On August 27, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the “Agencies”) issued “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.” While the guide is primarily intended to help community banks assess risks when considering prospective relationships with financial technology (fintech) companies, the Agencies note that the fundamental concepts may be useful for banks of varying sizes and for other types of third-party relationships.
The guide covers six key areas of due diligence that community banks should consider when exploring arrangements with fintech companies, and identifies potential sources of information for each:
- Business Experience and Qualifications. Evaluating a fintech company’s business experience, its business strategies and plans, and the qualifications and backgrounds of its directors and company principals allows a community bank to assess the company’s experience in conducting the proposed activities and whether it can meet the bank’s needs.
- Financial Condition. Conducting a financial analysis and reviewing market information assists a community bank in assessing the company’s ability to remain in business and fulfill any obligations.
- Legal and Regulatory Compliance. Evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements, and its experience working within the applicable legal and regulatory framework enables a community bank to ensure the fintech company can comply with such applicable laws. This may include a review of incorporation documents, SEC filings, internal policies and procedures, customer-facing documents, marketing materials, and customer complaints. Though the guide doesn’t expressly mention it, we believe it’s important to also review the fintech’s compliance management system (CMS) in the due diligence process.
- Risk Management and Control Processes. Considering a fintech company’s internal risk management policies and procedures, control review/audit schedule and results, and training materials and schedule helps a community bank assess the company’s ability to conduct the proposed activity in a safe and sound manner.
- Information Security. Reviewing a fintech company’s incident management and response policies, information security and safeguards policies and procedures, and security and privacy training programs allows a community bank to judge the adequacy and integrity of its processes for handling and protecting sensitive information, including customer information.
- Operational Resilience. A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the relationship, a community bank may review the company’s business continuity planning and incident response plan, service level agreements, and reliance on subcontractors.
We believe this guide highlights practical sources of information that may be useful when evaluating fintech companies and provides good illustrative examples of the types of issues that banks encounter from time to time.
The Agencies issued the guide just one month after requesting comment on proposed interagency guidance concerning risk management for third-party relationships.