Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.
The financial services sector is continually implementing new and innovative technologies to improve products, update the way it delivers services, and meet changing customer expectations.
However, community banks simply don't have the same level of resources or funds that larger national banks have. That can make it difficult for them to keep up with new technological innovations used throughout the federal banking system. As a result, banks of all sizes are turning to third-party companies such as FinTechs to attain these services.
FinTechs that provide financial technology may assist banks in offering new or enhanced products and services, establishing new delivery channels, improving bank processes, and remaining competitive in the industry. These relationships are particularly attractive to community banks that may not have the resources to develop or engage in these activities in-house.
Employing third-party companies helps community banks remain competitive, achieve strategic goals and objectives, and satisfy consumers' demands.
However, before entering into any partnerships, community banks must perform due diligence to protect the viability of the bank and ensure the safety of its customers.
Community banks must perform due diligence on third-party FinTech companies to determine if they can implement their services safely. They also must determine whether the partnership will fit with the bank’s risk appetite while meeting legal and regulatory requirements.
This can often be quite difficult for community banks.
FinTech companies come in all forms and levels of experience. They often will not need to meet the same regulatory requirements as community banks. They also may not be familiar with or be able to provide the type of information banks generally need to perform adequate due diligence.
The federal agencies that govern the federal banking system understand that this creates difficulties for community banks. These agencies include the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation.
To help ease the situation, the agencies collaborated on guidance to help community banks perform adequate due diligence regardless of a FinTech's size or state.
This new guidance was recently published as:
Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.
This guidance shows banks that they may not have to disqualify a FinTech company as a prospective third party due to lack of specific data. It shows community banks how they can use alternative approaches to prudently assess and manage risks if certain information is missing.
*This guide is exactly that - guidance. It is meant as a resource to help banks evaluate FinTech companies and tailor their due diligence processes accordingly. It is voluntary and should not be considered all-inclusive, as evidenced in the following full disclosure:
“This guide serves as a resource for bank management, apart from the OCC's supervisory guidance on third-party risk management. The guide does not anticipate all types of third-party relationships or risks and should not be viewed as all-inclusive. Use of the guide is voluntary, and the relevance of specific information within the guide depends on the nature and extent of a community bank's third-party relationships and related activities. There may be other topics, considerations, and sources of information that a community bank should consider, depending on the prospective relationship.”
Due Diligence Guidance: A high-level summary
To make it easier to understand, the guidance focuses on six common due diligence topics that community banks already follow in current guidance.
- Business Experience and Qualifications
- Financial Condition
- Legal and Regulatory Compliance
- Risk Management Controls
- Information Security
- Operational Resilience
Within each of these topics, the agencies have included specific considerations that may be relevant to the particular area of due diligence, as well as potential resources for the information. They've also included an illustrative example of what the scenario may look like.
Below, we will summarize the main highlights included in the agencies' new guidelines.
*Banks and FinTechs can obtain a copy of the full guidance document here.
Business Experience and Qualifications
When evaluating a business’s experience, it is common to consider the operational history of the company. This will allow banks to determine if the company has the ability to provide the services requested and meet the bank's needs.
But it's also important to turn to outside sources to help determine the company's true capabilities. Client references and complaints, as well as legal or regulatory actions, can provide insight into a company's track record in providing services and resolving issues.
Potential Resources: Public records, regulatory agencies, and media outlets.
Once you’ve considered where a company currently is and has been, it is a good idea to evaluate where they are going. Do they have any strategic plans, such as acquisitions or joint ventures? Community banks will want to consider how these future plans could affect the bank's operations or the FinTech’s ability to provide compliant services.
Potential Resources: Overview of strategic plans, patents, development roadmaps, and licenses.
Financial Condition
Evaluating a FinTech's current financial condition and funding sources helps the bank determine the likelihood the company can remain in business and fulfill its obligations.
It's important to understand whether they can operate through profitability or if they rely on sources such as loans or venture capital. But it's also relevant to consider a FinTech company’s market information, including competitor environment and client base.
Do they have a broad client base or rely on a few significant clients? Could loss of a single client negatively affect its revenue and ability to fulfill obligations?
Potential Resources: Financial statements, U.S. Securities filings, list of funding sources.
Legal and Regulatory Compliance
Community banks must assess the depth of knowledge a FinTech company has surrounding its legal and regulatory compliance requirements. They also need to find out how much experience the company has working within the confines of these frameworks. Banks will need to know where the FinTech company is able to operate and what types of activities are permissible under the laws.
In addition, review the FinTech company’s current risk and compliance processes. This will help banks understand if the company's current processes will support the bank’s efforts to meet regulations. Requirements to consider include things like fair lending, consumer protections, and anti-money laundering laws.
Potential Resources: Charters, articles of incorporation, patents, policies and procedures, lawsuits, enforcement actions, settlements.
Risk Management Controls
Evaluate the company’s policies and procedures to gain insight into how the company outlines “risk management responsibilities and reporting processes.” This will also reveal how its employees are responsible for complying with those policies and procedures. Evaluating these will help a community bank assess the quality of the company’s risk management and control practices. It will also help the bank assess whether these are aligned with its own policies, procedures, and risk appetite.
Control reviews can reveal how effective a company’s risk management and control processes are. Reviewing the company's reporting provides insight into how it monitors its performance and risk indicators. It also provides a means to assess the overall adequacy of the FinTech company’s risk and control processes for the proposed activity.
Potential Resources: Internal control environment policies and procedures, schedule of planned control reviews and audits, training materials and training schedules.
Information Security
Take a deep dive into a potential FinTech’s information security measures to evaluate its processes for handling, storing, and protecting sensitive information.
As the guidance emphasizes, “It is important to understand any security framework that a FinTech company employs to manage cybersecurity risk.”
A community bank can assess how the FinTech identifies, mitigates, and corrects vulnerabilities through its information security control assessments. These assessments can show the FinTech’s ability to perform the activities and services as well as whether its employees and subcontractors are well trained and tested.
A community bank will also need to understand the FinTech’s procedures for deploying new software and hardware. What are their policies for using and/or patching unsupported or end-of-life software or hardware?
Potential Resources: Information security policies, security controls assessments, incident reports, management, and response policies.
Operational Resilience
Every company will endure a disruption at some point. It's the company's ability to continue operations during and recover after a disruptive event that matters.
A FinTech’s business continuity plan, incident response plan, and disaster recovery plan can give valuable insight into their resilience. Incident response plans provide insight into the company’s recovery objectives and reveal tolerances for downtime and data loss.
It's also important to understand where the company’s data center resides (domestic or international) and what laws govern the data that may affect the bank.
Ensure the company carries adequate hazard and cyber insurance so it has the financial ability, in the event of a loss, to make the bank whole.
Potential Resources: Business continuity, incident response, and disaster recovery plans; system backup processes; cybersecurity reports and audits; insurance documents.