News
Prudential Regulators Release Guide for Community Banks on Conducting Diligence on Financial Technology Companies
Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks
Introduction
Innovation and evolving customer preferences are changing the financial services landscape, including the way financial products and services are delivered. Some banks are exploring ways in which third-party relationships may assist them in responding to the changing landscape. These relationships are particularly relevant in situations in which community banks may benefit from additional expertise. By providing access to new or innovative technologies, companies specializing in financial technologies (or “fintech”) can provide community banks with many benefits, such as enhanced products and services, increased efficiency, and reduced costs, all bolstering competitiveness. Like other third-party relationships, arrangements with fintech companies can also introduce risks.1 Assessing the benefits and risks posed by these relationships is key to a community bank’s due diligence process.
This guide is intended to be a resource for community banks when performing due diligence on prospective relationships with fintech companies. Use of this guide is voluntary and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company. While the guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Banks should reference federal banking agencies’ relevant guidance.2
Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance. During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.
The guide focuses on six key due diligence topics, including relevant considerations, potential sources of information and illustrative examples. There may be other topics, considerations, and sources of information to consider, depending on the unique relationship and the role of the fintech company.
Endnotes
[1] Engaging a third party does not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.
[2] For institutions supervised by the Office of the Comptroller of the Currency (OCC), see OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance (October 30, 2013), https://www.occ.gov/news-issuances/bulletins/2013/ bulletin-2013-29.html. For institutions supervised by the Federal Deposit Insurance Corporation (FDIC), see FDIC Financial Institution Letter-44-2008 (June 6, 2008), https://www.fdic.gov/news/financial-institution-letters/2008/fil08044. html. For institutions supervised by the Board of Governors of the Federal Reserve System (Board), see SR letter 13-19 “Guidance on Managing Outsourcing Risk” (December 5, 2013), https://www.federalreserve.gov/supervisionreg/ srletters/sr1319.htm. On July 19, 2021, the Board, FDIC, and OCC (federal banking agencies) published for comment proposed interagency guidance for third-party relationships. See “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 86 Fed. Reg. 38,182 (July 19, 2021). This guide draws from the federal banking agencies’ existing guidance and is consistent with the proposed interagency guidance.