Regulators lay out fintech partnership guidance

Federal regulators late last week issued guidance for community banks to consider when they seek to partner with fintechs. 

The guide, issued by the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency, is considered voluntary and intended as a resource for community banks when researching prospective relationships with fintechs.

The guide includes the six pillars federal regulators say community banks must use when considering whether to partner with fintechs: business experience and qualifications; financial condition; compliance with laws and regulations; risk management and control processes; operational resilience; and information security.

Evaluating a fintech’s strategic goals, business experience and overall qualifications allows community banks to consider whether the fintech could meet their needs. The report suggests community banks view fintech company overviews, organizational charts, client reference lists, public records, media reports and other information to gain a better understanding. 

Discussing a fintech’s strategic plans can inform community banks on whether their potential collaborators are a good cultural fit. Banks should be aware of new products or potential acquisitions, and joint ventures or marketing initiatives. They should examine the fintech’s mission statement, service philosophy and quality initiatives, as well as geographic footprint information and an overview of strategic plans and/or expansion strategies.

According to the report, understanding the background and expertise of a fintech’s directors and executive leadership can tell the community bank whether the fintech will be a good fit for their project. 

The report states that reviewing policies and procedures governing applicable activities offers community banks insight into how the fintech outlines risk management responsibilities and reporting processes, and how the fintech’s employees are tasked with complying with policies and procedures. Such information can be gleaned by reviewing policies, procedures and other related documentation; information on risk and compliance staffing, issue management policies, procedures and reports; and self-assessments. 

The report also suggested:

  • Community banks should evaluate information security measures to assess the fintech’s integrity and adequacy in handling and protecting sensitive information, including community bank customer information. Potential sources of information include completed information security controls assessments, incident management and response policies and incident reports with associated post-mortem and remediation activities. 
  • Community banks should assess the fintech’s operations infrastructure and security measures for managing operational risk. Potential sources include IT policies on data protection, including data classification, retention and disposal; an overview of the fintech’s technology and processes supporting the prospective activity; and completed controls or standards assessments.
  • Community banks should evaluate a fintech’s ability to continue operations through a disruption. Depending on the activity, community banks can look to the fintech’s processes to respond to, identify and protect itself from threats and potential failures as well as recover and learn from disruptive events. Banks should evaluate the fintech’s plans for business continuity, disaster recovery and incident response. Third-party resilience and continuity planning should correspond with the nature and importance of activities performed for the bank.