As published in Illinois Banker by Chris Ortigara and Jim Shankle, November/December 2016
Marketplace lending (fintech) has undergone dramatic shifts since its inception as a “peer-to-peer” lending model. While technology-based startups are seeking more stable funding sources, banks have shifted their thinking from the potential disruption that may result from new business models, to effective collaboration with these entities.
For the bank, the success of these partnerships will depend on its oversight of three critical components of third-party risk: the fintech’s Compliance Management System (CMS), the fintech’s vendor management processes and testing of the fintech’s proprietary platforms. For the fintech, success will depend on the strength of its business model, a strong compliance culture, and compliance with applicable federal and/or state laws.
CMS Minimizes Regulatory Risk
Each of the components within a CMS provides valuable insight regarding how the fintech adheres to and communicates key compliance issues throughout the organization. In a start-up, a complete CMS may not yet exist. Only policies and procedures related to compliance may have been developed. Banks can minimize their regulatory risk by helping their fintech partners understand the best practices for developing a comprehensive CMS. The bank will want to ensure:
- Board/Management Oversight — The “tone at the top” of the fintech confirms that compliance is a significant part of their business model.
- Compliance Program — The fintech has implemented compliance-related policies and procedures, and ongoing compliance monitoring is occurring to protect the bank from risk.
- Consumer Complaint Response Process — The fintech is tracking each consumer complaint received to ensure that regulatory requirements are adhered to when providing issue resolution to consumers.
- Independent Audit of CMS — Either an internal or external source, independent of the compliance function, performs a comprehensive review of the fintech’s CMS to ensure all components are operating effectively and that corrective actions are taken when warranted.
Regulatory Scrutiny of Third-Party Vendor Relationships
Banks considering a fintech partnership will require assurances that the fintech has adopted robust vendor risk management processes, which include vendor selection, due diligence (especially regarding financial stability and data security), “right to audit” clauses, Service Level Agreements (SLAs), and ongoing monitoring of any of its vendors’ performance. While the due diligence process may have documentation supporting the executed third-party agreement, the fintech may not actually be completing a comprehensive third-party vendor risk assessment of all third parties or performing ongoing monitoring. Once the vendor selection process has been completed for each third-party arrangement, the vendor oversight process should include a review of the policies and procedures detailing the expectations of all third parties. These expectations should be built into each agreement and serve as the foundation for the “right to audit” requirement.
An effective method for prioritizing the level of oversight requires the completion of a comprehensive risk assessment of all third-party relationships. For each relationship, various risks should be considered to determine the potential impact to the organization of those third parties performing critical roles on behalf of the organization. The assessment should consider operational risk, credit risk, regulatory compliance, reputation risk and strategic risk.
The Vendor’s Vendors Increase the Potential Risk
One of the more challenging aspects of monitoring vendor relationships is understanding the roles and risks associated with the “vendor’s vendors.” These relationships should be identified, incorporated into the risk assessment process, and monitored accordingly. Even though the fintech, as the third party, may have engaged additional vendors to perform services, the ultimate responsibility for the oversight of any vendor’s vendors rests with the fintech. One example of a relationship of this type is an “off-shore” company that the fintech’s primary vendor has engaged to assist in completing quality control assessments of the underwriting function (particularly in periods of high-volume originations). Additionally, within the loan servicing function, third parties involved in default processing have on occasion utilized the services of additional debt collection entities working under the direction of the fintech.
Once the risk assessment has been completed, strategies should be developed for monitoring those third parties considered to be of the highest risk. These strategies can include periodic on-site visits as well as scorecard reviews that not only focus on SLA performance but also incorporate regulatory requirements and processes to minimize the issues identified through the risk assessment. It is important for the bank to gain assurance that the fintech has proper controls in place to prevent any consumer harm.
Importance of Platform Systems Review
Many fintechs have developed creditworthiness models as well as other proprietary systems that involve complicated algorithms and the ability to capture data from external sources. Fintechs may have proprietary systems for both loan-origination and servicing functions. As part of the due diligence process, banks looking at a fintech partnership will require assurances that these systems are operating as intended and comply with existing laws that apply to all creditors, even those that are not banks. The requests for these assurances may involve aspects typically included in the model validation audits required by prudential regulators within the banking industry. These requirements may include any of the following:
- Data validation testing;
- Data security procedures, including “attack and penetration testing” to identify any system vulnerabilities;
- Administrative controls and system access;
- Change control tracking and monitoring;
- Business continuity/disaster recovery plans and test results; and
- Product development life cycle process to ensure that appropriate parties within the organization are involved prior to product roll-out.
Conclusion
Despite the current regulatory uncertainty in the fintech space, the implementation of a comprehensive fintech CMS, a strong fintech vendor management program, and thorough testing of the fintech’s proprietary systems will be essential to the successful partnership between the fintech and the bank.