Community bank–fintech partnerships can bring lucrative opportunities for both parties, but they come with a unique set of compliance challenges.
Before signing on the dotted line with a new partner, community banks should refer to federal banking regulators’ June 2023 Interagency Guidance on Third-Party Relationships, which spells out the key elements of a compliance framework for such partnerships.
Data security and privacy is top of mind for regulators in any bank–fintech partnership, says Rafael DeLeon, senior vice president of industry engagement at Ncontracts and a board member of $2.2 billion-asset MainStreet Bank in Fairfax, Virginia.
“Regulators expect you to make sure your vendors are protecting customer information with the same rigor you would internally—encryption, access controls, incident response, the whole package,” DeLeon says.
“Consumer protection is another area where outsourcing won’t shield you,” he adds. “If a vendor mishandles complaints, misleads customers or creates [Unfair, Deceptive, or Abusive Acts or Practices] risk, it’s the bank that’s accountable. That’s why strong third-party risk management isn’t optional.”
Regulators are also looking to see if bank–fintech partnerships are complying with Bank Secrecy Act and anti-money laundering requirements, as well as monitoring for potential bias per fair lending laws, DeLeon says.
According to Dan McGonegle, regulatory compliance senior manager at Chicago-based Crowe LLP and former manager of the Federal Reserve’s Novel Activities Supervision Program, the key to robust compliance is making sure the fintech shares information, in near-real time, about the bank customers using its services and their transactions.
“This is an area that has been missing in a lot of partnerships, and it’s contributed to more visible issues in the way of BSA and AML deficiencies and the ability to apply effective ongoing monitoring over the third party,” McGonegle says.
What’s the risk?
During the risk assessment process, banks must ensure their due diligence is comprehensive enough to understand not only the fintech they would like to partner with but also all the risks that could come about from such a partnership, according to Bradley Wallace, director of compliance at CSI in Paducah, Kentucky.
None of those risks are more important than data security risk, says Steve Sanders, CSI’s chief risk officer and chief information security officer.
“To understand the risk to the bank, it’s essential to understand where the data resides, how it’s managed, how it’s protected, when it’s purged and how it can be obtained if the relationship ends,” Sanders says.
This includes a clear understanding of the fintech’s expectations relating to computer security incidents, he says. Depending on the data stored by the fintech, it’s important to understand how access to data is protected from data breaches and insider threats.
DeLeon recommends embedding compliance and risk requirements directly into vendor contracts, essentially “using contracts as a control.” Banks should include specific clauses around cybersecurity standards, regulatory obligations, performance metrics and clear termination rights.
“These aren’t just legal protections,” he says. “They give the bank real leverage and recourse if a vendor underperforms or creates compliance issues.”

Contracts should also specify which party—the bank or the fintech—is responsible for which compliance and risk management procedure, says Clayton Mitchell, Crowe’s fintech managing principal.
“The [regulatory obligations remain] the same; you just have [multiple entities] involved and you have to define what those roles and responsibilities are early,” Mitchell says. “Frankly, it doesn’t matter who does it, so long as it happens in line with the regulatory requirements.”
He adds that when determining roles and responsibilities, banks should use a “responsible, accountable, consulted, informed” (RACI) matrix covering each business line or function involved in the bank–fintech partnership. The matrix should also record who on each side of the partnership is responsible for audits, monitoring and managing overall risk.
“Create a very transparent culture so that you don’t have an ‘aha’ moment in the worst way as you start to operationalize the program,” Mitchell says.
“I’ve yet to see a bank–fintech partnership that’s elegant and works perfectly,” he says. “You’re going to run into issues, and when those happen, you work together to figure it out.”
The parameters for outsourcing
According to McGonegle, the interagency guidance is very clear that a bank can outsource a particular activity but cannot outsource the risk or the responsibility for that activity.
“Banks that are engaged in this space say it almost acts like an extension of their charter,” he says. “They ensure that risk management and compliance is a function that’s applied to the entire supply chain of the relationship, as opposed to just the bank.”
Community banks should implement “comprehensive lifecycle management” of the partnership, DeLeon says, establishing a structured, repeatable process that covers every phase, from initial vendor onboarding through monitoring and eventual offboarding.
“This systematic approach is crucial, because it eliminates blind spots and maintains consistency even when vendors change or staff turnover occurs,” he says. “Community banks especially benefit from this structure, since they often have leaner teams managing multiple responsibilities.”
As part of this, banks should focus on the forms of information they are able to collect throughout the lifecycle of the relationship and what rights they have for requesting and expecting remediation of deficiencies they observe, Wallace says.
An often-overlooked component of third-party risk management is governance and reporting, Sanders says. In many cases, it would benefit the bank to have a third-party risk management committee with the responsibility to weigh in on vendor risk and report its findings to the board of directors.
Ongoing monitoring includes periodic testing and business reviews to gauge the performance of the relationship, Mitchell says. Banks should track whether budget, volume and activity goals are being met, and whether the fintech is meeting the service-level agreements laid out in the contract.
Finally, don’t forget about training. Compliance is ultimately every bank employee’s responsibility.
