Best practices for working with fintechs and integrating them, and common risk areas that banks & fintech partners have to focus on.
Key takeaway:
Core items to build out a successful compliance program with a Fintech firm
Transcript:
Christina Huntfuhr (00:04):
So we have no moderator today and we're kind of just going to facilitate a conversation with the two of us, but because we have no moderator and no slides, we're unfortunately going to look down at our phones a little bit to remember what we were going to ask each other. So we apologize for that in advance. Do you want to introduce yourself?
Babette Reynolds (00:22):
Sure, Thanks. So Babette Reynolds, I am the Head of the Enterprise Compliance Program office at Truist. I've got about 25 years of experience in the banking industry running enterprise wide and global operational risk compliance, risk and risk management programs.
Christina Huntfuhr (00:41):
And I'm Christina Huntfuhr, I've 32 years of work experience, which yes, I'm pretty old. About half that time was as a regulator for the FDIC and about half that time was most of it was spent at Green Dot Corporation as their Chief Compliance Officer helping them find a bank and build a compliance program. And most recently, I've just finished my second year at Klaros Group. We're a consulting firm. We work a lot with banks and fintechs, helping them partner together in responsible ways.
Babette Reynolds (01:11):
Great. Thanks Christina. So today we're going to spend some time talking about specifically how to manage compliance risks when banks and fintech's partner. For those of you who've been here for the last two days, you've heard various kind of presentations that touched on the new regulatory guidance. We'll talk about that briefly and then we'll also get a little bit more specific around when you've got regulatory laws, rules and regulations and the requirements that are associated with those, how do you manage those? We're going to get a little bit more granular, but first I think we wanted to do a little bit of a poll with the audience. How many of you are with banks? Okay, it's about half. And then how many of you're with fintechs? Okay.
Christina Huntfuhr (01:56):
I have another question. How many of you have read the new final guidance and done a line by line compared to the proposed guidance? None of you. Awesome, because I did that for you.
Babette Reynolds (02:08):
She's got some talking points on that. So just a few things that we're going to touch on today, and we really don't know how many of you have deep experience in managing this. So this is going to be a little bit of a granular level. So for those of you who know this, feel free to chime in if you feel like there's anything you'd like to add. So a few things is, one is you really need to understand the regulatory expectations for banks when managing third party risk. And so we're going to touch on that. Christina's going to go into that into some detail on the new guidance and then a few other kind of tips with your compliance risk management program and how that aligns to your third party risk management program. You really need to know who your third parties are. So having an inventory of the third parties, you really need to know your risks. And again, we're focusing on compliance risks. So what are the regulatory requirements that you have and mapping those to your third parties and then ensuring that you understand the controls that you need to have to manage those risks that'll influence your contract language. We're going to talk a little bit about that and then your ongoing monitoring for those. And then I think one other takeaway, and we'll touch on that as we talk is can't emphasize this enough, whether you're on the FinTech side of the bank side, bring your compliance partners and your risk partners in very, very early. For those of you who've done this before, if you bring them in late, it slows everything down at the end because these are steps that can't be skipped and it's better if you bring them in at the beginning so that the risk piece can be done in parallel with the other onboarding that you're doing and it doesn't slow down the process. I guess those are some of the opening points we're going to jump in. Now, Christina, I know you've done a lot of an in-depth review of the new guidance and you've got experience with the guidance that came out before from the OCC. And so what are some of the key differences that you identified in the new proposed guidance that just came out actually not proposed anymore, it's now final.
Christina Huntfuhr (04:06):
Right. Well, first of all, the proposed guidance and the final guidance are very similar to what the OCC had previously issued in their guidance. So if you're an FDIC bank or a Fed Bank, this is going to be more different for your banks. But I will tell you based on my own experience, the Fed and the FDIC have been holding people to the OCC guidance anyway, as far as the final guidance versus the proposed guidance, the biggest difference that I think you'll all hear is that it's more principles based. So they've removed a handful of very specific requirements, but we'll discuss a little bit later that I don't know that it's all that meaningful.
Babette Reynolds (04:40):
Yeah, that's right. Well, that is the next question if you want to give some examples of the prescriptive guidance.
