“The core of the problem is that the bank ultimately needs to have a strong monitoring and management system.”
By John Hintze
Banks’ measured and controlled approach to adopting new products and services is being tested now as they aggressively pursue partnerships with non-bank fintech companies – all as regulators increase scrutiny.
Nearly two-thirds of banks and credit unions had entered into at least one fintech partnership in the previous three years and 35 percent invested in a fintech firm, reports a 2021 survey from Cornerstone Advisors. And of those who had not yet partnered or invested, 37 percent and 18 percent respectively planned to do so in 2022.
The Consumer Financial Protection Bureau has taken notice. In April, it invoked authority under the Dodd-Frank Act to investigate non-bank companies that pose risks to consumers, including fintech firms, and it issued a procedural rule to make its process for determining an entity’s risk more transparent. In December, it requested information from large buy-now-pay-later, or BNPL, firms, an early step in proposing regulations.
In short, the CFPB has stepped up its oversight of fintech firms, and so must the banks that oversee those relationships, noted participants in a session on building a compliance risk management framework for fintech partnerships at the ABA’s recent Regulatory Compliance Conference.
This oversight starts with fintech onboarding, which requires advance due diligence, in the same way as onboarding any high-risk provider, and the implementation of an ongoing monitoring process. Consumer financial service providers need to be especially vigilant, the panelists said, regarding the UDAAP and fair lending regulations. And banks must ensure that fintech partners understand and observe them.
Some pre-testing – before entering into a partnership – may be necessary, says Chris Lucas, chief compliance officer at MVB Bank, who points to customer complaints as particularly relevant. Given that fintech firms are not vetted and are often startups, bankers need to be sure that these companies, which directly contact customers, have the ability to capture complaints, and that the bank and fintech “stack their hands” on how complaints are defined and the risks they pose.
“And you want a good flow of those complaints, on at least a monthly basis, for the bank’s own analysis,” says Lucas.
Juan Azel, chief compliance officer and deputy general counsel at Cross River Bank, which serves many fintech firms as a bank-as-a-service provider, adds that banks need to view fintech providers as a delivery channel and ultimately take responsibility for the product.
“Whether it’s BNPL, crypto or any product, ultimately it’s the bank’s,” says Azel. And it is important to convey this message not only to the bank’s management and board, but also to regulators. “The core of the problem is that the bank ultimately needs to have a strong monitoring and management system.”
When considering a new relationship with fintech firms, banks should also consider reputational risk, particularly if the fintech firm has faced penalties before, and whether the fintech has a compliance management system in place. An early-stage fintech company’s CMS may be lacking, requiring the bank to establish a baseline of what is required and even help the fintech establish key components, such as a compliance staff, training and risk assessment.
“Once they’ve established that baseline, the bank can come back and do a phase two due diligence,” says Lucas.
Banks are implementing compliance management systems focused on their traditional banking businesses, including branches, commercial real estate and small business lending, and they must determine whether a separate CMS is appropriate for fintech partnerships and the accompanying rules and guidance from banking regulators to manage third-party risk. To make that decision, Azel says, a bank can look at its current products and services and prepare a feasibility study and perhaps a liability register to find out what laws and regulations apply to it as a bank, as well as when it delivers products and services through a fintech firm.
“Are you going to have individuals monitor and test only the bank-side products and others who monitor third-party partners and those products and services?” Azel asks. “You can double your [compliance department] size pretty quickly.”
Both MVB and Cross River decided to merge their functions into one group. Azel said Cross River created a team of analysts called CMS Support that reviews complaints received by the bank and the fintech firms and works with the compliance experts at each site to identify trends, solutions or what’s needed.
MVB’s CMS sits over and oversees its traditional and fintech partnerships, viewing the latter as “essentially another line of business,” says Lucas.
He adds that his compliance team has subject matter experts dedicated to the fintech activities, as well as a dedicated “risk onboarding team,” which he described as a “jack of all trades in terms of risk disciplines,” covering compliance, operations, anti-money laundering, fraud and other risks.
“A CMS works much more seamlessly from a governance and reporting perspective,” he says, noting the importance of giving senior management and the bank’s board as well as regulators “the full risk spectrum.”
Fintech firms’ innovative and ever-changing ideas can rub against the grain of how some banks are used to working. For example, a fintech company’s product may change shortly after the bank comes on board. That requires the bank to have a change management process, notes Azel, and perhaps also a formal change request process similar to Cross River’s, which defines significant changes and establishes a review process. In some cases, he says, the liability register can make it clear that the bank simply cannot offer the new product today.
“It triggers a readiness or feasibility gap analysis of what the bank needs in terms of resources, policies and procedures and controls to be able to offer that product through that specific platform,” he said.
Lucas points out that the key to balancing fintech’s speed and the banks’ more methodical approach is to wrap governance around the change management processes. MVB, for example, has a committee that oversees the bank’s new products and services, and any fintech company that requests product changes or launches a new product goes through this committee.
“We work with fintech to make sure they understand what they need to do,” Lucas said. “Then we track the build-up on the bank and fintech side and report through the appropriate reporting channel.”
Governance smooths the change management process, and hiring dedicated staff is another lubricant. Lucas also points to “playbooks” that the bank builds out with fintech early in the relationship to detail the steps in the process. “So we’re operating quickly, but we’re not abandoning our existing compliance and control infrastructure,” he says.
Azel agreed that a playbook helps in dealing with UDAAP concerns because BNPL fintechs, for example, not only market on their own websites but enter into agreements with multiple merchants, and they may be unfamiliar with UDAAP or the Truth in Lending Act’s Reg Z requirements. A playbook can set out how they can advertise their products and what types of terms to use or not.
Monitoring playbook compliance can be difficult, Azel acknowledges, but it’s important to emphasize that if the fintech wants to go outside the playbook, “we have to review and consent to the marketing sheet before it can do that.”
John Hintze is a frequent contributor to ABA Risk and Compliance.