Podcast

Could industry standards prevent the next Synapse-style mess?

Sima Gandhi, co-founder, Council for Financial Ecosystem Standards
"For a lot of the other banks that are looking at this [banking as a service] opportunity, there's a real pressure, rightly so, to be investing in the right types of compliance frameworks and resourcing," said Sima Gandhi, co-founder of the Council for Financial Ecosystem Standards. "And I think that there's a real opportunity there for them to share the cost of that due diligence in that framework by using something like an industry standard or certification process."

Transcription:

Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.

Penny Crosman (00:03):

Welcome to the American Banker Podcast. I'm Penny Crosman.

The past few years have been rough in the world of bank-fintech partnerships. Many banks have received consent orders from their regulators about shortcomings in their fintech partners' compliance with banking rules, and in a case involving banking-as-a-service middleware provider Synapse, about $96 million worth of customer funds are still unaccounted for. Synapse and its main partner bank Evolve have accused each other and other banks of mishandling customer funds. Fortunately, not everybody is in such a dire predicament, but there have been challenges cropping up throughout this whole industry.

Joining us today is Sima Gandhi, co-founder of the Coalition for the Financial Ecosystem Standards, a group that has recently produced a framework of industry standards for risk management and compliance on bank-fintech partnerships. Welcome, Sima.

Sima Gandhi (00:59):

Hi, Penny. Thanks for having me.

Penny Crosman (01:01):

Thanks for coming. So when you think about what's been going on with bank-fintech partnerships over the past year or two, what are some of your biggest concerns?

Sima Gandhi (01:12):

Well, I think that bank-fintech partnerships play one of the most important roles in enabling innovation within financial services. If you think about some of the larger players in the space and some of the most important advances in product, they've really come from this nexus of banks operating with fintechs. And when I think about what's happened over the past few years, I think that one, the challenges in operationalizing TPRM [third-party risk management], which has really been written for a vendor relationship, has translated into a lot of uncertainty around how banks and fintechs should manage each other in a way that enables safety and soundness while also promoting innovation. And that balance has been really troubling for the market, resulting in consent orders and just making it more difficult for companies and entrants to be in this space. And then I'd say the second piece and sort of related is that the cost of compliance, the cost of operating these partnerships, I'd say is disproportionately higher than it should be because of that uncertainty and that challenges the business model. And these business models are vital for innovation and for community banks to be able to have a shot at competing in what is an increasingly digital and software driven economy. So my hope is that we can address both the economics and the efficiencies of these models, as well as enable more market certainty through a set of standards that addresses the risk and compliance priorities.

Penny Crosman (02:43):

What are some things you think banks could or should be doing differently with their fintech partnerships?

Sima Gandhi (02:49):

I think that answer depends on the bank. A lot of the big banks in the space have been here for 10 years running these partnerships and have a lot of lessons learned. And I'd say there's probably not that much more they should be doing differently because they've really ironed out the wrinkles and their processes. And candidly, they probably enjoy a bit of an advantage in this space. And I think there's a different question around whether compliance should be a competitive advantage or whether that should just be table stakes for business. But for those banks, I think they've got great processes and there's probably opportunity for efficiency, especially when it comes to enabling technologies. But for a lot of the other banks that are looking at this opportunity, there's a real pressure, rightly so, to be investing in the right types of compliance frameworks and resourcing. And I think that there's a real opportunity there for them to share the cost of that due diligence in that framework by using something like an industry standard or certification process.

Penny Crosman (03:59):

And on the other side, is there anything you think fintechs should be doing differently or more when it comes to their bank partnerships?

Sima Gandhi (04:08):

Yeah, I wrote an op-ed on this last summer, and I think the reality is that fintechs need to be doing more. This isn't just the bank's problem to solve when it comes to regulators or enabling really great risk management and compliance. The fintechs need the banks just as much as the banks need the fintechs. And that's partly one of the defining thesis of CFES is that the fintechs can band together, invest resources, time, effort, and pull together standards that help hold themselves accountable to the banks as well. And I think that while banks are obviously an important part of that conversation, fintechs can take the first step in that direction and really partnering with them to ensure that there are aligned expectations around fintech and what compliance and risk management looks like within that space.

