For a financial institution, a fintech acquisition or partnership can open the door to a variety of new business, operational and customer engagement opportunities. However, this effort can also be fraught with risks. Rigorous practices related to internal controls and regulatory compliance diligence are essential when integrating these new services into the existing financial institution. Failure to address fintech risks could lead to criminal threats, security breaches, steep financial penalties, damage to organizational reputation and more.
Here are five key risk areas to address when acquiring or partnering with fintech companies or third-party fintech providers:
1. Anti-money laundering compliance
Company, your organization will want to perform a Bank Secrecy Act (BSA)/Anti-money laundering (AML) risk assessment in order to identify vulnerabilities to money laundering and terrorism financing. It is important that the financial institution identifies the owners and affiliations of the fintech, and is aware whether the fintech business operates outside the United States. After the assessment is completed and risk areas are identified and addressed, on a periodic basis the financial institution should re-evaluate and assess to capture changes in the risk environment.
2. Controls alignment
Map your organization’s financial and operational controls and processes with that of your acquired fintech to identify gaps and risks. Conduct detailed controls assessments following integration as well and adjust as needed to ensure alignment. Consistent monitoring is key here to make sure the financial institution and fintech are united in finance, accounting, and operations policies and procedures.
3. Security and privacy issues
More than likely, your fintech integration will include the sharing of sensitive data, information that requires the utmost security and privacy measures. Your fintech solution will need to address a variety of cybersecurity risk areas, including compliance with industry standard requirements like GLBA, PCI, HIPAA, HITECH and more. Other areas of risk assessment may include whether the fintech has information security controls in place such as policies, procedures and audits; whether the fintech works with subcontractors; whether it has encryption, document destruction policies and disaster contingency planning, and more.
4. Regulatory compliance
While fintech and third parties may not be subject to the rigors of strict banking compliance, as soon as they become engaged with your financial institution, these parties must shoulder the same standards and regulations as your organization does. These include mortgage regulation; fair lending; unfair, deceptive and abusive acts or practices (UDAAPs); the Consumer Financial Protection Bureau; and BSA/AML compliance. Clearly there are a variety of compliance measures to consider and align.
5. Cultural fit
As in any integration of two companies, organizational cultural alignment is also essential to the service launch success. Partnering with fintechs who share common business values with your financial institution is ideal. For instance, if the acquired fintech has an aggressive marketing and sales function while your institution is built on a more low-key sales strategy, this solution may not be the best fit in the long run. Choose fintech companies and providers that share similar core values and business philosophies.