Christina Huntfuhr (04:44):
Yeah, so one of the biggest differences is that is regarding subcontractors. So the prior guidance made it very clear their expectation was for a bank to perform similar due diligence on a third party's critical subcontractors, and that created a lot of burden on financial institutions. And in the final guidance, they've removed that requirement and they've basically said, it's okay if you just look at that third party's third party risk management program. And I do think that's really helpful. It is helpful. I worry that banks may see that and go, oh, great, check that off. We'll just get a list of subcontractors and now I don't need to think any further about them. But the problem is you need to think a little bit about them. You need to think about what are those subcontractors doing, and if they're doing really important things for you, you need to be doing more due diligence, particularly if your third party, it's that third party's vendor.
(05:36)
And if that third party can't answer questions for you about that vendor's activities, you better be asking more questions. I'm going to give one example. So we were doing a work for a client and we were doing some compliance work for reviewing a FinTech partner. We happened to be reviewing some Reg E compliance. And so this particular situation, the bank handled Reggie claims, so they thought they felt pretty good about it, but I'm like, well, there's the whole intake, the customer calls and who handles customer service? Oh, well, FinTech handles customer service. Okay, well, can we get some call scripts? So I can see that they're actually initiating the call to initiate a claim. One thing led to another, the third, the FinTech had outsourced customer service. The client wasn't even aware of it, and the FinTech had customer service can be really expensive. They had chosen a customer service vendor that was going to be reasonably priced for a reason because this customer service vendor really had no financial institution experience. And so anyway, needless to say, reviewing chat and email scripts and they were not complying with Reggie as far as intake. So the point is you may not have to do similar due diligence. You don't necessarily need to get financial statements and insurance certificates and all that level of detail, but think about what the third party's contractors are doing and make sure you understand those things and ask the right questions.
Babette Reynolds (07:09):
Yeah, those are all great points. Christina, I'll just add for those of you who attended the FRB and OCC discussion this morning, they made a point, which is not a new point, but they made a point of emphasizing it that banks can outsource services and products, but you can outsource the risk of those. You own the customer, you own the risk, and so it's on you if the third parties or the fourth parties aren't doing what is expected to ensure you're meeting your regulatory requirements. I think that's just a good point that they made. So Christina, you've talked a little bit about the impact of these changes, but do you see a, I guess a big change from what came out before other than what you just mentioned with the fourth parties?
Christina Huntfuhr (07:53):
Not really. And I really don't think it changes what a bank should be doing for its due diligence and ongoing monitoring. While it may have simplified some things here and there, there's enough inconsistencies in the document as well that for example, in one section, and they used to have oversight and accountability under board of directors, and it said the board should review and approve contracts with critical third parties. Well, that's no longer in that section anymore. So you think, okay, great. I don't have to go to the trouble of bringing this to the board. But then in another section, they did not take that out, but they added the board may as appropriate review contracts with third parties. So now I think it just creates a lot of room for disagreements with examiners. So I think in the end you should just review it and make sure you have a reasonable argument for your proposed approach to how you're going to handle your third parties.
Babette Reynolds (08:49):
Absolutely, agree. And then I think on the last point that we want to touch on for this section of our discussion is did you want to talk a little bit about some of the enforcement actions, recent enforcement actions and what they mean for the folks in the audience?
Christina Huntfuhr (09:05):
Well, I think a lot of people ask, is this final guidance going to create more burden on financial institutions? And no, I don't think so because the regulators have already intensified their scrutiny regarding third party risk management anyway. And we have seen that through some enforcement actions. They're public cross river and Blue Ridge, and while they didn't, I don't think either really cited third party risk management, one-sided BSA one-sided fair lending. When you really read the details of them at the heart of it, it was third party risk management program failures. So I think the regulators are looking at this very closely now, and I think you should just expect the continued focus in this area.
Babette Reynolds (09:51):
And I think you've pointed out that in these cases it was specific regulations that weren't really being adhered to. And that's what we're going to get into in a few minutes is how do you make sure that you're adhering to those regulations so it falls under third party risk management even though they cited those regulations. So that's going to be a great lead. So should we just kind of go to the next piece? I think you've touched on some of these. Sorry guys. We don't have a moderator, so we're trying to moderate on our own here. Yeah. So you want to skip to the next section. We talk about some of the key gaps and third party risk management that have led to increased compliance risk.
