Greg Matthews, Nicole Trawick and Sarah Gross at KPMG on a guide to third party risk management and financial services partnerships.
So, you met a vice president of a large financial services institution at an industry conference and convinced her that your brand new product is critical for the next phase of their project build. Awesome!
Then, you pitched the product to her boss and confirmed with the bank’s technology team that your product will integrate into their existing tech stack. Even better! But don’t start fantasising about a global launch quite yet… even with the business, technology and operations on board, there are stakeholders within procurement, risk and compliance who need to sign off on the deal.
Unfortunately, for many tech startups, these control functions can appear to be impenetrable gatekeepers that want to stifle innovation.1 However, it may only take a little understanding and preparation on your part to transform the vendor onboarding process from a Herculean task to a predictable and instructive exercise. This article offers guidance to fintech and insurtechs on how to avoid a protracted onboarding timetable when selling products and services to regulated financial services (FS) organisations.
Understand the implications
Onboarding implications differ, based on how fintechs structure agreements with a bank or FS organisation. While this is only one lens through which to view your potential business dealings with the FS organisation, it is an important consideration if speed in signing the contract (and receiving payment) is a key concern. Your two choices are acquisition/joint venture or subscription service/standard vendor contract.
Acquisition or joint venture
Banks are required to manage the risk from services provided by their affiliates or joint ventures. Therefore, fintechs that are acquired in whole or in part may still field inquiries from the bank’s third-party risk management (TPRM) team – from initial onboarding, through risk assessment, ongoing monitoring and termination.
Subscription service or standard vendor contract
Run-of-the-mill, third-party service agreements between fintechs and FS organisations will go through the full procurement and TPRM processes, including (as applicable) competitive bid and request for proposal (RFP) processes.
Forewarned is forearmed for TPRM
TPRM defined
Third-party risk management is consistently listed as a regulatory priority across jurisdictions globally. In 2019, the European Banking Authority (EBA) refreshed its outsourcing guidance with granular and prescriptive requirements for FS organisations to identify, assess, monitor and manage third-party risk.2 The general theme across all TPRM regulations is that while FS organisations can outsource an activity, they cannot outsource accountability for the risk, and therefore need to assess the fintech’s ability to meet their control standards in delivering a product/service.
The TPRM lifecycle and what it means for you
Due to the regulatory burden, client and customer scrutiny, as well as board oversight, mature FS organisations have developed comprehensive TPRM programmes that adhere to a consistent, multi-phased lifecycle. Any fintech that contracts with an FS organisation will interact with the TPRM team before, during and after contracting.
Initial risk assessment
Your business contact (in this case, the vice president from the conference whom you convinced that she needed your product) will likely fill out a form with basic information about the product; the form calculates an inherent (that is, initial) risk score for the third-party relationship.
Due diligence
Not all fintech products or services are created equal when it comes to TPRM. Offerings that help the FS organisation fulfil regulatory requirements, involve the sharing of confidential data, or underpin the FS organisation’s business continuity will trigger a higher inherent risk score. Based on the inherent risk score, a series of due diligence questionnaires covering the various risks associated with your service (e.g. information security if you handle data, compliance if you interact with customers) will be triggered and sent to you to complete.
Make sure you have the right programmes and discipline at your end to give the FS organisation comfort that the fintech product or service is being offered in alignment with its standards. Well-documented policies, procedures and risk management frameworks, backed by experienced employees, will greatly expedite the due diligence process.
Be timely and thorough when responding to these questionnaires; we find that the back and forth between subject matter experts and fintechs can be the most painful and cumbersome part of the TPRM process. Due diligence may uncover findings or issues that the FS organisation will work with you to remediate by strengthening your risk and compliance processes and programmes.
Contracting
The due diligence process may lead to additional terms and conditions being included in your contract with the FS organisation. Banks will have a list of clauses that likely include the right for the FS organisation to audit you (potentially on site) and/or to receive SOC 2 reports or the results of internal controls testing.
Ongoing monitoring
Both the risk and the criticality of the third-party fintech product or service will determine how often – and how rigorously – the FS organisation conducts ongoing monitoring. This could include the aforementioned audits and control testing, but ongoing monitoring also covers adverse media, corporate actions and performance metrics, including adherence to service level agreements (SLAs). The main takeaway here is that TPRM is not a one-time exercise; expect continuous baseline monitoring with periodic due diligence reassessment.
Termination
Sadly, all good things must come to an end. When you and the FS organisation decide to part ways, it will want assurances that, among other things, its data has been destroyed and that fintech employees with access to the FS organisation have had their accounts deactivated. Additionally, some FS regulations will mandate that you maintain records for a given period of time.
What banks can do to help
Despite the challenges, incorporating fintech offerings has become a business imperative for established FS organisations as they work to satisfy customer expectations and remain competitive. Many leading FS organisations are pursuing the following actions to go to market quickly with fintech start-ups:
1: Developing a ‘white glove’ service within the TPRM process to advise fintechs on how to complete the due diligence questionnaires and mature risk and compliance processes and programmes.
2: Funding innovation labs and accelerators to shape the growth of fintech startups and watch them over time before investing or partnering.
3: Building a data sandbox to move forward on proof of concept with dummy data in parallel with procurement and TPRM processes.
4: Integrating with a third-party assessment utility, like KY3P or TruSight, so that fintechs need only complete due diligence assessments once; the same assessment can be leveraged by multiple banks and FS organisations.
Coming back to you, tech founder: your next steps
You’ve gotten to the end of this article and are now briefed on the complexities of the procurement and TPRM processes. Additional actions to consider include the following:
1: Structure the deal in a way that matches your appetite to take on your share of the TPRM requirements (acquisition, partnership, or subscription service).
2: Prepare your risk and compliance teams to answer a plethora of TPRM assessment questions; invest in these functions to bring them up to maturity.
3: Communicate actively with your advocates in the FS organisation; if they want to close the deal, they will help shepherd you through the assessments and paperwork.
While the TPRM process may seem overwhelming, the good news is that banks and FS organisations are working to streamline these processes to expedite decision-making and onboarding. Additionally, for fintechs and FS organisations that get this right, the rewards can be valuable. According to a 2019 Thomson Reuters study, ‘the greatest perceived potential benefits from fintech include enhanced productivity, efficiency and accuracy, better product delivery and customer experience, as well as improved compliance monitoring and reporting’.3
1 https://www.forbes.com/sites/ronshevlin/2019/10/14/bank-fintech-partnerships-the-fad-is-over/#6769e0fe7527
2 https://eba.europa.eu/eba-publishes-revised-guidelines-on-outsourcing-arrangements
3 Fintech, Regtech and the Role of Compliance in 2019, Thomson Reuters
This article was first printed in the Winter 2020 edition of Ethical Boardroom Magazine and is being republished with kind permission of the Ethical Boardroom Group Ltd.