On August 27, 2021, the Board of Governors of the Federal Reserve, FDIC, and the OCC published new guidance aimed at community banks that are looking to expand their reach and service new customer bases through partnerships with financial technology companies (FinTech). While aimed at community banks, the regulators said the fundamental concepts could also be adopted by other kinds of banks and for other kinds of outsourcing partnerships. The regulators stated that the guidance was recommended but not mandatory and emphasized that it did not cover all types of third-party relationships.
The guide sets out six nonexclusive areas of due diligence that community banks should consider when engaging with FinTechs. The six key due diligence topics are: business experience and qualification, the companies’ financial condition, legal and regulatory compliance issues, risk management and control process, information security, and operational resilience. The guide then provides direction on potential sources of information under each of the six steps and includes illustrative examples.
Business Experience and Qualifications
- Business experience
- Business strategies and plans
- Qualifications and backgrounds of directors and company principals
- Financial analysis and funding
- Market information
Legal and Regulatory Compliance
- Regulatory Compliance
Risk Management and Controls
- Risk management and control process
- Information security program
- Information systems
- Business continuity planning and incident response
- Service level agreements
- Reliance on subcontractors
Given the regulators’ recent and recurring emphasis on vendor management, the board of directors and senior management of all banking organizations should consider whether their vendor management policies and procedures comply with the Proposed Guidance and include the areas addressed in the Guide when engaging FinTechs.