Christina Huntfuhr (10:29):
Yeah.
Babette Reynolds (10:30):
What do you think some of those are?
Christina Huntfuhr (10:31):
Based on my experience, I think what I see is the biggest gap is when you're partnering with a third party, not taking the time to understand roles and responsibilities and in particular, what services are going to be provided by the third party, what are you going to be responsible for? If they have subcontractors, what are they going to be responsible for? And in that, if you haven't gotten a clear understanding of that, then you can't make sure you have a contract that's going to address the key things you might want to have in a contract to protect yourself as far as reporting obligations and things like that.
Babette Reynolds (11:10):
Yeah, I think that's a great point. I would add some of what I've seen, and so just to add a little bit more to my background was that Citibank running their global third party risk management program, and we were doing a lot of work with fintechs, especially in Asia and wanting to get the product and service to market faster. And so there was a sort of drive from the business to do this faster, get things done faster. So some of what I think I've seen in my experience, whether at city or some of the other places I've been is it's really important that you have an inventory of your applicable laws, rules and regs. And most banks, I would say all large banks, I'm assuming most of the banks that are here have that, but you have to also have that inventory of your applicable laws, rules and regs mapped to your service engagements. And that's something that I think doesn't always happen is that kind of really ticking and tying at the regulatory requirement level because that then leads you to what language do you need in your contracts, what controls do you need to have, what SLA, what ongoing monitoring. We'll talk a little bit more about that in a few minutes, but I think the lack of those kinds of inventories just puts you in a position where you're not in a good place to really be able to take and tie all those expectations.
Christina Huntfuhr (12:21):
Exactly. And I wanted to highlight another, a few areas in particular that I think we see often some gaps. It's regarding marketing complaints and BSA. So if your examiners, if they can find out more about your programs, then you know about your programs, you're going to be in trouble. So if they can go to the fintechs website and look at their marketing materials and identify right off the bat that there's a part 328 violation because they're advertising themselves as a bank and they're not a bank or there's something else concerning on Udap or something we've seen that happen where the regulators are going to the websites, they're starting to ask questions and the bank, if the banks themselves aren't reviewing those websites, then it doesn't make them look, it causes red flags and concerns rightly so. I think you'd all agree on BSA, AML. One thing we've seen is the examiners will go so far as to open accounts. If you're partnering with fintechs, they are going to go in and they're going to try an open account. So you said you got the fintechs BSA policy, and you said, okay, CIP. Yes, they're going to collect four things and they're going to verify that. But as we all know, the devil's in the details. So they collected birthdate, they collected an address, but how did they verify that? So we've seen the examiners go through the process and they intentionally lie and they give fake addresses. They actually put in prison addresses and they say, I thought you told me your CIP process didn't accept prison addresses. How come this got approved? Or I thought, why is it that I made up a birth date that's nowhere near my age, or I gave a city that's in a state way far away and how come I got approved for that? So the devil's in the details, and when it comes to very specific, CIP is a very big high risk subject for the regulators. Marketing is a very big high risk area and complaints. So on complaints, one thing we see a lot is the FinTech is responsible for customer service, but the bank hasn't set any expectation for what even defines a complaint. And the regulators, they want to know how are you getting information on complaints to analyze it and identify potential problems. So those are some really big areas that I think we often see issues, but there's others as well.
Babette Reynolds (15:00):
Yeah, I agree with that. So I think we wanted to go into a little bit more detail on the inventories of laws, rules and regs.
Christina Huntfuhr (15:10):
Yeah, Why do you think are best practices there as far as you come from a larger bank, and I think we see a lot of people questioning how far down in the weeds do you need to go when you create these regulatory inventories and try to map the controls? What have the regulators expectations been for you?
Babette Reynolds (15:27):
Well, in general, I think the expectation is that you treat the third party as an extension of your own operations. And so the bank is responsible for complying with the regulatory requirements at a pretty granular level. And so one of the things I think that's important to start with is understanding an end-to-end process and where does that regulatory requirement occur in that process? And so you've got to have the inventory, I talked about that before, but if you have that process end-to-end exactly where that regulatory risk presents itself, and if that's a part of the process that the third party handles, then you'd be expected to put the kind of control in place that you would put if you were executing that activity internally. And I think that's where I remember, I'll give you a good example of one internal business client that I supported as a compliance officer, and they were getting ready to outsource a pretty significant activity for the bank I was with.
