In August 2021, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (the Federal Reserve and, collectively with the OCC and the FDIC, the Agencies) released a joint bulletin titled “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks” (the Guide). The Guide is intended to be a resource for community banks assessing risks and performing due diligence when considering prospective relationships with fintech companies. In the introduction to the Guide, the Agencies note that, “[w]hile the [G]uide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships.”
As described below, the Guide covers six main areas of due diligence: business experience and qualifications, financial condition, legal and regulatory compliance, risk management and control processes, information security, and operational resilience.
- First, the Agencies suggest that community banks evaluate a fintech company’s business experience, strategic goals, and overall qualifications in order to assess the fintech company’s ability to meet the bank’s needs. The Guide includes operational history, client references and complaints, and any legal or regulatory actions against the fintech as relevant considerations when evaluating a fintech’s business experience.
- Second, the Agencies suggest that community banks consider a fintech company’s financial condition in order to assess the fintech company’s ability to remain in business and fulfill any obligations to the community bank. The Agencies specifically suggest that community banks review financial reports, funding sources, and information regarding the fintech company’s competitive environment, client base, and susceptibility to external risks.
- Third, the Agencies suggest that community banks evaluate a fintech company’s legal standing, knowledge of relevant legal and regulatory requirements, and experience working within the relevant legal and regulatory frameworks. Community banks may wish to consider organizational documents, business licenses, charters, and registrations, review the nature of the proposed relationship, and assess the fintech company’s outstanding legal or regulatory issues (if any). Additionally, the Guide specifically suggests that community banks closely assess a fintech company’s regulatory compliance program prior to partnering with the fintech company.
- Fourth, the Guide states that “[e]valuating the effectiveness of a fintech company’s risk management policies, processes, and controls helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.”
- Fifth, the Agencies suggest that community banks evaluate information security measures in place at a fintech company in order to assess the adequacy and integrity of the company’s processes for handling and protecting sensitive customer information.
- Finally, the Guide proposes that community banks evaluate the ability of the fintech company to continue operations through a “disruption,” including a technology-based failure, human error, cyber incident, pandemic outbreak, and/or natural disaster.
While the Guide recognizes that community banks may benefit from the expertise fintech companies may provide by delivering access to innovative technologies, it also signals that the Agencies intend to pay increased attention to risk management conducted by financial institutions partnering with fintech companies.