By Tracey Levandoski, CRCM, CrossCheck Compliance LLC
Lending competition is accelerating as banks implement digital tools and embrace partnerships with financial technology firms (fintechs). Various industrial banks, in Utah and elsewhere, have created a successful business model working with fintechs to offer a variety of lending products. Now, traditional banks are also looking at accelerating their digital strategies as both businesses and consumers become increasingly comfortable with online lending. Partnering with a fintech can provide an enhanced customer experience and accelerate the implementation of your digital strategy without the investment of time and human capital, which can be costly, especially to community banks that may not have substantial information technology and programming budgets.
With the many different technologies and third-party partners available in the fintech lending space, there are many risks to consider and decisions to be made. If there ever was a time to have a robust vendor management process in place, this is it. A rigorous vetting process will help ensure that your fintech partners will deliver what is promised and expected.
What are the best practices for evaluating your potential lending partners? And what are the issues that you, as the entity ultimately responsible for the third-party relationship, need to consider? All the federal banking regulators have issued guidance for managing third-party risk,(1) and bankers should have a good understanding of those expectations before selecting a fintech lending partner. At a minimum, the selection criteria should include consideration of:(2)
- The compatibility of the fintech’s vision and value proposition with that of the bank and the ability to execute: Does the product “fit” within the bank’s culture and its customers’ expectations?
- The functionality of the system: Can the product parameters be modified to meet the bank’s expectations and lending criteria? Is the system compatible with the bank’s current operations?
- Service and support: Is the product adaptable as conditions change over time? Does the fintech guarantee minimum service levels and provide for disaster recovery and business continuity?
- Subcontractors, consultants, or other third parties on which the fintech is relying.
- Cost/pricing.
- The financial stability of the fintech.
In addition to these standard criteria that are part of the evaluation of any third-party provider, bank management will want to consider the following elements that are more specific to the fintech lending partnership.
Lending Experience and Expertise
The functionality of the technology is an important consideration, and that is often the first part of the evaluation process. However, as you execute the due diligence evaluation, you will want to look carefully at the experience of the fintech’s management team. They should have a deep understanding of the lending process within the banking environment, the associated regulatory requirements, and how their particular technology impacts the entire borrower experience. In addition to getting to know the management team, you will want to speak with their existing clients about product adaptability, responsiveness, integration with current systems, and security.
Security and Privacy
A cybersecurity breach is one of the most significant risks a lender faces in today’s technology environment. The chief information officer should be comfortable that customer information maintained by the fintech is safeguarded and that controls are in place to prevent and detect a breach. Determine who will be hosting the application and the data collected. Do they fully understand state privacy requirements and the Gramm-Leach-Bliley Act? Is adequate cybersecurity insurance coverage in place at the fintech, and how does it interrelate with the bank’s coverage?
Beyond the protection of your customers’ information, there is an emerging concern about the use of customer data. Banks have a lot of information about their customers. Is this data going to be shared with the fintech for marketing purposes? How will the data be accessed? How will it be stored? Will the bank’s privacy policies need to be updated to address amended information-sharing practices?
Regulatory Compliance Considerations
The culture of compliance in the fintech industry is shifting. Fintechs realize that to grow and form partnerships, regulatory compliance is a non-negotiable requirement. Having a compliance culture and all the correct pieces in place is essential. Does your potential partner have experienced compliance personnel with knowledge of banking regulations? Has an effective compliance management system (CMS) been implemented that includes board and management oversight, policies and procedures, training, monitoring or audit, a consumer complaint response, and a third-party service provider management program? Just like your bank’s CMS, the fintech’s CMS should address all relevant consumer financial protection regulations, including fair lending laws and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). If an effective CMS is not in place, how much hands-on guidance are you able and willing to provide?
The central feature of a fintech lending platform is the credit model. Bank management should determine if the model is adaptable to the bank’s lending policies. Also, because the lending decision is made almost instantaneously, bank management should determine if the methods by which the applicant is identified as required by the USA PATRIOT Act comply with the bank’s customer identification program requirements. With the increasing use of alternative data,(3) which can introduce unintended fair lending risk, along with artificial intelligence, which may not allow for effective documentation as the model changes, strong model risk management practices are essential, including model validation and fair lending reviews. Bank management should understand and evaluate the results of validation and other risk control activities before committing to the partnership.
Another significant compliance consideration is marketing and advertising. Regulatory requirements cover advertising not only under the Truth in Lending Act; regulators have also recently focused on UDAAP where a loan’s terms and conditions are not clearly presented in marketing collateral. If the fintech will be engaged in marketing the product on the bank’s behalf, what review and approval will bank management require before advertising is published to any media?
The Regulatory Future of Fintech
Because the speed of technology has far outpaced the regulations, there are a lot of gray areas when it comes to deciding to embrace the unknown. The regulatory agencies are beginning to address this with the implementation of innovation offices. And in recent months, the OCC announced it is working to evaluate advanced technologies and produce specific underwriting model guidance. The FDIC issued a request for information on standard-setting and voluntary certification for models. Until these initiatives become a reality, banks will still need to evaluate potential partnerships with the right level of due diligence.
(1) FDIC FIL-44-2008: Guidance for Managing Third-Party Risk
OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance
OCC Bulletin 2020-10: Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29
FRB Supervisory Letter SR 13-19/CA 13-21: Guidance on Managing Outsourcing Risk
CFPB Compliance Bulletin and Policy Guidance 2016-02: Service Providers
(2) From FDIC FIL-13-2014: Effective Practices for Selecting a Service Provider
(3) Alternative data considers financial factors about a consumer not generally reported in the traditional consumer report such as cellphone, utility, and rent payments and cash flow data derived from bank account records, as well as non-financial factors such as whether the consumer is a college graduate, owns a cellphone, uses social media, or the type of email account the consumer maintains, etc.
Tracey is a director at CrossCheck Compliance LLC and a regulatory compliance and risk management professional with over 30 years of experience in the financial services industry. Having worked as both a prudential regulator and in banking institutions, Tracey has demonstrated expertise in compliance and the Community Reinvestment Act (CRA). Her expertise includes extensive knowledge of lending and deposit regulations, including fintech lending operations and the bank partner model. She is also experienced in financial institution accounting and operations. Tracey can be reached at tlevandoski@crosscheckcompliance.com.
This story appears in Issue 3 2020 of the Utah Banker Magazine.