(16:23)
And I remember him saying, I said, well, how are you going to govern this? This is a pretty broad outsourcing across a number of our different geographies. And he said, oh no, that's the beauty of it. I'm outsourcing this so I don't have to worry about that anymore. And I just remember having to have a long conversation with several long conversations with him because it just wasn't resonating. He was saying, well, now I have a throat to choke. And it just wasn't resonating with him that he still owned the risk and he had to have a way of overseeing that. And so I think that kind of gets into having the process clearly identified. Where does the risk occur? What regulatory requirements are there? What controls do you need to have? And then that flows into making sure that you've got the right contract language and the regulators touched on that earlier today. You've got to have the right contract language to ensure that you can get from the third party what you need to oversee their execution of the activities in a way that they're adhering to the requirements, but also that you have evidence of that because that ties back to your oversight and ongoing monitoring and the governance you'd be expected to do.
Christina Huntfuhr (17:29):
Yeah. What about GRC tools? At what point in, let's say you have a bank that's only partnering with a few fintechs and they don't have GRC tools. At what point would you recommend they start to leverage a GRC tool? I think you all know what that stands for.
Babette Reynolds (17:45):
Yeah, governance risk and compliance tools. So Archer an example. We use a Truist right now. That's a really great question. I don't think that's a simple answer. I would say in my long career in running governance, risk governance programs, manual processes, manual inventories, manual checklists, excel-based spreadsheets just tend to be prone to lots of errors. And so unless you just only have a few things that you need to keep an eye on, I think it's almost just critical that you build some type of tool. Now, how big that needs to be, how complex, which vendor, I'm not going to make recommendations on that, but I would say, as I mentioned before, you need to have your risks identified. So in this case, we're speaking about the compliance risks and that's part of your risk taxonomy, your list of risks, and then you need to be able to tie that to which third parties do these risks manifest themselves in their engagements? What are the controls that are linked to that? What's the contract language, what's the ongoing monitoring? And if those things sit in different databases or different modules, you need to be able to connect those so you can tell the story in a way that's not manual and that you can easily see through workflows if steps haven't been completed or if someone's late on getting something done, turning in their ongoing monitoring results or whatever it might be. I think it's really critical to be able to track that. And whether it's a formal GRC tool like Archer or you build something in house, I think it's just really critical that there be a tool that you can easily look at to see if steps were missed, if things are above threshold, if folks didn't sign off on approvals. I think manual processes just tend to be open for too many misses.
Christina Huntfuhr (19:37):
At Klaros, we've been doing a lot of looking at different GRC tools and there's a lot of really good options out there that do a lot more than just a regulatory inventory. They can do your learning system, they can be so many things in one place, it's fantastic.
Babette Reynolds (19:55):
Absolutely. And tying it back to the reporting that you need to do, right to manage your risk overall, because this is obviously just one area of risk for a bank. Christina, you do a lot of work with banks bringing fintechs into their environments, and are there things that you would recommend for fintechs to prepare for engaging in banks due diligence and ongoing monitoring processes?
Christina Huntfuhr (20:18):
Yeah, absolutely. So I end up doing a lot of due diligence on fintechs on behalf of financial institutions. And the one thing I have found is that, one, they're not very familiar with the regulatory guidance. So the fintechs should be as familiar with the regulatory guidance as the banks, and they should think about the story they want to tell and they shouldn't make the bank. And you get a lot of complaints from FinTech saying, oh, this process is so burdensome. It took way longer than I thought. But the fact of the matter is it doesn't have to be that way. And you can control this if you do read the guidance. And yes, the regulators have said this is illustrative and it's not meant to be a checklist, but I think we at Klaros would think we would advise, you should consider it a checklist as each item is relevant. Of course you can put not applicable in certain situations, but if you're a FinTech, look at it, put together a really thoughtful package, and when you get approached by the bank, hand them the package and you shouldn't make the bank have to beg for information. If your last audited financial statement is 2021, don't just give them that and then be silent. They're going to come back to you and want something more current. It just creates red flags and lack of confidence between the bank and the FinTech when the bank has to keep asking for information. And if your interim financial information shows you've never made a penny in your life and you don't have capital, have a story and be prepared to tell it. And in a perfect world, maybe you've already put some materials together that address all of these things, and we like helping people put together these packages. So I will just say we hear so often that the process is burdensome, but it really can be quick and efficient if you just put the right materials together.
