On August 27, the Federal Reserve, FDIC, and OCC jointly published guidance on the types of due diligence community banks should engage in when contemplating arrangements with financial technology companies, or FinTechs. While the diligence guidance is voluntary, the banking agencies suggest that community banks should conduct due diligence with respect to FinTechs in six key areas: (i) business experience and qualifications, (ii) financial condition, (iii) legal and regulatory compliance, (iv) risk management and controls, (v) information security, and (vi) operational resilience. The guidance then breaks each category into subcategories and, for each subcategory, lists relevant considerations for the bank and potential sources of information. The subcategories are as follows:
Business Experience and Qualifications
- Business experience
- Business strategies and plans
- Qualifications and backgrounds of directors and company principals

Financial Condition
- Financial analysis and funding
- Market information

Legal and Regulatory Compliance
- Legal
- Regulatory compliance

Risk Management and Controls
- Risk management and control processes

Information Security
- Information security program
- Information systems

Operational Resilience
- Business continuity planning and incident response
- Service level agreements
- Reliance on subcontractors
Putting It Into Practice: The increase in FinTech partnerships, like any other third-party relationship, can introduce risks for community banks. Importantly, the banking agencies remind banks that partnerships do not diminish a bank’s responsibility to comply with “federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.” Community banks looking to work with FinTechs should carefully examine the company’s qualifications, compliance systems, and information security practices. And while the guidance is directed at community banks, it also tells FinTechs what sort of due diligence they can expect when considering an arrangement with a community bank.
Third-party risk management and compliance have quickly become an increased focus of the banking agencies – in July, they published proposed guidance to help banking organizations manage risks related to third-party relationships, including relationships with vendors, FinTech companies, affiliates, and the banking organizations’ holding companies (discussed in an earlier Consumer Finance & FinTech Blog post here). The July guidance incorporates the OCC’s 2020 FAQs (released in March 2020), which apply to all banking organizations and provide more specific guidance on third-party relationships with FinTechs.