
Six Key Areas to Consider for Fintech Due Diligence in Banking

Sep 21, 2024 By Aldrich Acheson

The Federal Reserve, FDIC, and OCC published Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks. The Guide is aimed at community banks, but fintechs can also learn from it. In addition to helping banks, the Guide helps fintechs understand what information and documentation they need and how to contact banks.

Fintech companies develop strategic plans focused on third-party relationships with banks, highlighting their staff's experience and qualifications. They are prepared to demonstrate long-term financial stability and develop comprehensive internal controls. This article discusses six key areas for fintech due diligence in banking.

Third-party Risk Management

The Guide, like the Proposed Guidance and other Agencies' guidance, emphasizes due diligence as an important component of an effective third-party risk management process. When a community bank (or other banking institution) conducts due diligence, it collects and evaluates information to determine whether a relationship with a third party could help it achieve its financial and strategic objectives and, if so, how to carry out the partnership safely and soundly while following all the rules and regulations.

The bank's risk and the relationship's importance should determine the diligence process's extent and depth. Fintech companies wishing to build and maintain healthy business relationships with banks should structure their presentation to and documentation for banks in a manner informed by the Guide to increase their chances of success.

Business Expertise

A fintech's expertise in delivering similar services or products can indicate its potential to support a bank in a way that meets regulatory standards and satisfies clients. Banks should analyze client references and complaints, which show a fintech's capacity to satisfy clients and handle concerns, as well as any legal or regulatory measures against it. Fintechs should explore how to demonstrate client satisfaction and regulatory compliance.

Director and Firm Principal Credentials

A bank can determine if a fintech's senior management has the knowledge and experience needed for the relationship by reviewing their background and competence. Thus, fintech companies will seek to highlight their management and staff experience and establish strategies to demonstrate their resources to serve the bank.

Money Analysis and Funding

Financial reporting and financing sources affect a fintech's viability and duties. Depending on its stage of development and business model, a fintech can fund operations and growth using cash flow or outside capital. Fintechs should clarify how they will be supported throughout the partnership, regardless of funding source.

Legal and Regulatory Compliance

A fintech's legal standing, track record of compliance with regulations and cooperation with regulators, and knowledge of the legal and regulatory landscape applicable to the contemplated activity help a bank determine if the fintech can serve the bank in accordance with all relevant laws and regulations.

Fintechs may be unfamiliar with bank legal and regulatory environments. In such cases, a bank may use adapted contract terms, supervisory checks and audits, processes requiring bank approval for certain changes, and frequent analysis of fintech companies' client comments and complaints to ensure compliance.

Risk and Controls

Financial institutions should comprehend a fintech's internal risk management structure to determine if it can undertake the proposed activity within the bank's risk appetite. This framework's maturity and a fintech's capacity to supply related documentation may depend on its development stage. In addition, a fintech may not share trade secrets or confidential information.

In such cases, the bank and fintech may benefit from on-site visits to evaluate the fintech's operations and controls, use of an independent party or the bank's auditors to assess the same, contract provisions that allow on-site visits, audits, and other performance monitoring and require remediation of identified issues, and contract provisions that outline risk and performance. Whatever its strategy, a fintech should show that its risk management framework, control environment, and risk appetite match the bank's.

Internal Reporting

Understanding the fintech's internal procedures, rules, management duties, and reporting processes benefits banks. In relation to the projected activity, banks should evaluate the type, scope, frequency, quality, and findings of a fintech's control reviews and its internal or outsourced audit function. In addition, a fintech's internal reporting shows how it monitors important risks, performance, and control indicators, as well as staffing expertise and training programs. Fintech companies should offer detailed information about their internal review procedures, risk management framework, current internal and external review, audit reports, and control plans.

Security of Information

Protecting a bank's and its clients' sensitive data is crucial. Thus, banks must evaluate a fintech's data management and security policies in light of the connection and activity. Banks should know whether and how the fintech trains and tests employees and subcontractors, how it restricts access to systems and customer data, how it finds and fixes vulnerabilities, and how it updates and replaces hardware and software.

IT Security Program

Banks should evaluate a fintech's information security strategies by reviewing internal control assessments and testing, training programs, privacy rules, and incident response and notification procedures. Fintechs should disclose their information security, incident management, and security controls assessments and their comprehensiveness and efficacy.

Information systems

Bank diligence on a fintech also considers the fintech's information systems infrastructure. Banks should examine whether the fintech's present and projected systems can handle the connection and activity or whether additional investment is needed. The fintech's patching and end-of-life hardware and software policies will also be important.

Operations Resilience

Banks should assess a fintech's resilience to technology failures, human error, cyberattacks, pandemics, and natural calamities. This audit considers the fintech's processes for identifying, managing, mitigating, and recovering from threats and failures to itself and its clients. The relationship and activity's nature and criticality should inform resilience planning and capabilities. Banks may assess the fintech's capacity to satisfy recovery expectations after a disruption and seek contract parameters that reflect their recovery timetables and goals.

Subcontractor Dependence

The number and type of subcontractors a fintech company uses are crucial to evaluating its resilience and recovery capabilities. Fintechs should discuss and explain their subcontractor vetting and engagement processes, especially if subcontractors have access to fintech systems that are crucial to the relationship and activity.
