risks associated with the company. A fintech company’s information security policy should show how the company manages cybersecurity risk, its approach to identifying, mitigating, and correcting vulnerabilities, and how it conducts its activities safely.
More broadly, the Federal Financial Institutions Examination Council (FFIEC) released guidance on Authentication and Access to Financial Institution Services and Systems to help financial institutions develop and maintain effective risk management practices related to access to, and authentication for, a financial institution’s systems. As technology expands financial service capabilities, new technology may also provide attackers with additional opportunities to obtain unauthorized access to financial institution systems. Certain authentication controls, such as single-factor authentication, that were once effective may no longer be. Multi-factor authentication or other similar controls, such as layered security, may be necessary to mitigate authentication risk. Layered security creates multiple levels of controls, such as multi-factor authentication, user time-out, and transaction amount limits, all working together to mitigate potential risk. The FFIEC guidance applies to financial institutions; however, third parties who partner with financial institutions to provide access to information systems and authentication controls should expect to be held to these standards by their financial institution partners. Depending on the risk, third parties who partner with financial institutions should have robust access and authentication controls in place to mitigate risk. Financial institutions more broadly should review a prospective partner fintech company’s information security program and any accompanying risk assessments to determine the adequacy of the controls in place.
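As an added illustration (not from the FFIEC guidance or the authors), the following Python sketch shows the three layered controls named above, multi-factor authentication, user time-out, and transaction amount limits, evaluated together on a single transaction request so that each layer can independently deny it. The thresholds, the Session fields, and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

# Layered controls as named in the FFIEC guidance discussed above. The
# threshold values are constructed for illustration, not taken from the guidance.
SESSION_IDLE_LIMIT_S = 900        # assumed: 15-minute user time-out
MFA_REQUIRED_ABOVE = 1_000.00     # assumed: MFA step-up required above this amount
PER_TXN_LIMIT = 5_000.00          # assumed: single-transaction ceiling
DAILY_LIMIT = 10_000.00           # assumed: cumulative daily ceiling


@dataclass
class Session:
    user: str
    mfa_verified: bool
    last_activity: int          # epoch seconds of the user's last action
    daily_total: float = 0.0    # amount already authorized today


def evaluate_transaction(session: Session, amount: float, now: int) -> List[str]:
    """Run every layer and return the names of the layers that denied the request.

    Layers are not short-circuited, so a log entry or alert can record every
    control that fired. An empty list means the transaction is allowed.
    """
    denials = []
    if now - session.last_activity > SESSION_IDLE_LIMIT_S:
        denials.append("session_timeout")
    if amount > MFA_REQUIRED_ABOVE and not session.mfa_verified:
        denials.append("mfa_required")
    if amount > PER_TXN_LIMIT:
        denials.append("per_transaction_limit")
    if session.daily_total + amount > DAILY_LIMIT:
        denials.append("daily_limit")
    return denials


def authorize(session: Session, amount: float, now: int) -> bool:
    """Apply the layered decision; on approval, record the spend and activity."""
    if evaluate_transaction(session, amount, now):
        return False
    session.daily_total += amount
    session.last_activity = now
    return True
```

Because the layers are independent, a stale session is rejected even when credentials and limits are satisfied, and a large request is rejected even from a fresh, MFA-verified session.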
Operational Resilience
“A community bank may evaluate a fintech company’s ability to continue operations through a disruption.” A fintech company’s operational resilience, including the processes in place in the event of system failures or disruptive events, may help a community bank assess whether the company can successfully manage a system failure or disruption with adequate recovery times and minimal data loss. In addition, a community bank should review service level agreements to ensure that the bank’s key obligations are met. Finally, a fintech company’s relationship with its subcontractors may provide additional insight into its operational resilience. If a fintech company relies on only a small number of subcontractors, there may be a heightened vulnerability to a single point of failure.
While the guidance urges caution and diligence when community banks partner with fintech companies, recent guidance issued by the Federal Reserve clearly supports the development of these partnerships. Generally, there are three different types of community bank and fintech company partnerships: 1) operational technology partnerships; 2) customer-oriented partnerships; and 3) front-end fintech partnerships. Operational technology partnerships “aim to enhance a bank’s processes, monitoring capabilities, or technical infrastructure.” Customer-oriented partnerships aim to “enhance various customer-facing aspects of [the community bank’s] business.” Front-end fintech partnerships combine “a bank’s infrastructure… with the technology of a fintech” where the fintech company directly interacts with the bank’s customers. Each type of partnership has its own benefits, risks, and challenges, but community banks view these partnerships as part of their overall strategy to meet the diverse needs of their clients.
For more information about fintech partnerships or conducting due diligence on fintech companies, please contact Wilson Sonsini attorneys Josh Kaplan or Troy Jenkins.