Survey: How Financial Institutions Navigate Risk and Compliance Challenges
By Roy Urrico
Credit unions and banks are investing in governance, risk, and compliance (GRC), but not every financial institution takes the same approach, and those approaches are not equal.
That is one of the findings in The State of GRC: How Financial Institutions Are Navigating Today’s Risk and Compliance Challenge, a survey from Ncontracts, the Brentwood, Tenn.-based provider of integrated compliance and the CBANC banking network. The report surveyed 147 credit union and bank professionals to understand the prevalent strategies, practices, and trends within the GRC space, particularly risk and compliance.
The survey revealed that 72% of credit unions and banks are prioritizing compliance when evaluating fintechs, citing it as their top criterion in the due diligence process. The survey also revealed that, as credit unions and banks evaluate fintech partnerships, cybersecurity (62%) is a critical factor as well, followed by return on investment (46.3%) and reputation (44.4%).
Michael Berman, CEO of Ncontracts, said, “Financial institutions are looking more closely at risk when evaluating fintech partners – and for good reason. Their exposure to risk is greater, not only opening them up to regulatory scrutiny, but also risking their reputation. Fintechs must prioritize risk and compliance if they expect to remain relevant and in business, and they must do so now. Over half of the banks and credit unions we surveyed plan to evaluate fintech partnerships in the next one to two years; therefore, this should be a top priority.”
Third-party data breaches in particular, and cybersecurity overall, continue to be concerns, and financial institutions are taking notice. The report also emphasized that this is especially critical as financial institutions begin to evaluate their technology budgets for 2024.
Third-party Compliance and Risk Management
According to the survey, more than 80% of financial institutions report that the fintechs they have evaluated have a solid understanding of regulatory requirements, third-party vendor management, cybersecurity, and other key factors.
The report also found it vital that fintechs maintain a security component, given the concerns about cloud security raised by an increase in cyberattacks within the existing cloud fintech environment.
Federal agencies are also increasingly emphasizing the importance of third-party risk management. In June 2023, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released the Interagency Guidance on Third-Party Relationships: Risk Management. The guidance promotes standardization for assessing third-party risk and describes sound risk management principles.
“You can’t underestimate the importance of a fintech partner’s compliance posture,” said Rafael DeLeon, Ncontracts’ senior vice president of industry engagement and a former bank examiner with the OCC. “If a fintech can’t demonstrate a strong compliance management program, no bank or credit union should want to touch it. The risk is too high for potential consumer harm, and operational issues could lead to even more compliance costs and regulatory trouble. Who needs it?”
For fintechs, a strong compliance management program is key to securing partnerships with banks and credit unions. “While this may look like good news for fintechs looking to work with banks and credit unions, there is a big catch. This does not necessarily mean that most fintechs have demonstrated a sound understanding, but that financial institutions are only considering fintechs that have mastered their own compliance and risk processes. This poses a challenge for fintechs perceived as lacking in this area,” revealed the report.
Gaining a Competitive Advantage
The survey suggested financial institutions relying on manual processes for GRC management are disadvantaged when it comes to satisfaction, efficiency, and examiner scrutiny. “Manual processes not only result in gaps in data, systems, and tools, but they also contribute to a lack of comprehensive understanding of risk and compliance stature, ultimately affecting strategic decision-making.”
In an era where risk and compliance are becoming increasingly complex, and where the growth and reputation of financial institutions are at stake, relying on manual GRC processes is no longer a sustainable approach. The survey highlighted the benefits of adopting more sophisticated, integrated solutions for GRC, which it says can not only streamline operations, but also improve satisfaction levels and ensure a robust understanding of the institution’s risk and compliance position.
“As the regulatory environment becomes more complex, vendor management requirements expand, and the competitive landscape shifts, banks and credit unions that embrace a proactive approach to GRC will have the most valuable data and business insights and the strongest compliance positions – creating the opportunity to gain a competitive advantage,” the report concluded.
• Most financial institutions (FIs) utilize vendors for GRC efforts. Almost half (49.6%) use a variety of solutions from different vendors, 16.3% use a suite of solutions from a single vendor, and 23.6% rely on manual processes.
• FIs that rely on a single vendor suite for GRC reported the highest satisfaction levels. Nearly a third (30%) claimed to have a full understanding of their risk and compliance stature.
• More than a quarter of FIs plan to add compliance staff (27.6%) and risk management staff (13.1%). No FI reported plans to reduce headcount in these areas.
• In the last 18 months, examiners have shown significant interest and raised concerns about compliance management, risk management, audit and findings, IT/data security/cybersecurity, and third-party vendor management.
• FIs with a manual approach to GRC were 16.8% more likely to experience examiner questions and concerns about compliance management.
• Over half of banks and credit unions (52.9%) plan to evaluate fintech partnerships in the next one to two years.
• Compliance management (72.2%), cybersecurity (62%), return on investment (46.3%), and reputation (44.4%) are critical factors when banks and credit unions evaluate fintech partnerships.
• More than half of banks and credit unions (54.7%) use their vendor management program to evaluate fintech partners, while 28.4% of financial institutions have no documented process for evaluating fintechs.
• Over 80% of FIs report that the fintechs they have evaluated have a solid understanding of regulatory requirements, third-party vendor management, cybersecurity, and other key factors.