Babette Reynolds (22:14):
I think those are great points. And speaking from the bank perspective, I agree with that. And that's one of the reasons that I wanted to come and give this panel discussion is because I think that there's a benefit to us all in the industry. The more that we all know about these regulatory expectations, the better that we all get at this, the more comfort the regulators will have that we all kind of understand the expectations. And I've heard a couple of really good conversations around the third parties that are being very proactive about this and saying, okay, well, we are going to come with that story so that when a bank for example comes and says, well, we've got to create, these are the regulatory requirements or operational risk requirements, whatever they might be, and they say, well, we have to have these contract terms and we have to be able to get this data from you all and in an ongoing way, provide this information to us. That shouldn't be a tough negotiation point. And it can be sometimes a lot of pushback from the third party, but that just creates, I think, a lack of comfort, especially from the risk partners at the bank to say, well, why wouldn't you be comfortable giving us that information on an ongoing basis? And I think the more that we all can just become more knowledgeable that these become just expected things rather than tough negotiation points, I think it'll make the individual onboarding much more successful for a particular FinTech with a particular bank. But also I think overall just get us to a better place in the industry where there's just a comfort level that we all know what's expected, we all just do it, we don't fight about it. And there are plenty of folks out here that are willing to help folks navigate whether that's on the bank side or the FinTech side. So I don't know if you had any other points that you wanted to make, Christina.
Christina Huntfuhr (24:01):
I just wanted to highlight something you said earlier at the very start, but that has run the third party risk management programs, and I think we see a lot of institutions create a third party risk management department, which is fantastic because it's a lot of work and if they can simplify the process of gathering materials. But the one thing I would caution every bank about is it's not sufficient for a third party risk management program office to just gather documents and checks some boxes. You need to have those stakeholders, like you said, involved and at the table because they're the experts. So you should have legal compliance, information security risk.
Babette Reynolds (24:41):
Early, involve them early. And if you're on the business side of the bank, don't resist the risk folks either, because with the new guidance coming out, you see that these requirements aren't getting lessened. I think they're here to stay and these are boxes that have to be checked, but there's meaning behind it and they can't be skipped. The earlier you bring the risk partners in the more smoothly I think the overall onboarding is going to go and it won't slow things down at the end. I've been in that position, which is very uncomfortable, where my team wasn't brought in early enough and they were ready to kind of go live ready to sign things because the business partner knew the FinTech head of the FinTech and they kind of did their own thing on the side. And so they were going super fast and then all of a sudden they found that all these boxes hadn't been checked and the risk pieces weren't cared for, and we had to put the brakes on everything. And that creates just a lot of frustration for everyone. So bring your partners in early and also learn about the requirements yourself. So it just becomes part of how you manage your business too.
Christina Huntfuhr (25:46):
And one more thing, not only bring your partners in as well, but make sure those partners are staffed appropriately. Because what we see is bank partners with one FinTech, then next thing you know they've got 10 and then it's 20. And the compliance team is still two people and there's a lot. And of course they only can do so much. So I'm always rooting for more staffing and compliance, but there's a lot to do to oversee the vendors and partners for that matter. And again, if you build the right processes through the G R C tools and the inventories, and hopefully you can automate when you put your inventory together and you say, here's your regulatory requirement, here's our control. And the first thing you think of is, what automated control can I put in place?
Babette Reynolds (26:41):
Absolutely.
Christina Huntfuhr (26:42):
And then for those, you can't have to have other monitoring and testing. So hopefully you streamline your process somewhat, but still your compliance and your risk teams and all the supporting groups have to scale with the programs.
Babette Reynolds (26:55):
Absolutely. I think we have a few minutes left. Don't know if folks have any questions that we could answer.
Christina Huntfuhr (27:02):
Yes.
Audience Member 1 (27:06):
Can maybe give some specific insight into what exemptions on this new guidance there are for affiliates of banks from maybe some of the supervisory stuff like the gating mechanisms or talk about.