Penny Crosman (04:59):

How about the banking-as-a-service middleware providers? Do you think there are some lessons learned for them in all that's happened?

Sima Gandhi (05:07):

Yeah, I think look, at the end of the day, let the market dictate. I think that obviously more players involved increases the number of touch points and makes the conversation around accountability that much more difficult. But I don't think that's an insurmountable issue at all. And I think that there's actually a lot of benefits that come with these enabling softwares because of the expertise that they bring to the table, their ability to cut across the industry. And especially when you look at smaller companies entering the space, this is done right, the ability to rely on program managers to do things the right way. So I would say what needs to happen is the conversation needs to be focused on the outcomes, and that's where I think a certification or a framework can help us align on that. Then how it's delivered, whether it's through an enabling software or a direct relationship or a vertically integrated bank that's starting to offer its own applications, it should not matter. That should just be market dynamics. And so we really just need to take the obfuscation out of the conversation by making the facts of the case much more clear so that there's more accountability and transparency.

Penny Crosman (06:21):

What do you think about the so-called Synapse rule that the FDIC proposed, which basically would require banks holding custodial accounts for fintechs to ensure that their account records are accurate and that there is a reconciliation every single day for every customer? Is that something that was needed, do you think?

Sima Gandhi (06:44):

I feel sometimes I have a bit of a contrarian perspective on this one, which is the actions that happened at Synapse were arguably in some way malicious, fraudulent, criminal, whatever you want to call it, and that if that had happened within a bank itself where funds were being diverted from custodian accounts to operating accounts, you have the same problem. And so I think that it's very hard for rules to prevent that type of behavior. With that said, I do think that in principle, having accurate records and ledgering systems is critical, and that should definitely be a standard, and we have that encompassed within our framework as well. But I do think that the market and the partnership itself should have some flexibility in how that's adopted. A 24-hour cycle or a real-time cycle is quite prescriptive and doesn't always make sense. Think about the fintech with 20 large commercial accounts where the flow of funds is quite slow, to impose the same type of burden on all of the fintechs or to specify where exactly that ledgering and reconciliation should happen is from my perspective, putting form over substance. And I really like the conversation to be focused on the substance. So we're moving away from compliance theater or things that make people feel better and really focused on accountability around the outcomes.

Penny Crosman (08:16):

So tell us a little bit about this framework that you and your members have created. What are some of the basic elements of it?

Sima Gandhi (08:25):

Yeah, so first, the defining thesis behind this was we need to operationalize TPRM. I think the industry has been asking for more clarity around what risk management and compliance should look like regularly. Just point to TPRM 30-point risk management guidance. They put out another guidebook last year. But a lot of that is really within the context of the vendor relationship, not necessarily the partnership. And these bank-fintech partnerships are so varied. They can look so different, as you yourself mentioned around the middleware, that having one model is difficult to fit them all into. And so the framework we adopted was really taking the spirit of TPRM and the guidance provided within it to identify six different compliance categories. And then within those six different compliance categories are nine different program elements, think of a matrix approach where within each of the six, you're really looking across nine different categories, whether it be governance or training or testing and monitoring.

(09:25):

So that we're able to assess a fintech's risk management and compliance practices in a way that's comprehensive in a way that's consistent and in a way that's calibrated risk. And our hope is that by using industry-led standards, that's common across all fintechs. It makes it easier for banks to assess. It makes it easier for examiners to assess, and it makes it easier for fintechs to hold each other accountable. And I think that type of transparency then enables the type of competitive and innovative ecosystem we want and gives comfort that it's being done in a way that's safe and sound and aligned with regulatory principles.

Penny Crosman (10:03):

How can a bank be sure that its fintech partner is doing all of the compliance and risk management practices that you're talking about? I mean, without being in their offices all the time, how can they know that this is actually happening on an ongoing basis and therefore it won't come back to bite them in some way?

