Compliance coverage by Paul Davis, Director of Market Intelligence at Strategic Resource Management (SRM)
We're seeing increasing regulatory scrutiny of third-party fintech relationships in areas such as Banking-as-a-Service (BaaS), digital assets, and Buy Now, Pay Later (BNPL).
In recent weeks, the Federal Deposit Insurance Corp. has urged banks it supervises to police misleading claims by their crypto partners, while the Consumer Financial Protection Bureau has been looking closely at lending relationships between banks and non-banks.

Legislators are constantly discussing ways to create safer relationships between banks, credit unions, and non-banks as part of a broader goal of protecting consumers. And you can suffer substantial reputational harm if your members are negatively impacted by a miscue on the part of a fintech partner.
What should credit unions do to mitigate these potential risks? For now, I encourage financial institutions to follow the 'six pillars' guidance provided by regulators. While these topics are not included in examinations, I can assure you they would come up if your fintech relationship went sideways.
Although this guidance came from federal bank regulators (the FDIC, the Federal Reserve and the Office of the Comptroller of the Currency), I assert that it offers a logical roadmap that all credit unions can follow.
The guidance encourages financial institutions to assess a fintech's:
Business experience and qualifications: How long has the fintech been in business? Do you know anyone who has worked with the company? Any negative press?
Financial condition: Who are the fintech's investors? How much capital has it raised? Are financial statements (income statement, balance sheet, cash flows) available?
Compliance with laws and regulations: Any existing or pending enforcement orders? Any known investigations? Vet their messaging on their website and in other communications to end users.
Risk management and controls processes: How does the fintech vet customers? What is its plan for identifying and addressing compliance issues? How does it communicate lapses to other partners?
Information security: What policies does the fintech have to monitor hacks and cybersecurity breaches? How do they protect customer information? How would they notify you of an incursion?
Operational resilience: Does the potential partner have a plan to conserve capital if financial conditions worsen? Is there a resolution plan in place should the fintech have to shut down? What contingency plans exist?
With these questions in mind, how should you go about vetting these qualifications? I strongly recommend conversing with your regulators, state and federal associations, and fellow credit union executives. Their knowledge and experiences can help you assess the viability of a potential fintech partnership.
It is also essential to take your time (and consider hiring an outside consultant experienced in looking into third-party contracts). If the fintech is bringing you borrowers, ensure that their underwriting standards align with yours.
Document everything you have been doing to adhere to the six pillars. I mean everything. While it may not avert a hiccup, it will show your regulators that you are trying to do all the right things if something goes awry.