Bates Research  |  04-17-24

Avoiding Technology, Data, and Staffing Disconnects when Banking Fintechs

It’s been difficult recently to go a month without seeing a new regulatory consent order against a bank that is banking Fintechs. Two phenomena are contributing to this increase:

  1. The increase in the number of financial institutions that are banking Fintechs, and
  2. The increase in regulatory scrutiny over this space. Regulators are concerned that banks might not be monitoring risks of Fintech partnerships adequately and mitigating AML and Fraud risks.

Since partnering with Fintechs can be a lucrative business model for financial institutions, especially smaller institutions, we’re not likely to see an exodus of banks from this space. Therefore, the most likely outcome will be a rapid and robust improvement in risk management systems by financial institutions that are banking Fintechs, such that consent orders can be avoided.

Looking at recent consent orders for insight reveals three fundamental disconnects occurring in the AML and Fraud risk management systems of financial institutions that bank Fintechs, especially during the first few years of launching that business model. Those disconnects are occurring in technology systems, staffing, and data.

Case Study

To illustrate these issues, let’s discuss a fictitious bank we’ll call LowRiskBancorp (the bank), a $1.1 billion bank, banking mostly small domestic mom-and-pop businesses and consumer households via a 10-branch footprint with basic internet and mobile access. When describing the bank’s business model, the word “vanilla” is more appropriate than “novel.” Below is a summary of the bank’s AML and Fraud technology systems, data, and staffing, followed by a typical scenario when the bank begins to partner with Fintechs.

AML and Fraud Technology Systems

The bank has been using a first-generation integrated Financial Crimes system for transaction monitoring alerts, fraud monitoring alerts, customer risk rating, and OFAC screening of customers. The bank’s Enhanced Due Diligence (EDD) program over higher-risk customers is basic, includes fewer than 100 consumers and businesses, and reviews take place outside of the Financial Crimes system in Excel and Word. The Financial Crimes department does not use a negative news or CDD screening system, or any other type of AML or OFAC software.

Staffing

The bank combines the BSA, AML, OFAC and Fraud functions under one Director of Financial Crimes/BSA Officer (Financial Crimes Officer), who has one Deputy Financial Crimes Officer and an analyst. The Financial Crimes Officer has been with the bank for her entire five-year career, having started as an analyst. She has never worked with a Fintech, doesn’t understand the various levels of partnership, and doesn’t understand the flow of transactions associated with a Fintech partnership. She completes the BSA Risk Assessment every two years in Excel. It reflects the bank’s plain vanilla products, customers, and locations, with a residual risk of low/moderate. She also completes the OFAC Risk Assessment every two years, and it shows a residual risk of low. The annual BSA/AML/OFAC audit is completed internally by the bank’s only Internal Auditor. There were no findings last year.

Data

The Financial Crimes Department does not have a systems or data specialist to focus on AML, Fraud, or OFAC data. Similarly, there is no analyst in the bank’s Operations or IT Department who understands the integrated Financial Crimes system, its data fields, or its mapping. The bank performs what it describes as a “Model Validation Lite” every two years, which is more of a tuning exercise for alerts than a data exercise. Data is ingested into the Financial Crimes system from the bank’s core system and from the wire system. A true validation of the data being ingested into the AML system has never been performed. No one in the Financial Crimes Department, the Operations Department, or the IT Department was with the bank when data from the core and the wire system were first mapped to the Financial Crimes system. Documentation of the mapping doesn’t exist.

Challenges When Fintech Partnerships Begin

The bank partners with a Fintech that will cause a high volume of small transactions to flow into the Financial Crimes system. The bank will face challenges when bringing these Fintech transactions into the existing Financial Crimes system, since significant mapping with the new core needs to take place, and there is no analyst in any of the bank’s departments who understands the mapping exercise. There will also be challenges in trying to set appropriate transaction alerting thresholds once the Fintech transactions are brought into the Financial Crimes system, due to the new volumes and the smaller dollar amount of each transaction. There isn’t even certainty that the first-generation Financial Crimes system being used can handle the additional volume of transactions. 

The Financial Crimes department doesn’t have enough staffing to handle the alerts that the Financial Crimes system will surely generate, at times excessively, until alerting thresholds are set appropriately. Most importantly, though, the current Financial Crimes Officer, who has never worked in a Fintech environment, doesn’t have the expertise to monitor the transactions or complete EDD on the new Fintech customer. Absent negative news screening or any other type of screening (fraud and AML) to know the new customers, there is no way to truly understand the new customers or their transactions flowing through the bank. The Financial Crimes Officer isn’t clear about whether she’s responsible for filing SARs on any suspicious activity associated with the Fintech’s customers, or whether the Fintech is – and if she files the SAR, can she communicate that filing to the Fintech?

How To Avoid

The above challenges (and corresponding risks) would have been revealed if the bank had done a comprehensive risk assessment on the onboarding and banking of the new Fintech business model and the new Fintech partnership. The need to assess the risk involved with each Fintech relationship is addressed in the June 2023 joint guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. (See, for example, FDIC FIL-29-2023: Interagency Guidance on Third-Party Relationships: Risk Management.) A risk assessment on the Fintech relationship would have revealed the following with respect to Financial Crimes:

  • Conversations must take place with the vendor of the Financial Crimes system to discuss whether transactions from another core can be brought in and how best to do this. This conversation would also address the volume of transactions. The responses to these questions would feed into the overall adequacy assessment of the Financial Crimes system. Should the existing Financial Crimes system not be adequate, conversations must take place about purchasing another Financial Crimes system to handle the Fintech transactions or manually monitoring the Fintech transactions.
  • RFPs with other system providers, such as negative news screening, other CDD systems, and fraud prevention/ID Verification systems must be developed and sent.
  • A Financial Crimes staffing level assessment must take place.
  • An assessment of the skillsets among Financial Crimes staff as compared to the skillsets required must take place.
  • The Financial Crimes Officer needs to determine SAR-filing protocols.
  • The Financial Crimes Officer needs to update department policies and procedures to accommodate the new business model.
  • An assessment of the skillsets among Operations and IT staff with respect to identifying existing and new transaction codes (trancodes) and getting them mapped correctly in the Financial Crimes system must take place.
  • An overall fraud risk assessment must take place, as fraud can sometimes overtake AML as the larger risk when banking Fintechs.

It’s clear that LowRiskBancorp became HigherRiskBancorp by entering the Fintech space.

The strong message coming from all the regulators is that the risk assessment on the new Fintech relationship, along with the analyses and assessments noted as being required, should be completed and the risk mitigated before transactions start flowing into the bank.

When it comes to banking Fintechs, stronger risk management at the beginning of the relationship – meaning when discovery is still taking place – can help avoid challenges and risks down the road. It’s important for banks to do this because regulators are scrutinizing bank/Fintech relationships and consent orders seem to be the order of the day.

Additional Resources:

The Federal Reserve Announces Creation of Novel Activities Supervision Program (federalreserve.gov)

NCUA Board Approves Final Rule on Financial Innovation (ncua.gov)

How Bates Group Helps

Bates Group offers ongoing advisory services to a wide range of financial institutions and Fintechs. We offer Independent Reviews and Risk Assessments, Compliance Program Support, and Custom Compliance Training.

Contact Bates Group today to learn more.
Brandi Reynolds

Managing Director, BSA/AML Compliance, FinTech & Virtual Assets

breynolds@batesgroup.com

864.809.7718