Laura Zannucci | July 21, 2023 | 7 min read

Fintech and Vendor Management Guidance

Many IT professionals cringe whenever they hear “fintech.” Quite honestly, I still do on occasion. When we think of fintech, many think of risk, volatility, and the unknown. But is it really as scary as we think? With the right approach, analyzing fintech companies doesn’t have to be so intimidating.

Why are FIs drawn to fintech?

Fintech companies offer a wealth of technical expertise that can help FIs maintain a competitive edge. From new products and services to improved processes and delivery channels, fintech can be a game changer for FIs looking to meet their strategic goals and keep up with a rapidly changing industry. FIs may find establishing vendor relationships with fintech companies more appealing than internally developing products, services, or activities.


One of the biggest challenges facing fintech startups is gaining access to the bank's core banking information, and justifiably so. Bank information security officers (ISOs) should proceed cautiously, considering the ever-evolving regulatory landscape and potential cybersecurity risks. By sticking to regulatory guidelines, savvy ISOs can weigh the risks and rewards to make informed decisions about any fintech partnerships that come their way.


An Overview of the Guidance

The FDIC, the Federal Reserve, and the OCC jointly issued a guide titled "Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks." It provides direction on conducting due diligence when entering into and managing fintech relationships.


At first glance, the guide may seem like a daunting 20-page read, but the outline is straightforward and practical. The guide takes a closer look at fintech relationships and offers enhanced considerations for six key areas of due diligence.

  1. Business Experience and Qualifications
  2. Financial Condition
  3. Legal and Regulatory Compliance
  4. Risk Management and Controls
  5. Information Security
  6. Operational Resilience


It's important to keep in mind that the guide doesn't replace any current guidance from regulatory agencies and is entirely voluntary.


Business Experience and Qualifications

When conducting due diligence, an FI may take into account how a fintech company's previous experience could affect the proposed activity. By gaining insight into the fintech's qualifications and overall strategy, the FI can evaluate the company's capability to meet its expectations and objectives. It is also important for the FI to assess whether the fintech is willing and able to align the proposed activity with the FI's requirements and regulatory environment.


By evaluating these areas, an FI can determine the fintech's level of expertise:

  • Business Experience
    • Sources of information: company overview, organizational charts, client references, complaints, public records of legal or regulatory issues, media reports, and summary of any operational challenges.
  • Business Strategies and Plans
    • Sources of information: mission statement, geographic footprint, strategic plan, patents and licenses, key personnel and subcontractors, employment policies, websites, and social media.
  • Qualifications and Backgrounds of Directors and Company Principals
    • Sources of information: ownership, biographical and professional information about the board of directors and company principals, sources of capital, and succession plans.


Financial Condition

Financial institutions need to assess the financial stability of fintech companies, especially those that are less established than other technology vendors. In the absence of audited statements, FIs can review alternative financial information such as funding sources, access to funds, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that can affect the company’s overall financial performance.


By evaluating these areas, FIs can gain confidence that the fintech company can continue to operate and meet its obligations:

  • Financial Analysis and Funding
    • Sources of information: financial statements, annual reports, SEC filings, internal financial reports and projections, and a list of funding sources.
  • Market Information
    • Sources of information: publicly available market information on competitors and information on client base.


Legal and Regulatory Compliance

When partnering with fintech companies, FIs need to protect their interests. This means ensuring that the fintech knows legal and regulatory requirements and has experience working within the legal framework. To achieve this, the contract should include provisions requiring compliance with federal consumer protection laws and granting access to the fintech's records for review and monitoring.


By evaluating these factors, FIs can verify a fintech's ability to comply with applicable laws and regulations:

  • Legal
    • Sources of information: charters, articles of incorporation, certificate of good standing, lawsuits, settlements, enforcement actions, and Form 10-K and 10-Q filings.
  • Regulatory Compliance
    • Sources of information: policies, procedures, training, internal controls, contract terms related to legal and compliance responsibilities, and information regarding customer-facing delivery channels or applications, marketing materials and regulatory disclosures, and methods to monitor customer complaints.


