STARC Framework for Bank-Fintech Risk Management

Before community bankers ink a new fintech partnership, senior management often must quell their own fears that a headline-grabbing problem will land them in the regulatory penalty box. While regulators repeatedly warn bankers to vet and monitor third-party relationships, doing so is easier said than done.

Some relief for the headache of overseeing third-party fintech risk management is apparently here. In March 2025, the Coalition for Financial Ecosystem Standards (CFES) arrived, introducing the Standardized Assessment for Risk Management & Compliance, or STARC. 

STARC can certify that a fintech has achieved dozens of measurable standards in core compliance areas ranging from BSA/AML to compliance management systems, operational risk, and complaint handling.

“If a fintech can align with the standards set by CFES, then that de-risks the program for the banks involved—and really for the entire space,” says Ana Liza Grandner, chief payments officer for $2.1 billion-asset First Bank of the Lake in Osage Beach, Missouri.

The “common app” for fintechs?

An unabashed supporter of banking–fintech partnerships, CFES cofounder Sima Gandhi views anything that can increase information about third-party risk management as beneficial.

“I want there to be more [fintech] partnerships with companies, with banks feeling like they have clarity and aligned expectations,” she says. “For many community banks around the country, partnering with fintechs is the way forward.”

Gandhi does acknowledge that in recent years, consent orders issued against banks for due-diligence failures in selecting and overseeing fintech partners has had a devastating effect on the banks involved and a chilling effect on the industry as a whole. 

“For a smaller bank,” she says, “a consent order could kill the program and end viability financially.”

Enhancing compliance

Given the stakes involved, Gandhi sees the type of partnership between fintechs and the financial industry that CFES has forged as the best way to achieve compliance successes.

She also notes that using STARC doesn’t mean a bank abdicates its role in investigating the governance of a prospective fintech partner. To the contrary, she likens certification to completing the “common app” for college admissions. A bank can use CFES’s standards as a starting point and still ask potential partners for whatever supplemental information is deemed important.

“We want to help [bankers] get from zero to eight [in collecting relevant information], and then they can close the gap between eight and 10 however they like,” says Gandhi.

Gandhi anticipates that banks will ask prospective fintech partners to get certified by STARC as a condition of finalizing partnership deals with them. She estimates that when it comes to small fintech programs, certification would typically be achieved in two to three months.

“A teaching tool”

CFES’s solution has analogs in other industries. Michael Emancipator, senior vice president and regulatory counsel for ICBA, suggests that community banks picture STARC as the equivalent of SOC 2 certification for a cybersecurity audit. 

Emancipator also points out that STARC expands upon statements by the regulators, such as the third-party risk management guidance finalized on June 6, 2023, and issued by the FDIC, the Federal Reserve Board and the Office of the Comptroller of the Currency.

While published guidance amounts to a good first step, he says STARC has the advantage of being able to quickly adapt to developing technologies, many of which are evolving so rapidly that they’re hard to track.  

“If you’re a bank, sometimes you might not even know the questions to ask to vet a third party to know if what they’re offering is sufficient, or risky, or whether you’re going to get something valuable,” says Emancipator. “With STARC, you’re able to tap into the expertise of a centralized body to have more certainty that a third party is sound.”

Used well, STARC can streamline fintech vetting processes while making compliance expectations clearer for everyone involved.

FinWise Bank in Murray, Utah, works with 18 fintech partners and has plans to add more each year. Vetting prospective fintech partners currently involves 12 to 15 team members, “not counting executive oversight,” says Michael O’Brien, the $900 million-asset community bank’s chief compliance and risk officer and corporate counsel.

O’Brien points out that the STARC framework can serve as “a teaching tool for our compliance and risk professionals, as well as others in the organization.”

A public–private partnership

Over time, Gandhi envisions the CFES model of a public–private partnership among rule-makers, banks, regulators and fintechs becoming widely recognized.

She points out that the current regulatory model, which relies on lengthy and cumbersome notice and commentary periods, is ill suited to the rapidly evolving fintech space. 

“We need to iterate standards quickly, because technology moves quickly,” she says. “How do you meld together the expertise of risk management and compliance people with technology and banking people? That’s the magic—and that’s what we’re doing.”

---