It’s an opportune time to be a financial technology (fintech) startup, free to enjoy rapid growth without the burden of strict regulatory oversight. But as scrutiny over this new and burgeoning industry grows, so does the urgency for fintechs to get their compliance house in order.

In remarks made in early November before the American Fintech Council, Acting Comptroller of the Currency Michael Hsu emphasized the need to modernize what he called the “bank regulatory perimeter,” indicating that fintechs and cryptocurrency firms should be subject to the same regulations as traditional brick-and-mortar banks.

“Increasingly, the three cornerstones of banking—taking deposits, making loans, and facilitating payments—are being reassembled functionally and digitally outside of the bank regulatory perimeter by certain firms,” Hsu said. Referring to these firms as “synthetic banking providers,” he added, “We need to remove the disparity between the rights and obligations of banks and the rights and obligations of synthetic banking providers by holding SBPs to banking standards.”

Many fintech startups, still in the nascent stages of product development, face a variety of unique hurdles that make building a compliance program an especially intimidating task. For starters, unlike large global banks, fintechs typically have limited resources and a small team of individuals whose core area of expertise often rests in technology, not banking compliance, says Rick Bachman, an external compliance officer with Scale Consulting.

The questions with which fintech startups grapple are varied and many: How can we manage compliance in the easiest and most cost-effective way? Should we work with a specialty compliance service provider, a banking-as-a-service (BaaS) provider, or both? Or should we just go it alone and build our own compliance program? Would a bank partnership be beneficial? If so, with whom should we partner?

For answers to these questions, many fintech startups turn to an external compliance officer like Bachman to help build their compliance program from the ground up. “I am the first exposure a lot of them have to compliance,” he says.

As an external compliance officer, Bachman says the first step is understanding where the company is on its compliance journey. For example, some fintechs turn to Bachman for guidance on which compliance service provider would be the right fit for them. With so many to choose from, that process alone can be a dizzying decision for a startup.

Providers like Alloy, Middesk, and Unit21, for example, each offer customizable identity verification and transaction monitoring solutions to meet the unique needs of each fintech from a regulatory compliance and risk standpoint and help prevent fraud and money laundering risks in real time. The added benefit of partnering with a compliance service provider is that compliance with regulatory banking laws, like know your customer (KYC), Bank Secrecy Act (BSA), and anti-money laundering (AML), is built into the technology itself.

Another option is to work with a BaaS provider, which serves as a middleman between fintechs, licensed bank partners, and compliance service providers. Essentially, a BaaS provider is a one-stop shop for fintechs.

In practice, it works like this: A licensed bank lends access to its banking solutions to a BaaS provider through application programming interfaces, which then enables the BaaS provider’s fintech clients to integrate the functionality of the bank’s solutions into their products for their end users.

However, beware of any provider who claims to offer a general, one-size-fits-all compliance solution, which might not address each fintech’s unique risk profile, says Sheetal Parikh, associate general counsel and vice president of compliance solutions at BaaS provider Treasury Prime.

“Because of the very nature of financial services and how regulated it is, compliance has to be at the core,” Parikh says. “There is no true offloading or outsourcing it.”

Only the fintech is in position to know its customers, specific use case, and specific risk profile, she says.

Fintech-bank partnerships

Increasingly, financial institutions—smaller community banks, in particular—are choosing to directly join forces with fintechs. When fintechs first entered the banking space, they were perceived as major disruptors, but today they are perceived as valuable partners, Bachman says.

Through a fintech-bank partnership, a community bank can realize many benefits—enhanced products and services for their customers, increased efficiency, and the ability to compete with larger financial institutions more easily—while a fintech gains access to the bank’s customers.

According to Cornerstone Advisors’ “What’s Going on in Banking 2021” report, out of the 260 senior executives at U.S.-based, mid-sized financial institutions polled, 48 percent of bank respondents and 42 percent of credit union respondents said they have partnered with fintech startups in the past three years. Asked what fintech capabilities, products, or services interest them, respondents’ top answers were digital account openings, fraud/risk management, mobile wallet, and data breach protection.

Risk management considerations

Fintech-bank partnerships do not come without compliance regulatory risks for either party involved. In August, the Federal Reserve Board, Federal Deposit Insurance Corp. (FDIC), and Office of the Comptroller of the Currency (OCC) released a guide for banks on how to conduct due diligence on prospective fintech partners.

The voluntary guide focuses on the following six due diligence topics: business experience and qualifications; financial condition; legal and regulatory compliance; risk management and controls; information security; and operational resilience. The guide also includes relevant considerations, potential sources of information, and illustrative examples for each topic.

In addition to banks, fintechs should read the guide to familiarize themselves with the due diligence expectations banking partners will consequently place upon them when evaluating a potential partnership. For example, fintechs can glean insight into what specific information and documents they may need to produce (e.g., financial reports, customer complaints, regulatory actions); what relevant laws and regulations apply to them; what policies, processes, and internal controls they should have in place; and more.

Additionally, the Federal Reserve Board in September published its own guide on fintech-bank partnerships.

“This paper is intended to serve as a resource for community banks as they embark on responsible innovation,” the Federal Reserve Board stated. “It provides an overview of the evolving landscape of community bank partnerships with fintechs, including the benefits and risks of different partnership types, and key considerations for engaging in such partnerships.”

“Fintechs cannot exist without bank partners,” Parikh says. So, the more comfortable fintechs can make bank partners in showing them they understand their compliance regulatory obligations, the more it “will create greater access for them to banking relationships and strengthen those relationships,” she says.

Fintechs also should keep in mind compliance is a gradual endeavor, and each fintech should move at its own pace, Parikh adds.

“It isn’t necessarily about getting from zero to 100 overnight,” she says. “It’s more about building and scaling as the operations scale. Compliance needs to grow as the business grows.”