Stephen Curry is CEO of Endurance Advisory Partners, a bank risk management consulting firm.
Lessons for Banks of all Stripes
Regulators are paying closer attention to banking-as-a-service (BaaS) banks and fintech clients, signaling heightened concerns about potential risks in the system.
Brought to you by Endurance Advisory Partners
The past decade has witnessed significant advancements in payments technology, with automated clearing house (ACH) payment rails serving as a cornerstone of modernization. Despite the convenience this technology offers consumers, it still poses unseen risks to transactions and financial flows. Having discovered these risks during their bank examinations over the last nine months, regulators are taking steps to address vulnerabilities. In an era of increased regulatory scrutiny, banks need to pay close attention to these developments.
Fintech firms and technology vendors often lack the robust controls and effective risk-management practices that have been developed in the banking industry. Banks tend to underestimate these risk factors when assessing fintech relationships, potentially leading to unrealistic expectations of their operational resilience. Some fintechs also experience volatile funding, have opaque operations or employ excessive leverage.
In some cases, a fintech might have solid risk-management controls in place, but the underlying data management discipline is deficient, rendering those controls ineffective. Irrespective of the maturity of a fintech’s risk-management practices, the sponsoring bank retains the second-line-of-defense oversight responsibilities. In some cases, banks lack the resources to provide appropriate oversight of the risk-management activities that fintech partners are supposed to perform.
Another significant concern is the ability of nonbanks to meet customer redemptions promptly. Whether dealing with fintechs, money market funds or hedge funds, the rapid movement of money can present challenges. Few nonbank financial firms are able to maintain adequate liquidity during peak flow requirements. Liquidity problems can escalate during times of market stress, as witnessed in the FTX, Signature Bank and Silicon Valley Bank collapses.
To address these issues, banks can assess the capabilities of fintechs and vendors in the following areas:
- Key Control Roles: Evaluate the qualifications and experience of key personnel. Monitor for departures and turnover.
- Board-Level Controls: Ensure appropriate oversight and control procedures at the board level.
- Cash Flow and Funding Plans: Analyze the fintech’s cash flow requirements and funding required to finance operations.
- Risk Management Frameworks: Review partners’ risk management practices and customer complaints, especially in areas that have contributed to past incidents.
- Segregation of Funds: Ensure proper segregation of customer funds from company funds and verify internal controls.
- Cash Management Processes: Scrutinize cash management processes for transparency and control. Request copies of internal and external audits.
- ACH and Wire Transfers: Take nothing for granted. Ensure the bank maintains controls and close oversight over all payments processing.
- Liquidity Management: Assess liquidity management practices and identify vulnerabilities.
- Information Security: Review data-handling practices for security and compliance. Banks must retain access to customer and transaction data to comply with BSA requirements.
- Technology Performance Tracking: Evaluate technology performance and related contingency plans.
- Proof of Reserves and Liabilities: Require evidence of reserves and liabilities through audits.
- Regulatory Compliance: Ensure compliance with relevant regulations and industry standards. Validate and test customer verification procedures as well as ongoing customer and transaction sanctions screening.
- Legal Agreements: Establish clear service-level requirements and termination rights.
Internally, banks should involve the board in third-party risk management, maintain robust policies and controls for ACH and wire transfers, closely monitor performance, develop exit strategies, conduct stress tests, validate risk management processes, diversify relationships, establish security operations centers and implement incident response escalation processes. It will become increasingly difficult for banks to consider BaaS as a small side business.
The cost of building the appropriate risk and compliance oversight will likely lead to mergers between BaaS banks and to further consolidation in the fintech arena. Smaller fintechs that cannot absorb these costs are also likely to face pressure to merge or change their business model in 2024.
As fintechs continue to reshape the financial landscape, regulators are bringing intense scrutiny to ensure banks recognize and manage the associated risks. It’s essential for banks to approach these partnerships with the same scrutiny they apply to credit risk and other risk mitigation and regulatory compliance efforts.