Risk Management and Controls

Fintech companies’ audit, risk, and compliance functions will differ depending on various factors, such as the company's maturity and the complexity of its activities. As a result, some companies may not have the usual documentation that traditional FIs require for their due diligence review. Additionally, some fintech companies may hesitate to provide certain documentation they consider proprietary or a trade secret.


The FI may consider the following:

  • accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the FI’s normal processes.
  • incorporating contract provisions establishing the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified.
  • establishing a right to terminate a third-party relationship based on a fintech company’s failure to meet specified technical and operational requirements or performance standards.
  • outlining risk and performance expectations and related metrics within the contract to address requirements.


By evaluating these factors, FIs can assess a fintech's ability to conduct the activity safely and soundly, consistent with its risk appetite and in compliance with relevant legal and regulatory requirements:

  • Risk Management and Control Processes
    • Sources of information: policies, procedures, information on risk and compliance staffing, results of control reviews and audit reports, schedule of planned control reviews and audits, self-assessments, training materials and training schedule, inventory of key risk, performance, and control indicators, project plans, and sample reports to the board of directors.


Information Security

Information security programs and processes vary, particularly for fintech companies in an early start-up or expansion phase. FIs may assess whether a fintech company's information security processes are suitable and proportionate to the risk of the proposed activity. Additionally, FIs may seek to understand the fintech company's oversight of its subcontractors, including data and information security risks and controls.


When a fintech company has access to customer data, the FI should know how the company limits access to its systems and data, identifies and fixes vulnerabilities, and updates and replaces hardware or software. The FI should consider the risks and related controls concerning its customer data if the fintech's security is compromised.


By evaluating these factors, FIs can assess the adequacy and integrity of a fintech company's processes for handling and protecting sensitive information, including customer information, depending on the third-party relationship and activity proposed:

  • Information Security Program
    • Sources of information: information security controls assessments, incident management and response policies, incident reports with post-mortem and remediation activities, information security policies, information security and privacy training for staff, and policies addressing safeguarding and privacy laws and regulations.
  • Information Systems
    • Sources of information: information technology policies, an overview of technology and processes supporting prospective activity, and completed controls or standards assessments.


Operational Resilience

A fintech's backup resiliency and business continuity processes can vary depending on its offerings. FIs need to assess whether a fintech company's planning and related processes are suited to the nature and importance of the work it performs. FIs may consider having appropriate contingency plans in place, such as having other service providers available, in case the fintech company experiences a business interruption, failure, or bankruptcy that prevents it from performing the activity.


An FI may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, an FI may look to the fintech company’s processes to identify, respond to, and protect itself and its customers from threats and potential failures, as well as how it will recover and learn from disruptive events.


By evaluating these factors, FIs can review a fintech’s ability to maintain operations:

  • Business Continuity Planning and Incident Response
    • Sources of information: business continuity plans, business impact analysis, disaster recovery plans, incident response plans, documented system backup processes, testing results, cybersecurity reports and audits, and insurance documents.
  • Service Level Agreements
    • Sources of information: proposed service level agreements and evidence of the fintech's performance against its existing service level agreements.
  • Reliance on Subcontractors
    • Sources of information: policies on outsourcing and its use of subcontractors, independent reports or certifications regarding subcontractors, and a list of third parties used.


Conclusion

Financial institutions are always seeking ways to improve their products and services while reducing costs, making fintech relationships increasingly popular. These relationships provide access to new and innovative technologies that can significantly enhance the efficiency of FIs, making them more competitive in the market. However, as with any third-party relationship, there are risks involved. To ensure that the benefits outweigh the potential risks, FIs need to conduct a thorough due diligence process, as outlined in the guide. By taking these extra steps, FIs can make informed decisions and reduce the stress and uncertainty often associated with partnerships.


Laura Zannucci

Laura Zannucci is an Information Security Consultant and IT Auditor at SBS CyberSecurity. She also serves as the Information Security Officer (ISO) for the company.
