As banking customers demand more innovative products and services, community banks continue to see the value of utilizing financial technology (fintech) providers to increase efficiency and reduce costs. In response to this evolving financial landscape, the FDIC, the Federal Reserve Board and the OCC recently released Conducting Due Diligence on Financial Technology Companies - A Guide for Community Banks. Although community banks aren’t required to use this guide, it provides helpful suggestions and the six areas of due diligence to review for fintech companies.
6 Areas of Vendor Due Diligence to Review
- Business Experience and Qualifications: It's essential to review the vendor's experience, goals, strategies and qualifications to ensure they can support your organization's needs. Verify all client references and/or complaints. This information can often be obtained from some of the following sources:
  - Company overview or organizational charts
  - Public records of legal or regulatory actions
  - Social media or news reports
  - Summary of operational failures
  - Employment policies
  - Professional information on board of directors or executive directors
- Financial Condition: Financial records and funding sources should always be evaluated to ensure that the vendor will be financially stable enough to provide the outsourced activity well beyond the length of your contract. Organizations should also consider the scope of the vendor's client base, as the loss of a critical client may be significant enough to impair the vendor's ability to meet its obligations. Learning about the financial condition of your vendor can be accomplished by reviewing the following items:
  - Financial statements
  - Auditor opinions
  - U.S. securities filings
  - Sources of funding
- Legal and Regulatory Compliance: You should evaluate the vendor's legal standing and its knowledge of applicable legal and regulatory requirements. An inexperienced vendor poses a significant risk should it fail to comply with applicable regulations. Request that the vendor provide a five-year legal history, including any material litigation and judgments, and research whether the vendor has been subject to any regulatory enforcement actions. Here are some resources that may help in evaluating your vendor's legal and regulatory standing:
  - Internal policies, procedures, training and controls related to industry regulations
  - Articles of incorporation, certificates of good standing and applicable state licenses
  - Form 10-K and/or 10-Q filings
  - Information related to lawsuits, settlements, customer complaints or enforcement actions
  - Proposed marketing materials
- Risk Management and Controls: Your vendor's risk management program and controls should be thoroughly reviewed to ensure they're effective and consistent with your organization's risk appetite. Their risk management processes should provide details on responsibilities, reporting practices, testing results and how employees are trained to comply with procedures. Review the following vendor items:
  - Internal control and issue management policies
  - Training materials and schedules
  - Self-assessments
  - Results of control reviews and audit reports
  - Sample reports detailing key risk indicators and key performance indicators
- Information Security: Protecting sensitive consumer information should be at the core of any information security program. It's essential to ensure the vendor's cybersecurity practices effectively prevent vulnerabilities, or identify and mitigate them when prevention fails. Organizations are also encouraged to evaluate whether the outsourced function can be performed with an existing system or whether additional IT investments would be needed. Consider reviewing the following information:
  - Information security policies and control assessments
  - Security awareness training for employees
  - Incident management policies
  - Overview of technology and processes that support the outsourced activity
- Operational Resilience: Business-disrupting events can occur at any time, so make sure you understand how well your vendor is prepared to continue its operations. Identifying and responding to these events is critical, as is recovering and learning from them. The vendor's tolerance for downtime and data loss, along with its service level agreements, should also be assessed to ensure they align with your organization's standards. The vendor's reliance on subcontractors (your fourth parties) is another important consideration. You can obtain this information from the following sources:
  - Business continuity and disaster recovery plans
  - Cybersecurity reports
  - Insurance information
  - Suggested service level agreements
  - Outsourcing and subcontracting policies
  - List of third parties
Fintech providers can strengthen an organization's competitive advantage through innovative technology. Still, it's crucial to recognize the risks that can come with these rewards. The due diligence process can be a complex and lengthy step within the third-party risk management lifecycle, but it's a critical activity that protects your organization.