
Fintech Due Diligence: A Nearly Exhaustive List of Documents

Sep 1, 2021

Entering a fintech partnership—or following up to make sure partners remain in good standing—means conducting a lot of due diligence. 

While due diligence is essential in any third-party vendor relationship, it can be especially tricky for fintechs. Whether the fintech is a startup, new to working with financial institutions (FIs) and their regulatory compliance requirements, or offers a new, untested product, FIs need to understand the risk of working with a specific fintech, the controls to mitigate that risk, and whether that level of risk aligns with the FI’s risk appetite. 


That’s why it’s so vital that the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks in August 2021. Strong vendor management is essential to safety and soundness, and the fact that the agencies published a new guide suggests it’s an area where banks are falling short of the mark.

The guide doesn’t offer any new regulation or guidance. It simply takes existing third-party vendor management guidance and frames it in terms of fintechs—providing an extensive list of potential documents to gather and review.  

This not only indicates that the agencies are seeing issues with how banks manage fintech relationships, but also gives us further insight into how the regulatory agencies are collaborating as they seek to meld their separate vendor management guidance into one cohesive approach.


One takeaway: They expect FIs to really dig into due diligence and cover a wide area. It’s not enough to skim a SOC report and call it a day. Good due diligence requires thorough research. 

Here is the list of items the agencies suggest as potential sources of information: 

      • Company overview 
      • Organization charts 
      • List of client references using the activities being considered 
      • Volume and types of complaints, including those available from the fintech company, regulatory agencies, and other public sources 
      • Public records of any legal or regulatory actions and to establish corporate standing, if applicable 
      • Media reports mentioning the fintech company 
      • Summary of any past operational failures of the fintech company 
      • Mission statement, service philosophy, and quality initiatives 
      • Geographic footprint information (such as locations of offices and operations)
      • Overview of strategic plans and/or expansion strategies 
      • Patents and licenses 
      • Summary of key personnel and subcontractors (if utilized)
      • Employment policies, including background check and hiring practices 
      • Fintech company website and social media sites 
      • Ownership information 
      • Biographical and professional information on board of directors’ and executive directors’ backgrounds, often available on company websites and in public records 
      • Resource plans (including succession plans) 
      • Financial statements and auditors’ opinions as available 
      • Annual reports 
      • U.S. Securities-related filings, often available from the Securities and Exchange Commission  
      • Internal financial reports and projections  
      • List of funding sources 
      • Publicly available market information on competitors 
      • Information on client base 
      • Charters, articles of incorporation, certificates of good standing, and licenses, such as those recorded with the relevant state 
      • Other relevant public information, such as records related to patents and intellectual property 
      • Lawsuits, settlements, remediation, enforcement actions, fines, and consumer complaints 
      • Form 10-K filing  
      • Form 10-Q filing 
      • Policies, procedures, training, and internal controls pertaining to compliance with legal and regulatory requirements 
      • Proposed contract terms that specify performance of legal and compliance duties 
      • Information regarding customer-facing delivery channels or applications (for example, mail, online, and telephone) 
      • Proposed marketing materials and regulatory disclosures with product details such as fees, interest rates, or other terms  
      • Methods used to monitor, remediate, and respond to customer complaints  
      • Customer complaint records involving the fintech company 
      • Policies, procedures, and other documentation related to the prospective activity 
      • Policies and procedures related to the fintech company’s internal control environment and overall risk management processes 
      • Information on risk and compliance staffing 
      • Recent results of control reviews and audit reports related to the prospective activity 
      • Issue management policies, procedures, and reports  
      • Schedule of planned control reviews and audits  
      • Self-assessments  
      • Training materials and training schedule  
      • Inventory of key risk, performance, and control indicators  
      • Sample key risk, performance, and control indicator reports 
      • Project plans associated with any planned changes to systems or reporting capabilities
      • Sample reports to the fintech company’s board of directors 
      • Completed information security controls assessments 
      • Incident management and response policies  
      • Incident reports with associated postmortem and remediation activities  
      • Information security policies (for example, access management, data center security, backup management, change management, and anti-malware policies)  
      • Information security and privacy awareness training requirements for staff  
      • Policies addressing relevant safeguarding and privacy laws and regulations 
      • Information technology policies (for example, data protection including data classification, retention, and disposal)  
      • Overview of the fintech company’s technology and processes supporting the prospective activity 
      • Completed controls or standards assessments
      • Business continuity plans
      • Disaster recovery plans 
      • Incident response plan 
      • Documented system backup processes 
      • Business continuity, disaster recovery, and incident response test results  
      • Cybersecurity reports and audits 
      • Insurance documents 
      • Proposed service level agreements 
      • Evidence of status meeting existing service level agreements 
      • The fintech company’s policies on outsourcing and its use of subcontractors 
      • Independent reports or certifications regarding subcontractors 
      • List of third parties used by the fintech company 

When assessing the risk of working with any third-party vendor, including a fintech vendor, make sure your FI is conducting thorough due diligence and ongoing monitoring. While an SSAE 18 audit and the accompanying SOC report may address some of these data points, others may be excluded. Depending on the type of agreement your FI is entering, that might be a real oversight.  


The best way to know for sure is with a thorough vendor risk assessment. When your FI identifies and assesses the risks of a vendor relationship, it needs to thoroughly understand the controls in place—and those that are missing. It’s the only way to know if the fintech relationship your FI is entering (or continuing) is aligned with the institution’s strategic goals and risk appetite. 

Failing to do this critical research has the potential to damage the safety and soundness of your FI, making fintech (and general vendor) due diligence a must. 


