FinXTech Intel 2023 report final 2 - Flipbook - Page 17
4. Having the board of directors and management oversee the banking organization's risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews.

5. Conducting ongoing monitoring of the third party's activities and performance.

6. Developing contingency plans for terminating the relationship in an effective manner.

Executives should pay special attention to third-party relationships that support a critical or significant function at the bank. Excerpted from the guidance, critical activities are defined as functions or capabilities that:

• Could cause a banking organization to face significant risk if the third party fails to meet expectations.

• Could have significant customer impacts.

• Require significant investment in resources to implement the third-party relationship and manage the risk.

• Could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.

Failure to update a bank's own risk parameters and third-party risk management program can result in scrutiny from regulators. One specific area of focus is bank information technology issues, or BIT. BIT concerns are "elevated" among national banks and make up 25% of all cited supervisory concerns, said Acting Comptroller Michael Hsu in a September 2022 speech. He said a majority of these issues tie back to the "fundamental elements" of risk management, such as board oversight, governance and internal controls. Common BIT issues include insufficient information security controls, issues with managing and making changes for emerging products and services, and IT operational resilience.

Banks do not have to manage this responsibility alone. John Behringer, a financial institutions leader and risk consulting partner at RSM US LLP, recommends executives engage external legal counsel that has experience in the financial technology space — especially in the particular area the bank is exploring — for insights on best practices and regulatory expectations. Bankers should also solicit feedback from their consulting and technology advisers that have done integrations with specific companies to "hear … what the experience is really like and what the pitfalls are," he says.

Setting Up for Success

Third-party risk management and due diligence are an ongoing responsibility that continues for the duration of the relationship. "Initial due diligence is important to fully vet and understand the opportunity and risk, while ongoing monitoring to includ[e] enhanced monitoring based on triggering events, is warranted due to the nature of these relationships," wrote Alloy Labs and Crowe LLP in a white paper focused on fintech partnerships.

Due diligence should help executives establish where the partner stops and the bank starts, and who is responsible for what aspects of the relationship. Banks may also want to know who their vendor's vendors are, given that a number of malicious actors have hacked into large service firms to gain access to their clients. Fintech partnerships are another entry point that can allow a hacker to gain access to a bank, so it's important to understand how the fintech firm manages its own security and privacy, as well as the bank's and the bank's customers', if applicable. Behringer says it sometimes feels like "fourth-party due diligence" but that at the end of the day, banks should know what risks they're taking.

For more on cybersecurity, skip to page 20.

Executives should bring up the expectation for ongoing due diligence with prospective partners during negotiations, Behringer says. They may also want to bring up the possibility of evolving regulatory expectations and how those changes will be managed, especially in areas that are uncertain or rapidly changing, like crypto assets.

Fintechs also have some unique characteristics that may challenge or complicate some aspects of a bank's third-party due diligence. Most are newer companies, and they have varying levels of sophistication and maturity.
FINDING FINTECHS: HOW DO YOU DECIDE? | 15