The concept of third-party risk management is, of course, nothing new and has been seen in banking guidance including that from the OCC. However, regulators view the abundance of companies partnering with and using services of Financial Technology (FinTech) organizations as a true risk game-changer. Regulatory expectations for risk management are tightening across the board for third-party usage in financial institutions, but they are perhaps most pronounced in the case of organizations who utilize FinTechs as third parties.
Since 65% of banks and credit unions use at least one FinTech, it is important to understand the additional risks FinTechs bring to their financial institution (FI) partners. FinTechs can be especially risky due to their high failure rate, lack of historical data, and consistent usage of innovative, new technologies.
FinTechs are often “disruptors” with a pioneering spirit and start-up structure. Today’s FIs frequently partner with FinTechs to drive revenue, decrease expenses, and expand their customer base. Because FinTechs can pose significantly higher risk, regulators are watching FI – FinTech partnerships closely and are more likely to warn or fine FIs that haven’t demonstrated careful assessment and management of their FinTech Partner’s risk exposures.
To avoid this exposure, there are some very effective actions FIs can take to mitigate risk and keep regulators happy, including: creating a FinTech risk management framework, developing approval criteria, and ensuring continuous risk monitoring of their FinTech partners.
A FinTech Risk Management Blueprint
As a foundational step, it is crucial for the FI to develop and adopt a comprehensive FinTech Risk Management Framework that addresses nine critical pillars: risk governance, FinTech operations, FinTech-related ERM, Independent Reviews, FinTech Relationship Monitoring, Strategic Considerations, Executive and Board Oversight, Information Management and Reporting, and Data and Document Management. Here is an example of such a framework.
The benefits of such a risk management framework are numerous:
- Creates a common understanding and language between those responsible for FinTech Risk Management, Executive Management, and the Board
- Demonstrates that the FI is taking a comprehensive approach to FinTech Risk Management
- Allows for identification and remediation of any gaps in risk management
- Can be used to educate the Board on FinTech risks and risk management
- Creates an open dialogue between the FI and Regulators through a common language
Each FinTech partner’s risk management program and mitigations must be examined; in the case of FinTech startups, there are often critical risk exposures in the areas of financial stability, operational events, legal/regulatory risk, and cyber/IT resilience. These risks, along with classical categories such as strategic, credit, and market risks, must be considered for each FinTech in isolation, but a “portfolio” or “bird’s-eye” view of all the FI’s FinTech partners must also be developed. Such a portfolio view illuminates key concentrations, correlations, and inter-relationships across the risks of the full basket of FinTech partners.
Policies and Procedures
As with other risk and compliance areas of the FI, robust Policies and Procedures are an absolute must. An overarching FinTech Policy needs to be in place that defines the type of FinTech Partnerships that the FI is willing to consider. This centers largely on the risk appetite of the FI and must reflect the FI’s business goals, strategy, and capacity for adverse outcomes. Some key components include:
- The types of relationships allowed – BaaS, LaaS, other
- Direct relationships, indirect through platforms / aggregators
- Products and services allowed and those prohibited
- FinTech maturity considerations – early, mid, late stage, public/private
- FinTech market analysis and outlook
- FinTech risk ratings, KRIs, and publicly available financial information
- Alignment with the FI strategic plan
- Approval requirements (Executive and Board level)
- Exception criteria
- Monitoring and reporting requirements
- Responsibilities and accountabilities
Comprehensive policies and procedures create the foundation on which to move forward with FinTech Partnerships. They establish the rules of the road and are subject to change over time as the FI matures and risk appetite increases or decreases. Evolution in the FinTech space is rapid, so policies and procedures must be dynamic to allow for regular review to ensure the risk management approach remains agile and effective.
Continuous Monitoring is Critical for Success
While necessary, performing initial due diligence and then monitoring risks on an annual basis is not sufficient when it comes to risk management of FinTech relationships. Risk-based monitoring on a quarterly, monthly, or even continuous basis is needed to identify changes in the risk profile of a FinTech Partner that could negatively impact the FI and its customers.
The scope and frequency of monitoring needs to consider the products and services offered through the FinTech, regulatory requirements related to those products and services, the number of accounts and customers that could be affected, the risk management and controls at the FinTech, and the difficulty of replacing those products and services should the FinTech fail.
Some key areas monitoring should capture include:
- Financial health of the FinTech (capital adequacy, ability to meet forecasts, profitability, strength of investors, etc.)
