FinTech Reckoning Requires Elevating Our Governance, Risk and Compliance Cultures
May 28, 2024
Neepa Patel
"Many banks are still utilizing manual controls, processes and even spreadsheets to manage compliance and governance. We've been impressed with Themis' collaborative and centralized modules to increase efficiency, and reduce complexities and internal costs while helping to streamline compliance controls."
-Candice Antinori, VP Compliance Management, CRA Officer at FinWise Bank
Over the last eighteen months, regulators have moved in force to evaluate, and where appropriate issue consent orders to, financial institutions running FinTech programs. Last year alone, according to S&P Global Research, banks offering Banking-as-a-Service to FinTech partners accounted for 13% of all enforcement actions, a disproportionately high share for this cohort. Additionally, with Synapse entering bankruptcy proceedings in the last few weeks, alongside the troubles at Evolve Bank and Trust, Lineage and multiple FinTech programs, one could easily be forgiven for thinking FinTech as a category is facing a regulatory reckoning. Thankfully, we at Themis are extraordinarily privileged to work with dozens of financial institutions running successful FinTech programs, with varying technical, operational and business go-to-market strategies. Determining which FinTech models the bank will support in turn affects decisions across the risk, compliance and operational infrastructure required to serve FinTech partners. This article unpacks why we believe this regulatory reckoning will strengthen both FinTechs and the banks working with them to deliver safe, secure programs at scale for the benefit of the consumers and businesses they serve. While many have rushed to fund technology to solve banking infrastructure, these relationships increasingly require a shift in bank and FinTech cultures, along with purpose-built tooling, to deliver the strong third-party risk management and the governance, risk and compliance oversight regulators are seeking in higher-risk FinTech relationships.
Therefore, let's dig into:
- Exploring FinTech Go-To-Market Models:
- Three-Party Model, Funds Not Held in Perpetuity
- Four-Party Model, Funds Held in Perpetuity
- Technology Without Modern Governance, Risk & Compliance
- Elevating Your Governance, Risk & Compliance Culture Today
1.a) Exploring FinTech Go-To-Market: Three-Party Model, Funds Not Held in Perpetuity
Poring over recent consent orders, a consistent theme appears for banks supporting FinTech programs: standard operating procedures for bank Governance, Risk and Compliance must be redefined when servicing FinTech programs. And yet, across all consent orders, we've seen variations among bank strategies to serve FinTechs. Some focused on lending-as-a-service, others on treasury automation and still others on delivering "Banking-as-a-Service" connected to middleware technology platforms. In an effort to simplify how banks approach this space, we will focus on Three-Party and Four-Party Models, with the distinguishing feature of each being whether funds are held in perpetuity.
Why? Because, in the eyes of both the OCC and the FDIC, any funds moved through a financial institution are moved on behalf of a customer of the bank. As a FinTech is not itself a regulated depository institution, it must rely on the bank either to offer some form of customer automation process (e.g., lending-as-a-service, banking-as-a-service) or to operate within lower-risk, bank-approved models. Starting with a simple use case, let's explore a payments flow of funds (e.g., B2B bank payments) in a Three-Party Model, where funds move through a sponsor bank but are not held in perpetuity. What does this look like from a bank Governance, Risk and Compliance perspective?
Example of FinTech Go-To-Market: Three Party Model
In the Three-Party Model, where funds are not held in perpetuity, the bank acts as the sponsor ODFI on behalf of the FinTech, which in turn supports money movement on behalf of its own customers. Paramount to supporting this model is the bank understanding and approving the flow of funds, understanding the applicable payment compliance requirements (e.g., the Nacha Operating Rules for ACH) and ensuring the FinTech is meeting all of these requirements. Based on our reading of the most recent consent orders, banks must monitor all FinTech programs daily, including compliance, AML/BSA transaction monitoring and operational activity. Ultimately the regulator views these relationships within the bounds of the bank's overall risk strategy; therefore the bank must tie all third-party risk management activity to executive and board reporting and approval, which requires significant internal coordination to ensure quality and competency.
1.b) Exploring FinTech Go-To-Market: Four-Party Model, Funds Held in Perpetuity
On the other hand, a FinTech seeking to offer demand deposit accounts (DDAs), with debit cards, FDIC insurance and more, shifts into a Four-Party Model (Banking-as-a-Service) scenario, requiring much greater technology, compliance, risk and legal coordination among the bank's control groups and the FinTech acting as program manager. For the purposes of this article, Banking-as-a-Service (BaaS) is defined as the automation of bank customer onboarding, payment processing and digital servicing via online and mobile banking, whereby a FinTech acts as a "Program Manager" on behalf of the bank to service the bank's customers. The key themes from the related enforcement actions span third-party risk management practices, insufficient capital controls and an absent compliance committee. Paramount to any bank's strategy is understanding the model's risk, compliance and legal framework to ensure proper oversight, governance and controls are in place as the program shifts from a business case to a functioning service.
