As many within the financial industry have noted, over the past several decades financial products, services and methods to meet customers’ needs have continued to evolve. More recently, we’ve seen what is tantamount to a revolution of innovation moving far more quickly to satiate customer demands. This revolution of technology and ideas often acts as a double-edged sword. On one side, increased demands can create more customer options and positive impacts on pricing and speed of services. On the other side, efforts to meet increased demands for options and speed can impact the design and implementation of products and services that may not adequately or appropriately prioritize compliance, security, and governance considerations.
As financial services continue to evolve, financial institutions are partnering with fintech companies to expand product options and customer base, generate income, and keep pace with customer demands. Third party risk management is a dual responsibility – and it can be a sharp and dangerous sword if both sides of a partnership do not take compliance and governance obligations seriously. Just last week the Federal Banking Agencies issued a Request for Information on this very topic asking how these partnerships work, how responsibility for compliance is delegated and how key risks are properly managed. This is not a punitive move, but should be seen as an opportunity to inform updates to law, regulation, or supervisory guidance. It’s time to show the regulators how it can work well for all parties. Show that these innovative partnerships can meet customer demands, while maintaining the integrity of the financial system, and preventing potential consumer harm.
A change in perspective will go a long way for both financial institutions and Fintechs in this endeavor. As stated above, innovation and technology advances are moving rapidly, and law and regulatory guidance can’t keep pace. So, part of the challenge with this level of agility and speed is understanding where a product, service, rail, customer type, etc. fits within the regulatory landscape. Instead of analyzing a product or service using the lens of “but the definition doesn’t . . .” or “historically . . .” or “no one else requires that . . .”, think about the purpose of the law, regulation, or supervisory guidance. What was the intent of that guidance? What was it trying to protect, promote, prohibit, or prevent? What are the framework, criteria, and characteristics of guidance? Speaking from experience, most guidance documents are intentionally drafted to inform the audience of how to think about risk management, but not dictating specific, required actions. This permits flexibility and addresses many different facts and circumstances situations. Innovation is thinking outside of the box. Responsible innovation is not completely ignoring or squashing parts of the box without understanding why it was square in the first place.
Financial institutions looking to partner with a fintech or stand up a BaaS Program should approach this activity in the same way they would if introducing a new line of business or supporting a new business type. You wouldn’t begin to offer commercial lending, wealth management products, or provide services to companies involved in cannabis sale without having expert resources on hand to understand the operations, compliance requirements, and risk management expectations for those products. The same standards should govern partnerships with a fintech. Bank teams must take the time to understand the fintech space and different models and use cases. This isn’t a one size fits all arena - “commercial payments” is a very broad category with multiple different use cases. The bank should first understand why they are looking to partner with Fintechs. The program discussion should further explore which use cases match up to the bank’s risk appetite, resources, and expertise to implement and govern the relationship and more importantly – which do not?
Fintechs looking to “faster track” sponsor bank engagements need to remember what the “fin” in fintech represents. I’ve heard too many times, “But, we’re not a bank!” No, but you want to provide financial services. If the product you offer looks like, acts like, and sounds like financial services – guess what, you might be quacking! This means bringing the right folks together as a team to understand all the potential compliance and risk management implications as the product is being designed and built, not scrambling to draft an answer, flowchart, or policy when a sponsor bank requests it. Accept and embrace the fact that your sponsor bank will review and, in many instances, need to approve your compliance program policies and processes. I’m not suggesting that the fintech shouldn’t push back when warranted. But a good way to differentiate your fintech is to show that it’s not just good intentions, but you understand your role in the ecosystem and have prioritized risk management protocols appropriately.
I know that this message may not immediately be embraced by all audiences. But regulatory change and additional guidance is on the horizon. We have an opportunity to inform and influence expectations. My advice to both financial institutions and Fintechs is simple. Instead of challenging regulatory oversight as intrusive and demanding “frictionless” requirements in all instances, work with the regulators to help them understand what guidance currently covers relationships and use cases and where there are gaps and risk management topics that need addressed. Updated guidance should be viewed as a good thing. It will ultimately level the playing field so there is clarity of expectations across this vertical. If you don’t engage in this process with the intention of informing versus complaining, there’s a good chance you will not favor the results. Think about the energy certain factions exerted lobbying against Know Your Customer requirements versus the resulting Customer Identification Program requirements. A step in the right direction is understanding the risk profile of the business and use case(s) you offer or sponsor. An honest assessment of risk is the key to understanding regulatory expectations. In our next installment we’ll walk through the risk assessment process.
Kimberly Hebb, Co-Founder & CRO of BalancedTrust
Great insights! "Responsible innovation is not completely ignoring or squashing parts of the box without understanding why it was square in the first place."