Exams or Audits

  • 1.  FinTech

    This message was posted by a user wishing to remain anonymous
    Posted 01-13-2020 01:05 PM

    Anyone else challenged with determining their criteria for FinTech vendors?


  • 2.  RE: FinTech

    Posted 01-14-2020 09:51 AM
    We set up an Initial Risk Committee at my prior company to consider all sorts of things for new fintech and emerging technology companies - had general counsel, audit, compliance, IT, IS, business unit, etc.... and we asked ourselves what sort of questions should we pose - do they have a good compliance discipline, are they financially stable, have they done any research into the legal basis of their business, do they have any sort of network or data diagram?


  • 3.  RE: FinTech

    Posted 01-15-2020 12:37 PM
    As a financial institution, our Bank has been onboarding many FinTech Partnerships. The OCC supplemental bulletin 2017-7 (I believe) regarding FinTechs recommends the same third-party processes as regular vendors - we find this to be a challenge because many companies are start-ups/private and they won't share or don't have what we require for our expectations for due diligence.

    We have had so many challenges with FinTechs and it's still a gray area for many businesses, so what I can recommend to cover risks would be an internal sign-off. We have created a sign-off with checklist items for subject matter experts in areas such as Finance - Infosec - IT - Compliance/Risk/Legal - Vendor mgmt. - AML/BSA - project mgmt., where we set up calls for any exceptions to due diligence (which is common with many of these third-party FinTechs).

    Finance - If a FinTech is not willing to disclose their financials or investors, their call/meeting with us will go over things like their cash burn, what they have for investments, whether they are screening their investors, what our expected return on investment is, etc. Then we do exception write-ups for what we go over. We also include clauses in our contracts for insolvency etc., and for concerns with staffing and performance we include SLAs and other measures to make sure they are meeting expectations.

    Compliance - Generally, we have been finding many of these FinTechs are not able to afford or aren't subject to audits. From a compliance/risk/audit perspective, we make sure they have policies and controls documented for any regulatory matters they are subject to as a minimum requirement. Then we outline in the contract a time frame for when they need to have certain items provided (for ex: we require them to start an SSAE18 audit within 6 months, or something along those lines). Sometimes we need to coach or help out with these policies/procedures/controls. We ask questions surrounding GDPR/Privacy/Data retention/Data centers etc., as well as making sure they are compliant with the relevant domestic and international regs/laws.

    InfoSec - what we check depends on what kind of data they will have (NPI/PII usually). So this is where a SME in this field will need to come in and make sure their BC/DR/Incident response/Testing docs are acceptable. We usually have them pay for, or we pay for, a vulnerability or penetration test, and have recommendations for vendors who perform those types of tests. It may be a good idea to find out what fourth parties would, through the process of providing their service/product, have access to our data, and make them disclose those through a clause in their contract.

    IT - they need to know any systems access info, fourth-party data sharing info, etc.

    Vendor mgmt. - make sure they are being risk assessed, evidence reviews for any exceptions, have contracts on file, annual ongoing DD, third-party vetting policies from them, who are their fourth parties, data centers, SOC reports, who internally (first line) is responsible for this FinTech, understanding the product/service etc. 

    BSA/AML - based on the nature of the relationship, we make sure they have proper controls/policies in place for KYC/BSA/AML/OFAC/Fraud, whether they are vetting their investors, etc.

    Legal - MNDA ALWAYS!/LOIs/Contracts/SLAs - The contract is where you can really set expectations and take away any liabilities or risks that potentially may arise. For any FinTech with access to data I would recommend the EU's contract template:

    https://gdpr.eu/data-processing-agreement/

    Project mgmt. - follow-ups on docs needed or follow-up items/making sure service level agreements are met/key dates etc.

    In my opinion, having a sign-off with checklist items of DD to go over is a great way for the second line to ensure every area of risk has been covered even if the due diligence is not meeting the standards. Clauses in contracts are key as well. We still have our challenges and are going to start a questionnaire to qualify whether we even want to work with potential FinTech partnerships (we have been collaborating with the first line on that). We just want to make sure we are onboarding QUALITY potential vendors and not wasting time working on due diligence and working out the details if there is too much risk. Any advice there would help!

    I wrote this super fast, but hopefully it makes sense and helps! I would love to hear how others are vetting their third-party FinTechs! :)

    Thanks,
    Megan