As bankers continue to rely on technology to enhance their operations and keep their banks competitive, partnerships with third-party fintech vendors are becoming increasingly important.
While technological advances help improve compliance, products and services, due diligence, underwriting and monitoring cash transactions, they also carry significant increased risk when paired with such third-party arrangements. With the risks of data breach, cyber threats and denial-of-service attacks continuing to grow, banks need to be even more vigilant in evaluating, documenting, and monitoring their relationship with fintech vendors.
These risks are of great concern to bank regulators, as evidenced by the April 2019 Financial Institution Letter from the FDIC which described how many banks have failed to meet regulatory expectations in properly monitoring the risk of their fintech vendor relationships. The OCC has also recently expressed concerns about third-party relationships in two different bulletins.
One of the main concerns with outside vendors comes from the integration of a bank’s systems and processes with those of the third-party vendor. This integration can make a big difference when it comes to how a bank manages its internal processes, such as business continuity and incident response.
One of the most overlooked areas of concern is how the bank will handle situations when one of the systems being supported by the third-party vendor fails. When the systems are in-house, the breakdown can be more easily and quickly addressed. This is not the situation when the problem resides with the systems of a remote third-party technology service company.
Any downtime will put the customers’ banking needs at risk, and it could negatively affect their businesses, expose the bank to liability and jeopardize the bank’s reputation. Banks need to fully plan for these situations, in advance, and have suitable contingency plans in place, ready to provide back-up and address the need immediately.
The contract with the third-party service provider should address what level of response will be expected and how fast, establishing service level requirements. For the more critical functions, the contract should require that the third-party service provider resolve the problem quickly, usually within a few hours.
While banks are required to maintain adequate internal protections for customer data, when the data is maintained by, or accessible to, third-party vendors, the risks of data breach become even greater. The bank needs to audit the vendor’s system of internal controls or have access to regular reports from the vendor’s auditors or independent reviewers that confirm the vendor’s systems are adequate.
The contracts should require the third party to notify the bank of a breach as soon as it is identified and specify what the third-party vendor will do in response to the problem, such as notifying appropriate regulatory authorities and customers.
An appropriate business continuity plan in connection with outsourced technology functions should also be in place. If a third-party service provider closes due to financial or other issues, such as public health issues, the bank needs to have a continuity plan that will become immediately operational. The bank must have access to the data on the third-party vendor’s systems.
The contract should provide for frequent and regular backups of all data, housed in an off-site facility that the bank can access if the third-party service provider is unable to meet its obligations. The bank will need to have a plan for how those functions will be accomplished. Banks need to keep in mind the things that can go wrong and address them in their third-party service contracts.
Banks need to do proper vetting and due diligence before entering into a relationship with an outside service provider. Ask for and contact all references to confirm the provider’s “real life” experience and level of service. This is especially true where the services to be provided are critical banking functions, and even more so where the contract term is of significant duration and/or provides for automatic renewals. The bank needs to confirm the vendor’s good standing, creditworthiness, and financial resources. You should check for lawsuits and confirm the vendor’s reputation with your regulators.
Contracts should also contain early termination provisions allowing the bank to terminate by paying a reasonable termination fee. This protects the bank by permitting it to exit an arrangement where there has not been a breach, but the bank determines that it has become uncomfortable with the vendor.
Banks should also consider requiring third-party service contracts to include an appropriate indemnification provision, requiring the third party to hold the bank harmless in case the third-party vendor’s actions or omissions result in potential liability to the bank. Banks should review all relevant insurance policies of existing or potential fintech partners to confirm that they have adequate coverage. If the bank is able, it should be made an additional loss payee on the vendor’s relevant policies.
Developing business relationships with third-party vendors to assist in providing financial technology functions can provide the bank customers with state of the art services at a reasonable cost to the bank and keep the bank competitive. However, bankers know all too well that problems can arise at any time and that the bank and its management will be held responsible for those problems in the public’s eye — not the service provider.
Bankers need to do due diligence before outsourcing products and services to third parties and be very careful before entering into partnerships with fintechs. When considering such an arrangement, banks must thoroughly anticipate and prepare for all of the potential risks, develop back-up and redundant processes, properly document the respective duties and responsibilities, and regularly monitor and verify the implementation of the systems and procedures identified.
This is all vitally necessary because bankers also know too well that while they can outsource the service to be provided, they cannot outsource the responsibility for what happens when that service goes wrong.
Arthur A. Coren and S. Alan Rosen are partners and Steven J. Sweeney is an associate at Duane Morris LLP, an international law firm with 800 lawyers and 29 offices, including five offices in California. Based in the firm’s Los Angeles office, they represent community banks and their holding companies, as well as large banking institutions, in regulatory matters, corporate governance, M&A and capital raising.