Community banks may benefit from cutting-edge technology if and when they partner with fintechs. The downside of working with a fintech: it may be an early-stage start-up or in the midst of an impactful change. How can a community bank best protect the institution and its membership, yet still gain the advantages of using cutting-edge technology?
Link to full document – Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks | OCC
| | Question/Concern | Possible Answer | Follow-Up Steps |
|---|---|---|---|
| Business Strategy & Plans | Is this relationship a good fit? | Both organizations agree to any & all accommodations. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
| Financial Condition | How best to monitor the financial condition of a start-up or privately held fintech? | Identify and monitor: funding sources, net cash flow, expected growth, projected borrowing capacity. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
| Legal & Regulatory Compliance | Fintech has limited experience in your regulatory environment. | Monitor the fintech’s compliance via agreed-upon terms, i.e. review of customer complaints, compliance with consumer protection laws, etc. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
| Risk Management & Controls | Depending on fintech maturity, audit, risk and compliance may not be on par with the levels you are required to meet. | Request and review policies, procedures and self-assessments; include right-to-audit provisions. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
| Info Security | Depending on fintech maturity, their InfoSec may not align with your institutional demands/requirements. | Request and monitor how the fintech restricts access to networks and customer data; review the fintech’s policy and procedure docs. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
| Operational Resilience | Will the fintech be able to recover and resume/continue operations during or after an event? | Review BCP and DR plans, test results, cybersecurity reports, audits, and insurance docs. | Put it in the contract; monitor appropriately (daily/weekly/monthly/quarterly); obtain risk acceptance from Board or Risk program |
Always – DOCUMENT-DOCUMENT-DOCUMENT!
If it’s not written down and retrievable, it doesn’t count!