  • Effective Partnerships Between Banks and Marketplace Lenders – Managing Third-Party Risk

    As published in Illinois Banker by Chris Ortigara and Jim Shankle, November/December 2016

    Marketplace lending (fintech) has undergone dramatic shifts since its inception as a “peer-to-peer” lending model. While technology-based startups are seeking more stable funding sources, banks have shifted their thinking from the potential disruption that may result from new business models, to effective collaboration with these entities.

    For the bank, the success of these partnerships will depend on its oversight of three critical components of third-party risk: the fintech’s Compliance Management System (CMS), the fintech’s vendor management processes and testing of the fintech’s proprietary platforms. For the fintech, success will depend on the strength of its business model, a strong compliance culture, and compliance with applicable federal and/or state laws.

    CMS Minimizes Regulatory Risk

    Each of the components within a CMS provides valuable insight regarding how the fintech adheres to and communicates key compliance issues throughout the organization. In a start-up, a complete CMS may not yet exist. Only policies and procedures related to compliance may have been developed. Banks can minimize their regulatory risk by helping their fintech partners understand the best practices for developing a comprehensive CMS. The bank will want to ensure:

    • Board/Management Oversight — The “tone at the top” of the fintech confirms that compliance is a significant part of its business model.
    • Compliance Program — The fintech has implemented compliance-related policies and procedures, and ongoing compliance monitoring is occurring that will protect the bank from risk.
    • Consumer Complaint Response Process — The fintech is tracking each consumer complaint received to ensure that regulatory requirements are adhered to when providing issue resolution to consumers.
    • Independent Audit of CMS — Either an internal or external source, independent of the compliance function, performs a comprehensive review of the fintech’s CMS to ensure all components are operating effectively and that corrective actions are taken when warranted.

    Regulatory Scrutiny of Third-Party Vendor Relationships

    Banks considering a fintech partnership will require assurances that the fintech has adopted robust vendor risk management processes, which include vendor selection, due diligence (especially regarding financial stability and data security), “right to audit” clauses, Service Level Agreements (SLAs), and ongoing monitoring of any of its vendors’ performance. While the due diligence process may have documentation supporting the executed third-party agreement, the fintech may not actually be completing a comprehensive third-party vendor risk assessment of all third parties or performing ongoing monitoring. Once the vendor selection process has been completed for each third-party arrangement, the vendor oversight process should include a review of the policies and procedures detailing the expectations of all third parties. These expectations should be built into each agreement and serve as the foundation for the “right to audit” requirement.

    An effective method for prioritizing the level of oversight requires the completion of a comprehensive risk assessment of all third-party relationships. For each relationship, various risks should be considered to determine the potential impact to the organization of those third parties performing critical roles on behalf of the organization. The assessment should consider operational risk, credit risk, regulatory compliance, reputation risk and strategic risk.

    The Vendor’s Vendors Increase the Potential Risk

    One of the more challenging aspects of monitoring vendor relationships is understanding the roles and risks associated with the “vendor’s vendors.” These relationships should be identified and incorporated into the risk assessment process and monitored accordingly. Even though the fintech as the third party may have engaged additional vendors to perform services, the ultimate responsibility for the oversight of any vendor’s vendors rests with the fintech. One example of a relationship of this type is an “off-shore” company the fintech’s primary vendor has engaged to assist in completing quality control assessments of the underwriting function (particularly in periods of high-volume originations). Additionally, within the loan servicing function, third parties involved in default processing have on occasion utilized the services of additional debt collection entities working under the direction of the fintech.

    Once the risk assessment has been completed, strategies should be developed for the monitoring process of those third parties considered to be of the highest risk. These strategies can include periodic on-site visits as well as scorecard reviews that not only focus on the SLA performance but also incorporate regulatory requirements and processes to minimize the issues identified through the risk assessment. It is important for the bank to gain assurance that the fintech has proper controls in place to prevent any consumer harm.

    Importance of Platform Systems Review

    Many of the fintechs have developed creditworthiness models as well as other proprietary systems that involve complicated algorithms and data-capturing ability from external sources. Fintechs may have proprietary systems for both loan-origination and servicing functions. As part of the due diligence process, banks looking at a fintech partnership will require assurances that these systems are operating as intended and comply with existing laws that apply to all creditors, even those that are not banks. The requests for these assurances may involve aspects typically included in model validation audits required by prudential regulators within the banking industry. These requirements may include any of the following:

    • Data validation testing;
    • Data security procedures, including “attack and penetration testing” to identify any system vulnerabilities;
    • Administrative controls and system access;
    • Change control tracking and monitoring;
    • Business continuity/disaster recovery plans and test results; and
    • Product development life cycle process to ensure that appropriate parties within the organization are involved prior to product roll-out.

    Conclusion

    Despite the current regulatory uncertainty in the fintech space, the implementation of a comprehensive fintech CMS, a strong fintech vendor management program, and thorough testing of the fintech’s proprietary systems will be essential to the successful partnership between the fintech and the bank.

    Category: Regulatory Compliance
