Fintech has certainly made some waves in the financial industry. With fintech organizations on the scene, gone are the days of having to rush to the bank to deposit a check or go to the ATM to check your balance. But there are still a lot of people out there, young and old, who don’t quite love entrusting their earnings to the “new kids on the block.” Who’s to say fintechs understand the old-school rules that should always apply in financial institutions?
If you’re a fintech looking to charm some hesitant prospects, consider a well-developed vendor management program. Here are a few surefire ways to run a tight third-party ship and ensure your clients continue to feel confident in your processes.
6 Vendor Management Tips for Fintech Organizations
1. Develop a good foundation for third-party risk management practices.
Creating a thoughtful, practical and holistic structure from the ground up is the best way to ensure success moving forward. The major components of the development phase will include establishing protocols for assessing vendor risk, conducting due diligence, managing contracts and overseeing vendors. This can be an arduous task to set up, but once you’ve established a strong foundation, the upkeep becomes much less cumbersome.
2. Make sure to include the board.
According to guidance issued by the OCC in 2013, at the end of the day, the board of directors is responsible for the protection of customer information. In fact, there are more than ten references to board involvement in the OCC guidance, which include establishing risk appetite, making sure appropriate risk controls have been established and making the final call on risk-based decisions. The board shouldn’t only be heavily involved in the vendor management process, but should also be supplied with risk metrics in order to make strong, risk-based decisions for the program and the organization as a whole.
3. Stay on top of changing guidelines.
Whether you’re new to the game or have been at this a while, staying on top of regulatory guidelines is just part of third-party risk management. Things are constantly changing, so it’s important to continue studying and learning the language of third-party risk management. It’s truly critical to keep up with changing guidelines.
Review the regulatory guidance often, which includes:
Additionally, on March 5, 2020, the OCC issued an updated series of FAQs to supplement their 2013 guidelines around third-party risk management. These FAQs highlighted more than a few fintech-specific topics including, but not limited to:
- Third-party relationships with cloud computing providers
- Third-party relationships with data aggregators
- Criteria for board of directors surrounding critical fintech activities
- Multi-bank collaboration using the same third-party fintech provider
- Mobile payment providers
With these at hand, you’ll have better insight around what the regulators require from the financial institutions you’re dealing with and have a stronger framework for your own third-party risk management protocols and procedures.
4. Respond promptly to the increased oversight requests.
As you likely gathered from the above, regulations are constantly changing, which requires agility throughout the industry to adapt to rapidly shifting requests and expectations. It’s just the name of the game. Should you hit an unexpected roadblock, or find you can’t meet a particular requirement, try to create opportunities for discussion with your client to come up with workable alternatives. Honest communication is key.
5. Evaluate your complaint management procedures.
It’s important to ensure your internal complaint management procedures align with your client’s expectations. The CFPB is the king of complaint management, and trust us, their enforcement powers have been large and in charge within many recent UDAAP actions. So, a word to the wise: get these in line now so you don’t find yourself scrambling later.
6. Don’t underestimate the value of external audit reports.
With the increasing importance of third-party risk management, more and more organizations will be looking for an easy way to vet their service providers, especially fintechs. Having a SOC assessment available to demonstrate control effectiveness will be an immense strategic advantage over your less-audited competitors. You may also need to provide a Technology Service Provider Report of Examination, which is a report of your most recent regulatory examination.
It’s important to mention that these SOC assessments will be analyzed to determine the effectiveness of your controls around the products and services you provide, and that SSAE 18 standards include vendor management in the SOC assessment process.
We believe you can create a strong third-party risk management program that will not only protect your organization, but will continue to bring innovation to the industry and consumers alike.
Want even more vendor management best practices for fintechs? Download the infographic.