- Key operational metrics and SLAs
- Regulatory Compliance
- Consumer Complaints
- Information Security (vulnerability assessments and penetration test results and remediation)
- Resiliency (Incident Response and DRP testing and results)
- Business Strategy
- Oversight of the FinTech’s key third parties
- Tracking and monitoring the status on all commitments related to improving risk management and controls (SOC 2 Type 2 and other attestations)
- Key risk and performance metrics, identified and tracked on a frequent basis (automating the data transfer and analytics from various sources into the risk management system)
A risk management technology solution is a critical component to enable a comprehensive and scalable FinTech Risk Assessment and Ongoing Monitoring Program. It enables consistent risk assessments, periodic or continuous updates, and timely reporting and communication within the FI. Due diligence efforts and results can be housed in the system, while risk categories and risk attributes can be tracked and updated regularly to clearly show improvements or declines within each Category.
Top risks and risk improvement activities can also be tracked and reported to those who implement the appropriate risk response, control or mitigation. Both accurate information recording and the timely flow of information are pre-requisites for an effective program.
FI and FinTech Partnerships call for new risk management
Nearly all revolutions in the financial world come with both risk and reward. The threats and challenges FIs face are evolving at a breakneck pace and so too must risk management programs, mitigations, and monitoring capabilities. An FI partnering with a FinTech is seen as both an asset and a liability, but with the right FinTech risk management framework in place, management can make more informed decisions from a risk-adjusted return perspective. FinTech partnerships are today’s prime example of this double-edged sword of risk vs reward.
MICHAEL GLOTZ, MBA, CRP
CEO and Co-founder
Mr. Glotz is the Chief Executive Officer and Founding Partner of Strategic Risk Associates (SRA) and is the firm’s practice leader for risk management, governance, capital management and internal audit activities. He has led numerous risk management and capital planning engagement efforts for national, regional and community organizations. Mr. Glotz served as Senior Vice President and Strategic Financial Officer for Crestar Bank and later SunTrust Bank through acquisition. During his tenure with SunTrust Bank, he held various senior financial positions including Strategic Financial Officer and head of Strategic Cost Management (EMC2 Play.) Immediately before SRA’s founding, Mr. Glotz was a Managing Vice President with Capital One Financial Corporation. Mr. Glotz held a number of senior positions with Capital One including Managing Vice President of Corporate Audit and Credit Review Services for Capital One Bank ($80 Billion in Assets at the time), which included the oversight and development of over 100 audit and risk professionals. Mr. Glotz also supported the implementation of Enterprise Risk Management and led independent assessments of bank acquisition and integration activities for large-scale mergers. Mr. Glotz is Risk-Reward Co-Chair of the American Association of Bank Directors and is a faculty member of the Institute of Bank Director Education. Mr. Glotz was a Faculty Professor of the Virginia Bankers School at the University of Virginia where he taught Risk Governance and ERM. He has delivered Bank Director training for many State Banking Associations, and individually for a number of Boards. Mr. Glotz received a BBA Degree in Business from the University of Wisconsin, an MBA from the University of Richmond and completed the Executive Development Program at Wharton, University of Pennsylvania. He is a Certified Risk Professional.
AL PALMER, CISA, CCCP
Chief Risk Officer and FinTech Risk Services
Al is a highly experienced audit, risk management and compliance professional and serves as SRA’s Chief Risk Officer with responsibility for coordinating all ERM related activities across our Company. During his career, Al has established and implemented Risk Management related functions for financial services companies ranging from start-ups to a Top Ten Bank. He has assisted and guided organizations through the challenges of Consent Orders and other regulatory enforcement actions. He has leveraged systems and technology to implement Automated Compliance Management Systems, Business Monitoring and Internal Audit Programs that significantly expanded coverage in a cost-effective manner. He has established and Chaired Executive and Board level Risk Committees. Al also participates in credit portfolio reviews and due diligence engagements. Most recently, Al served as the Compliance Officer and General Auditor for Global Lending Services LLC, a rapidly growing Auto Finance Company that had to comply with Federal regulatory requirements as well as those of 47 states. He previously worked for Capital One where he served as Audit Executive for several business lines and worked on numerous due diligence reviews and integrations for Bank and other business Acquisitions. Al has an MBA from Virginia Commonwealth University, is a Certified Information Systems Auditor and a Certified Consumer Compliance Professional.