
As banks increasingly collaborate with FinTechs and explore new FinTech partnerships, it’s a savvy move to pursue conversations with your FinTech’s management team. Yes, the CEO and the customer success lead are important, but too often banks leave out some of the most essential conversations that can determine whether a FinTech is ready to support you in a long-term relationship.

Potentially overlooked conversations are with the Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Chief Technology Officer (CTO). Discussion with these experts (which each FinTech should have on staff) before going into business with them helps reveal insights about the firm’s operating model, governance, and risk management practices beyond the messaging in marketing collateral. Looking for the good “Green Flags” in a FinTech management team can lead to a long and successful relationship that eases worry about risk and compliance. Look for these very positive Green Flags:

1. They are transparent about how they identify, manage, and mitigate risk.

By implementing strong risk management and compliance processes and effectively communicating with the bank, FinTechs can set banks up for enhanced success without exposing them to concerning levels of unmitigated risk. Establishing a relationship that includes regular updates and reporting on the FinTech's risk management and compliance activities is an important step to integrate the FinTech into your aggregate risk view of third-party exposure and overall risk profile, and to affirm that internal control systems and processes remain healthy and effective. Banks should conduct regular reviews of the FinTech's operations and discuss any identified concerns.

Executing appropriate risk practices is only part of the picture; they also need to be able to communicate about them clearly. You should feel that they are prepared to talk to regulatory bodies about their risk management abilities, since you can anticipate being asked about their policies during targeted supervisory activities.

2. They understand your goals and love to share expertise and wisdom.

Achieving a meaningful partnership with a FinTech team that understands your aims and strategies and has already thought about the issues you may face, the constraints you operate within, and how to solve them can accelerate positive outcomes.  

The FinTech management team should remain focused on risk and compliance while understanding that banks are businesses and face increasing regulatory scrutiny on FinTech partnerships. They know that you need to digitize and get to market quickly and should be prepared to offer a well-considered plan to collaborate efficiently and effectively towards your goals. Small banks often operate with small Information Technology (IT) departments. Many bank leadership team members wear multiple hats. Being able to lean on the expertise of the FinTech as a partner can bolster your internal teams with depth of experience and insights, and contribute to strategic advantage.

Banking is a heavily regulated business and cannot run on technology built without banking in mind. There are some things that can’t be compromised, like internal controls. A smooth onboarding flow is a necessity. If users can’t onboard easily and electronically, it’s severely detrimental in today’s digital world.

The right FinTech Product Officer operates with sound guidance and tools supported by their CCO and CRO, and knows that banks as clients need to operate in a safe and sound manner and achieve compliance with applicable regulatory requirements while remaining relevant and competitive in the marketplace.

3. They Build with Risk in Mind

A bank might hire a FinTech firm because they want to battle fraud or offer / grow a new product. They may be looking for a relationship that helps them leverage innovation through the research and development a FinTech’s team accomplished through its focused efforts. However, the FinTech must have a full grasp of what you’re trying to achieve, how you want to execute, and the inherent risks involved. How the FinTech builds, delivers, and operates should help mitigate risk every step of the way.

A tech platform suitable for the banking environment considers risk from inception. The processes to manage information security risk are not an afterthought or a reaction. They were built with the understanding that banking services are likely to be targeted for cyber-attacks. It’s less of an ‘if’ and more of a ‘when.’ The only way to not be a target is to not be on the playing field, which is not possible in today’s world. Knowing and monitoring the threat vectors, the possible sources of intrusion, and the vulnerabilities from within, through, and at the periphery is table stakes.

A responsible FinTech team understands its inherent risks as well as yours, the regulatory perimeter, and the controls expected to manage the risks. There should be focus on operating with procedures in place for vendor due diligence and the development of programs and policies to mitigate and/or avoid third- and fourth-party risk. You are not only getting directly involved with the FinTech but indirectly involved with everyone that works with the FinTech.

4. They Have the Right Team in Place to Support the Bank’s Risk in Deploying the Technology

Ultimately, banks own the risk. However, if your potential FinTech partner expects you to handle the risk management while they handle only the technology, then you will find yourself faced with an increased potential for miscommunication and gaps in internal controls. A FinTech operating with a team of experienced professionals that understand industry practices will advance your objectives with appropriate and reasonable oversight. A FinTech that lacks awareness of risk practices and expected controls may require bank management to exert increased oversight, monitoring, and even training to get them to baseline. This is an added, unnecessary cost of managing the FinTech that you want to root out during due diligence. A FinTech’s commitment to risk and compliance should not stop at obtaining relevant certifications and accreditations but should be regularly supplemented by relevant networking and actively taking part in industry groups and forums related to risk management, including information security and compliance.

Banks uphold public trust, and in doing so, they need to operate with sound internal controls and adherence to the applicable regulatory frameworks. Financial institutions face more stringent standards and expectations than most companies, notably the supervisory examination process. Finding a FinTech partner that understands the expectations, hurdles, and requirements for safety and soundness, internal controls, and third-party risk management, for starters, can bolster management’s confidence in the products, services, relationship, and information flow they come to expect in order to effectively manage the risk of that FinTech and its impact on the bank’s risk profile. As banks think about their FinTech partner as part of their business, not just a banking partner, they should be asking, ‘What if the regulators walked into the FinTech’s office today?’ Your FinTech needs to run as though they are always ready for you or your regulators to show up.

At BrightFi, for example, we govern ourselves like a bank governs itself. We operate with an independent board, risk and compliance committee governance, and bank quality policy, procedure, and control. We’re not a tech firm that thinks of banking as an afterthought. We have built our infrastructure to the banking standards.  

A FinTech Built by Risk Experts:

BrightFi’s Sidecar implementation stands up fast and has a smooth integration without operational hiccups. It offers an easy customer experience, is compliant by design, and all the pieces work seamlessly together, uniting your existing tech and offering an additional shield against inherent risk.

Your Risk and Operations “Cheat Sheet” of Questions to Ask:

How does your company identify, assess, and mitigate potential risks when developing and enhancing new products and in conducting ongoing operations?  

What kind of monitoring is conducted?  

How do you protect customer data and ensure that it is treated with proper levels of confidentiality?

What measures do you have in place to protect against cyber-attacks and data breaches?  

What procedures do you have in place to handle incidents or breaches if they occur?

What are the third-, fourth-, and fifth-party risks, and how are they managed?

How do you regularly review and update your risk management and compliance processes to ensure that they remain effective?

Is the management team experienced, and do they understand risk?

What about BrightFi’s infrastructure is different?

BrightFi was built from the ground up by experienced technologists, risk management experts, and bankers who are passionate about banking. Our philosophy has been to leverage and build technology in the Cloud with stringent standards to protect customer data, passing only the least data needed to complete the transaction, and granting tokens only as the customer requests to see their information in the app or to transact. We force a selfie face match to ensure the customer is actually the one trying to complete the transaction.

To preserve the integrity of our internal environment, we operate with a “need to know” and least privilege access principle – access is only granted where it is absolutely needed and with minimal rights. BrightFi is completely password-less, and in the few circumstances where passwords are still needed, multifactor authentication is implemented. This helps protect against compromised passwords.
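The two controls described in the last two paragraphs, least data with tokens granted only for the specific request, and need-to-know access for internal roles, can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not BrightFi’s code and says nothing about how BrightFi’s platform is actually implemented. The signing key, action names, role names, permission strings, and the sample account record are all constructed for the example.

```python
"""Added example (not BrightFi's code): a minimal model of
(1) just-in-time, narrowly scoped, short-lived customer tokens that return only
    the fields a given action needs (least data), and
(2) an explicit allow-list for internal roles (need-to-know / least privilege),
    where anything not listed is denied.
All names and values below are assumptions made for the illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed demo key. A real service would keep this in a KMS/HSM, not in source.
SIGNING_KEY = b"example-signing-key-do-not-use"

# Least data: the only fields each action is allowed to see. Everything else in
# the record (addresses, identifiers, etc.) is never returned.
MINIMAL_FIELDS = {
    "view_balance": ["account_id", "available_balance"],
    "transfer": ["account_id", "available_balance", "daily_limit"],
}

# Need-to-know allow-list for internal roles (assumed roles and permissions).
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read_profile"},
    "fraud_analyst": {"customer:read_profile", "txn:read"},
    "payments_ops": {"txn:read", "txn:reverse"},
}

# Constructed sample record; note it holds more than any action may return.
ACCOUNT = {
    "owner": "cust-123",
    "account_id": "acct-001",
    "available_balance": 250.0,
    "daily_limit": 1000.0,
    "ssn_last4": "1234",
    "home_address": "1 Example St",
}


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(customer_id, action, resource, ttl_seconds=60, now=None):
    """Mint a token only for the action/resource the customer just asked for."""
    if action not in MINIMAL_FIELDS:
        raise ValueError(f"unknown action {action!r}")
    now = time.time() if now is None else now
    claims = {"sub": customer_id, "act": action, "res": resource,
              "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def verify_token(token, action, resource, now=None):
    """Return the claims only if the token is intact, unexpired, and scoped
    to exactly this action and resource; otherwise return None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered body or signature
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None  # expired
    if claims["act"] != action or claims["res"] != resource:
        return None  # token was granted for a different request
    return claims


def serve_request(token, action, resource, record, now=None):
    """Apply the token check, confirm the caller owns the record, and return
    only the minimal field set for the action."""
    claims = verify_token(token, action, resource, now)
    if claims is None or claims["sub"] != record["owner"]:
        return None
    return {k: record[k] for k in MINIMAL_FIELDS[action] if k in record}


def staff_allowed(role, permission):
    """Deny by default: a role may do only what its allow-list names."""
    return permission in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    tok = issue_token("cust-123", "view_balance", "acct-001", now=1000.0)
    print(serve_request(tok, "view_balance", "acct-001", ACCOUNT, now=1030.0))
    print(serve_request(tok, "transfer", "acct-001", ACCOUNT, now=1030.0))
```

The useful property to notice is what the balance response does not contain: a token minted for `view_balance` cannot be reused for `transfer`, it dies after its TTL, and even a valid one never exposes `ssn_last4` or `home_address`. The role check is written the same way, as an allow-list with denial as the default, so a new role gets nothing until someone deliberately grants it.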

If you’d like to know more about how BrightFi reduces risk, cost, and complexity, schedule a demo.