Sima Gandhi (10:28):

Yeah, that's the accountability point. And look, I think asking for accountability 24/7, 365 days of the year is the standard we should be aiming for. But the practical reality is that we have to take steps that enable us to measure that in a way that is effective and efficient and pragmatic. And the way that I conceive this is, and CFES thinks about this is there are certifications that happen, by expert independent third parties that not only test or assess a fintech's policies and ensure that they're saying the right things, but also get into the weeds and look at how they're operating against those policies. And as you can imagine, the conversation between the bank and the fintech is how often should that assessment be happening? And for a slower, younger fintech maybe that happens once a year; for a very fast, quickly growing fintech whose risk profile might be increasing as its scale increases or the complexity of the product increases, that might need to happen every six months. And that's a conversation that should happen between the bank and the fintech. At the end of the day, the regulators have made very clear that the bank is the responsible party, and we want to put banks in the risk management driver's seat. They should be making those decisions around risk management and what works for them. And our jobs would be to empower them in making those decisions as best as they can.

Penny Crosman (11:57):

Yeah, sure. That makes sense. And how might this framework be enforced, if that's the right word, is this basically a set of recommendations that you're hoping people will adopt? Could there be some sort of approval program or something that some third party might do?

Sima Gandhi (12:21):

Both of those things, Penny. I think one of the reasons we decided to release the standards in its detail format we had initially talked about more higher level format is that we wanted to provide a resource to the industry so anyone could look at it, any fintech could look at it and understand their expectations. Over time, expectations should be aligned between the bank and the fintech. But then the second, we also wanted to make these meaty. We wanted to have them. And so there is a certification process against them. Fintechs can get certified against them in a lot of ways. You could think of it as analogous to a BSA/AML audit, but I like to say that these are actually much more robust than an audit. An audit is generally against a set of behaviors that you yourself represent. And so it's verifying that you're doing what you say you're doing, whereas this is verifying or assessing a fintech against what the industry benchmark should be. So if you're not doing something that you should be doing, that's going to show up and that's much more robust than a standard audit. And we're doing this across six different compliance categories. So the certification is definitely part of the conversation, and my hope is that those certifications help, again, ensure more consistency and language across the different fintechs, the banks and examiners, and strip some of the taxonomy conversations or piecemeal conversations out of the picture and keeps folks focused on the four corners of a document in a report.

Penny Crosman (13:55):

And who is actually going to do that auditing and certifying?

Sima Gandhi (13:59):

Yeah, great question. We contemplate that independent firms will do those and they need to be expert in what they do. And so we look at the PCI models and SOC 2 as really great standards for how this has been done before where bodies like CFES set those standards and training programs so that other firms can come in and get certified to do that in a way that's credible so that the certification holds weight when it's done.

Penny Crosman (14:30):

Okay. So what might the next year look like for you and for this new-ish group? Are you going to be basically refining this and seeking adoption of this framework? Do you have other projects you're working on?

Sima Gandhi (14:49):

We have a lot of work ahead of us, Penny, so I really appreciate you covering this and helping us get the word out. This is really our first compliance module. It's the core basic risk management and compliance module. And our next steps are really to create the lending module that sits on top of this. So we don't, in this one, cover things like TILA or credit policies. This is really the core compliance across ops risk, business continuity, complaint management that really any fintech partnership should have in place. And so we want to get much more modular. So lending is a set of standards that we'll need to work on. Payments when you're starting to move money is another set of standards that we'll work on. And we also aspire to really be a resource for bank and fintechs that are identifying other areas where standards could be of use. And one area is BSA/AML, that is a set of standards or statutory requirements that's been put together, but that are no longer really relevant or applicable to a more digital age. So there's an opportunity for us to work together and using the same type of mindset that look to modernize some of these financial regulations and guidances in a way that's more reflective of the reality that companies are operating in today.

Penny Crosman (16:14):

Yeah, that sounds important. I think every consent order against a bank, I've seen that related to fintechs talked about BSA/AML. It seemed to be like the number one thing that regulators have been drilling in on, at least for the past three years, I would say. So getting some kind of firm grasp on what that should look like for fintech partners would really be useful, I think.

Well, Sima Gandhi, thank you for coming and sharing insights on the work you're doing and to all of you, thank you for listening to the American Banker Podcast. I produced this episode with audio production by WenWyst Jeanmary. Special thanks this week to Sima Gandhi at Coalition for Financial Ecosystem Standards. Rate us, review us, and subscribe to our content at www.americanbanker.com/subscribe. For American Banker, I'm Penny Crosman and thanks for listening.