The world of fintech is constantly expanding and evolving, so choosing the right fintech partner can be challenging. To win your organization’s business, many fintech firms offer a "try before you buy" approach.
These proof of concept (POC) engagements demonstrate the vendor’s capabilities and show a possible use case through a series of tests. The best part is that it usually won’t cost your organization a penny. But there’s a catch: to perform these tests, your organization must turn over real data, typically about 1 to 2 years’ worth. Real data is what makes a POC realistic, which is an advantage for both parties.
If not handled correctly, these engagements can increase risk for your organization, and keep in mind that POC projects don’t always deliver on their promises. The scary part isn’t the tests themselves. It’s that many POC engagements aren’t treated as actual vendor engagements, so organizations may be skipping the standard third-party risk precautions.
Let’s dive into some of the risks of proof of concepts and best practices to mitigate them.
The Risks of Proof of Concept With Fintech Vendors
A seemingly harmless proof of concept can cause more harm than good, leaving your organization with increased liability rather than a better product. Before undertaking any POC engagement, fintech or otherwise, it’s important to understand the potential risks:
- The use of sensitive customer information – Your organization has a duty to protect customer data and privacy. Even if the intention is to provide your customers with better service options, protecting their data should always be a priority.
- No contract in place – POC agreements don’t typically carry the same legal protections as a full contract, which is developed to ensure both parties meet specific obligations, especially when it comes to:
  - Data security
  - Privacy
  - Permissible use of data
  - Other regulatory requirements
Many POC agreements amount to little more than a broad scope of work and leave out the essential details that protect your organization and customers against risk.
- The third-party risk management team has no visibility into the engagement – These tests are often run in isolation at the department level, because who wouldn’t want to confirm they have a great solution on their hands before bringing it to top management? Someone in your organization may be setting up a POC test right now while your third-party risk management team is none the wiser.
- Lack of due diligence – Without going through the proper third-party risk management processes, due diligence may be inadequate, or skipped entirely. Without a full understanding of the fintech firm’s risk practices and controls, there’s no way to know what precautions are in place to protect your customers’ data or how the firm ensures regulatory compliance.
- No visibility of fourth parties – Fintech firms outsource just like everyone else. Knowing which of their vendors are involved in providing the final solution to you is essential. It’s equally important to know how the fintech vets, manages, and monitors those vendors.
Best Third-Party Risk Management Practices With Proof of Concepts
When managed correctly, POC engagements can be an excellent opportunity to evaluate and scale new solutions, and you can put the right protections in place to test the product safely.
To minimize risk, and ensure a healthy proof of concept environment, follow these basic rules:
- Clarify the rules of engagement – Everyone in your organization should understand that any test or POC engagement must be treated the same as any other vendor engagement. The third-party risk management rules apply. Before beginning any POC, it’s important to conduct an inherent risk assessment to understand what risks are present. Ensure that no work begins before due diligence has been completed.
- Conduct appropriate due diligence – Don’t offer up anything to any vendor, fintech or otherwise, before you know who you’re dealing with. It’s important to understand and validate their risk management practices and controls.
- Use special POC contracts – Put a proof-of-concept contract in place that clearly defines the expectations and requirements around:
  - Information security
  - Privacy
  - The return or destruction of any sensitive information used during the test
Your contract should be specific to the test only. If the solution works out, you’ll need a separate and more robust contract for the permanent engagement.
- Check the regulations – Any use of customers’ personally identifiable information (PII) must fall under a “permissible use” category. For example, you don’t want to use real customer PII (even in a test) to market new products if the customer has opted out of such activities.
- Anonymize data whenever possible – To limit the damage if the fintech suffers a data breach, replace actual customer names and account numbers with a unique code or other identifier that can be used during testing but can’t be traced back to the customer. Two practical cautions: keep whatever is needed to reverse the mapping (the lookup table, or the secret key used to generate the codes) inside your own organization and never in the extract you hand over; and don’t rely on a plain hash of an account number, because account numbers come from a small enough space that anyone holding the extract can hash every possible number and match the codes back. Remember, too, that replacing names and account numbers doesn’t make the data anonymous if dates, addresses, or transaction details can still single out a customer, so review what else the extract contains.
- Investigate the fintech’s third-party risk management practices – Make sure you review and understand how competent the fintech firm is when it comes to third-party risk management. Ask to review their policy and see evidence of risk assessments, due diligence, management, and monitoring.
- Know who the fourth parties are – Make sure you have a record of all fourth-party vendors (your vendor's vendors) that are significant in delivering the solution, have access to PII, or conduct offshore work.
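The "anonymize data" rule above is the one item in this list that comes down to a concrete technique, so here is an added example of how to do it (this is illustrative code written for this page, not anything the article or any fintech vendor supplies). It replaces the direct identifiers in a POC extract with tokens computed as HMAC-SHA256 under a secret key that stays with your organization, keeps a re-identification map in-house, and contrasts that with the tempting shortcut of an unkeyed hash, which an attacker can reverse simply by enumerating account numbers. The field names, the three sample rows, the 8-digit account format, and the assumption that an attacker knows the issuer prefix are all constructed for the demonstration.

```python
"""Pseudonymize a POC data extract with a keyed hash (HMAC-SHA256).

Added example, not from the original article. Field names, sample rows,
the 8-digit account format and the known issuer prefix are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample extract: the kind of rows a fintech POC would ask for.
SAMPLE_ROWS = [
    {"name": "Alice Example", "account": "10024471", "amount": "125.40"},
    {"name": "Bob Example", "account": "10029930", "amount": "-42.00"},
    {"name": "Alice Example", "account": "10024471", "amount": "9.99"},
]

# Fields that directly identify a customer and must never leave in the clear.
DIRECT_IDENTIFIERS = ("name", "account")


def new_pseudonym_key() -> bytes:
    """Generate the secret that stays with your organization (in practice in a
    secret manager or HSM). The fintech never receives it."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed token: the same input always yields the same token,
    so the fintech can still join rows per customer, but nobody can recompute
    the mapping without the key. 16 hex chars (64 bits) is ample for a POC."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_rows(rows, key, fields=DIRECT_IDENTIFIERS):
    """Return a copy of rows with every direct identifier replaced by a token.
    Non-identifying fields (amounts, dates) are passed through unchanged."""
    out = []
    for row in rows:
        tokenized = dict(row)
        for field in fields:
            tokenized[field] = pseudonymize(row[field], key)
        out.append(tokenized)
    return out


def reidentification_map(rows, key, field="account"):
    """Token -> real value. Built and kept in-house only, so results the fintech
    sends back can be mapped to real customers without ever sharing the key."""
    return {pseudonymize(row[field], key): row[field] for row in rows}


def naive_token(value: str) -> str:
    """The tempting shortcut: an unkeyed hash. Unsafe for low-entropy
    identifiers such as account numbers, as recover_by_enumeration shows."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def recover_by_enumeration(token: str, candidates, tokenizer=naive_token):
    """Attacker model: whoever holds the extract tries every plausible account
    number until a token matches. Needs no secret when tokens are unkeyed."""
    for cand in candidates:
        if tokenizer(cand) == token:
            return cand
    return None


def candidate_accounts(prefix="1002", suffix_digits=4):
    """Assumed attacker knowledge: the issuer prefix, leaving 10**4 guesses.
    Even the full 8-digit space (10**8) is enumerable offline in minutes."""
    return (f"{prefix}{i:0{suffix_digits}d}" for i in range(10 ** suffix_digits))


def demo():
    """Run the comparison; returns (tokenized rows, naive result, keyed result)."""
    key = new_pseudonym_key()
    safe_rows = pseudonymize_rows(SAMPLE_ROWS, key)
    # Unkeyed hash: the account number is recovered from the extract alone.
    naive_result = recover_by_enumeration(naive_token("10024471"), candidate_accounts())
    # Keyed token: the same enumeration fails because the attacker lacks the key.
    keyed_result = recover_by_enumeration(pseudonymize("10024471", key), candidate_accounts())
    return safe_rows, naive_result, keyed_result


if __name__ == "__main__":
    rows, naive, keyed = demo()
    for r in rows:
        print(r)
    print("naive hash recovered:", naive)
    print("keyed token recovered:", keyed)
```

The key, not the algorithm, is what makes this reversible only by you: generate it once per POC, store it where the extract is not, and destroy it when the contract's data-destruction clause kicks in, which also makes any leftover copies of the extract unlinkable. Tokens are deterministic on purpose so the fintech can still group transactions per customer; if that linkage itself is sensitive for the test, use a fresh random token per row instead and keep the mapping table in-house.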
Fintech encompasses a wide range of products and applications, and it remains a fiercely competitive industry with many firms vying for market share. If a potential fintech partner offers a POC engagement to demonstrate their value, it may be the best way to find out whether they can truly deliver on their promises.
However, it’s essential to prioritize data security, privacy, and regulatory compliance when considering new products or services for your organization. Don’t become too captivated by a potential POC without first ensuring that these concerns are adequately addressed.
If your organization takes a careful approach and implements strong third-party risk management practices, exploring fintech's new products or services can be a truly enlightening and exciting opportunity.