Example of FinTech Go-To-Market: Four Party Model
In the Four-Party Model, where funds are held in perpetuity, the bank acts as the sponsor ODFI on behalf of the FinTech supporting money movement, and is also the bank entity serving the FinTech's customers (meaning the FinTech's "customers" are the bank's customers). Paramount to supporting this model is the bank understanding and approving the flow of funds, understanding the applicable payment compliance requirements (e.g., the Nacha Operating Rules) and ensuring the FinTech is meeting all of these requirements. Unfortunately, this is where many bank programs have fallen down in the last 18 months, attempting to outsource key compliance, AML/BSA and third-party risk management functions to the FinTech (or the middleware BaaS provider) with disastrous results. Most recently, a major BaaS platform is in litigation with $50-$150M in contention between itself, the FinTechs it supports and its bank partners. There are many critical factors to get right among all actors in the Four-Party Model, so what can financial institutions do to ensure they approach this space safely and soundly?
2) Technology Without Modern Governance, Risk, Compliance Cultures
Now that we've unpacked the Three-Party and Four-Party Models, which only scratch the surface of the policies, procedures and practices a bank must put in place to support a FinTech program, let's discuss how financial institutions actually bring these partnerships to bear. Over the last several years, considerable VC capital has poured into FinTech "infrastructure" companies promising to hasten go-to-market efforts, primarily by filling the gap in technology services banks offer. Unfortunately, while programs could be launched more quickly, the primary groups responsible for ensuring the safety and soundness of the bank (legal, third-party risk management, AML/BSA, fraud, privacy, regulatory compliance, information security and audit) were largely an afterthought behind proving that the technology and use cases generated significant financial returns. The deluge of consent orders in the last 18 months bears witness to a significant lack of internal coordination, proper controls and oversight for FinTech as a high-risk bank segment. In short, banks rushed to turn on middleware and bank FinTechs, and have suffered the consequences since. While the FinTech brings the technical expertise to facilitate efficient software service integrations, the bank plays the role of managing the compliance, regulatory and risk frameworks to ensure both the FinTech and the underlying customers served maintain healthy activity within the bounds approved by the bank. Before technology decisions are made, banks must first develop a FinTech strategy that documents the evaluation, diligence, risk assessment, approval flows, contractual commitments, and onboarding and oversight policies and procedures the bank will hold each FinTech program (and the customers it serves) accountable to.
In order to develop an adequate control framework, the key stakeholders across the bank's risk, legal and compliance functions must come together with the lines of business to partner successfully and implement these controls with the first FinTech program they support. These efforts are no small task.
3) Elevate Your Governance, Risk and Compliance Culture Today
In either the Three-Party or Four-Party Model, banks managing complex FinTech relationships will not survive as an isolated business unit without proper engagement across all bank control groups, as these consent orders have demonstrated. Additionally, managing these relationships, processes, policies and exceptions requires direct engagement across bank and FinTech leadership. This is why Themis was built: to help financial institutions manage complex relationships across internal control groups, and to help FinTechs level up their own governance, risk and compliance cultures. Over the last two years, dozens of financial institutions have partnered with Themis to eliminate confusion, drive efficiencies and, most importantly, ensure safety and soundness in serving FinTech programs. One case study of note comes from the team at nbkc, who saw considerable efficiency gains in their approval workflows and have accomplished their goal of unifying communication with their FinTech partners. The Themis platform has been so successful for the team at nbkc that they have reduced the headcount needed for the approval and communication process by 50% and reduced turnaround times for approvals by 40%. As the nbkc team shared:
"The product is very intuitive and easy to use - it takes less than a day to get fintech partners added to the software and less than 15 minutes to onboard them. The feedback we've received from our partners thus far is that 'this was the easiest way to upload information we have used' and we are excited to continue our growth alongside Themis."
So, let’s explore a few areas banks are leveraging Themis to elevate their GRC cultures.
FinTech Risk Assessments
Enables banks to simplify, consolidate, score and automate risk reviews and the due diligence process, accelerating onboarding of partners and saving material amounts of time. These risk assessments play a vital role in laddering up each control group's risks to the overall relationship risk to the bank, allowing the bank's legal team to factor outstanding gaps into the contracting process between the bank and the FinTech. Additionally, any contractual commitments made by the FinTech to address those gaps can in turn be tracked in Themis to completion.
Marketing & Advertising Workstream
Sending out newsletters, social media messages or even marketing emails can be downright dangerous without proper collaboration between FinTechs and their bank partners. Themis' real-time document collaboration process ensures a streamlined experience for the FinTech while the right approvers at the bank review, edit and comment on the marketing materials as they move through the approval process.
Complaint Management
Complaint management has become a key regulatory focus, brought forward primarily by the CFPB, and to address this Themis offers real-time collaboration software to streamline your complaint resolution processes. Effective complaint management is crucial for maintaining customer satisfaction and regulatory compliance. For FinTechs, Themis streamlines the upload process to ensure the bank has both the complaint on record and the outcome of the FinTech's process with the end user. For the bank, complaints offer a crucial window, beyond transaction processing, into whether your FinTech partner is meeting and exceeding its customers' expectations for the experience.
And this is just the beginning! These are only three of the more than two dozen modules built in Themis, powering a few dozen bank programs today. Whether you're a bank leaning into working with FinTechs, or a FinTech seeking to meet bank-grade governance, risk and compliance requirements, get in touch today to see how the Themis platform can help you on your journey.
Thank you Walt Cox (Valley National Bank) and Robert Keil, Candice Antinori and Nick Chiappetti (FinWise Bank) for the comments and feedback.