Financial institutions are zeroing in on compliance when evaluating fintech partners. Nearly three-quarters (72%) of banks and credit unions cite compliance as their top criteria in the due diligence process, according to a recent survey conducted by Ncontracts. And that was before a rash of enforcement actions led some banks to reduce their exposure to fintechs.
Federal agencies are increasingly emphasizing the importance of third-party risk management. In June, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released the Interagency Guidance on Third-Party Relationships: Risk Management, promoting standardization for assessing third-party risk and providing risk management principles when developing and implementing third-party risk management practices.
What does all this mean? It means that compliance isn’t just for banks and credit unions. If a fintech or other banking-as-a-service partner (BaaS) wants to enjoy the benefits of partnering with a chartered financial institution, it needs to know to play by the rules – or prepare to not get picked for the team.
Fintechs Must Prioritize Strong Compliance Management
According to the Ncontracts survey, more than 80 percent of financial institutions report that the fintechs they have evaluated possess a solid understanding of regulatory requirements, third-party vendor management, cybersecurity, and other key factors.
The data looks like good news for fintechs, but it doesn’t necessarily mean that most fintechs have demonstrated a sound understanding of compliance. What it does mean is that financial institutions are only considering fintechs that have mastered their own compliance and risk processes. If a fintech is perceived as lacking in this area, it doesn’t stand a chance of partnering with a financial institution.
Fintechs must prioritize risk and compliance if they expect to remain relevant and in business – and there is no time to wait. More than half of the banks and credit unions surveyed plan to evaluate fintech partnerships in the next one to two years. That makes compliance a top priority.
Compliance Red Flags Fintechs Must Avoid
To enhance their chances of partnering with financial institutions, there are seven areas they should avoid that signal elevated compliance risk:
Non-Compliance with Laws and Regulations
In the realm of compliance, no rule is too insignificant to be ignored. Financial institutions insist on strict adherence to every compliance rule and policy. Any hint that a fintech is not in full compliance raises a red flag that may signal a broader problem.
Unfair, Deceptive, or Abusive Practices
Compliance violations in the form of unfair, deceptive, or abusive acts or practices (UDAAP) are among the most common and costly sources of enforcement actions. Regulatory agencies and financial institutions are on high alert for these violations. Fintechs must be equally vigilant in avoiding them.
BSA and OFAC Non-Compliance
Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations are another common source of enforcement actions. Any indication that a fintech may not be following BSA/AML rules to the letter raises compliance risks. Robust monitoring of transactions for compliance risk is essential.
Inadequate Vendor Compliance Oversight
Ignorance is far from bliss when it comes to vendor compliance. Financial institutions hold fintech partners accountable not only for their own actions but also for those of their subcontractors. The risk associated with fourth-party vendors is a real concern, and a fintech’s ability to manage and monitor these vendors can be a make-or-break factor in compliance risk assessment.
Foreign Business Operations
Conducting business in foreign countries elevates compliance risk. Different economic, social and political conditions in foreign locations can result in non-performance or data loss, increasing country risk. To mitigate this risk, fintechs should demonstrate substantial due diligence, including monitoring government policies and conditions in foreign locations.
Unmanaged Conflicts of Interest
Financial institutions expect fintech partners to provide objective advice and perform to the best of their abilities without compromising the institutions’ interests. Signs that a fintech prioritizes its own interests or has conflicts of interest can raise compliance concerns. Financial institutions scrutinize contracts, proprietary information confidentiality, relationships with competitors and ethical programs.
Inadequate Data Security Controls
Fintech partners with weak data security controls are not desirable to financial institutions. A fintech should be able to demonstrate that its IT security controls are effective, routinely monitored and updated. Protecting sensitive data is a non-negotiable aspect of compliance.
Compliance risk is an ongoing challenge that demands careful navigation. By steering clear of these seven red flags and ensuring robust compliance measures, fintechs can enhance their appeal to financial institutions, paving the way for successful collaborations in an ever-evolving landscape of regulations and risks.
The responsibility for managing compliance is increasingly falling on fintechs. Here are seven areas where fintechs need to focus.