Christina Huntfuhr (27:27):
Yeah, so I think the question was about if there's any exemptions for affiliates of the bank. And in the preamble you'll read that some people wanted them to carve out affiliates and they did not. So maybe you could, there's a lot of discussion about tailoring the entire guidance as appropriate and as relevant. So I think there's probably room to tailor some of the due diligence and ongoing monitoring that you'll do. And I definitely know from experience the regulators expect a bank to be looking over its affiliates.
Babette Reynolds (28:04):
And I would say even more specifically, my experience has been in some of the large banks I've been with that there need to be affiliate agreements where there are services being provided back and forth within the bank that some parts of the bank would be considered a third party to the other part of the bank. And so it gets even more complicated. And then if you have global banking subsidiaries, then some of those local governments have even more very specific requirements that sometimes the, so US based bank Polish subsidiary, Polish government expects the US-based bank's technology group to be treated as a third party to the Polish subsidiary. So it gets even more complicated.
Audience Member 1 (28:49):
So is it fair to say that there really isn't the carve out then at all for affiliates that we should be treating affiliates in the same way as third parties for site purposes?
Babette Reynolds (28:57):
Yes.
Audience Member 2 (29:05):
I invest in run tech companies across to businesses, work in finance. It's quite frighten on a banking, I get it. Compliance risk, huge responsibility to society. But I'm just wondering, just observing, I'm wondering how much for tech, how much Customer Centric do you think about, this is our if you want to, that's it. Do you leave on the table for companies? I know that won't go into finance because it's just too cumbersome because they don't want to invest in compliance teams and they'd rather invest in their technology.
Babette Reynolds (29:54):
So I think the question is for tech vendors, how can banks make it easier, especially for tech vendors that don't come from the finance space? I guess I'll start and then maybe Christina, you can add on. I think that's actually part of why I'm here is to say that I don't think these steps can be skipped, but I think we can all do better together so that we all get more familiar with what the expectations are. So for a particular bank, if a FinTech came to my bank, I would say for FinTech partners, talk to the business person that you're working with and say, I want to talk to your risk and compliance people. Now if it looks like you're going to start to move down that path, and I'd be happy to sit down with any FinTech that wants to do business with Truist and walk them through what's coming. And even if you're in early days, we have a Truist Ventures where we have partnerships with fintechs, and I'm happy to go and speak to them and just say, even before you're even interested in doing some specific work with us, here's what you need to build in terms of your own compliance expertise as it was Christina was mentioning, become familiar with it. There's plenty of folks that would help you. For me, like I said at the beginning, I see this as a community service for me to kind of go spend time, I wouldn't, I am not a consultant Now, I can't say Christina, that's what she does for a living. But I think that there are opportunities, but I think you have to take it upon yourself to learn now as you're trying to get into it. And then I just don't think the steps can be skipped. It's not, the banks aren't making it more onerous because we just love this stuff, right? Yeah. We have to do it. So I don't know if you doubt it.
Christina Huntfuhr (31:32):
Well, and again, I think it comes down to exactly what services the third party's providing, and it can be very tailored. You can skip half the due diligence if half of it's not relevant. So it's really just making sure you understand what is relevant and putting together a package that addresses those things. And one thing we see a lot too is on monitoring and testing and do we have to duplicate efforts? Do they have to do it and we have to do it? And isn't this a waste of time? And as Babette has said, the regulators expect it's the bank's product, it's the bank's customers in the end. And so they do always expect the bank to be doing some monitoring and testing. Now, having said that, if you have a third party that's doing its own monitoring and testing, they should be, it's proactive. They're trying to identify issues and have a good product, and they want to identify issues before the bank is coming to them or a regulators coming to them. But that doesn't mean you both should be doing the exact same thing. Maybe the bank can look at what the monitoring and testing program is of the partner and leverage that, maybe use sampling of instead and just get comfort with that instead of having to do it all over again.
Babette Reynolds (32:42):
Yes, And we do that. I would send my testing team and sample, get some comfort that you can rely on the monitoring that's being done by the third party, periodic sampling and yeah, not retesting everything. I think we might be over time. I think we are over time. If you have any questions, feel free to follow up with us. And thank you for your time.
Staying ahead of the regulatory landscape for Fintech firms
June 28, 2023 2:27 PM
33:14