First Quarter Losses & Lax Compliance: Two Real-Life Fintech Due Diligence Mistakes to Avoid
Fintech relationships are game changers for financial organizations. These relationships help banks, credit unions, mortgage companies, and other fintechs satisfy consumer demands and keep pace in a rapidly evolving marketplace.
Yet these relationships are not without risk. As third-party fintech relationships grow more complex, due diligence takes on even more importance to avoid mistakes the Office of the Comptroller of the Currency (OCC) has identified, including:
- Failing to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
- Failing to perform adequate due diligence and ongoing monitoring of third-party relationships.
- Entering into contracts without assessing the adequacy of a third party's risk management practices.
- Entering into contracts that incentivize a third party to take risks that are detrimental to the financial organization or its customers, in order to maximize the third party's revenues.
Fintech fraud and start-up mode financials endanger safety and soundness of $1.6 billion-asset bank
What happens when a fintech partner can’t cover the cost of synthetic fraud? That’s what one $1.6 billion-asset community bank is asking as it charges off $6.3 million in the first quarter while adding $1.7 million to reserves, according to American Banker.
The bank partnered with a fintech that provides unsecured lines of credit through a hybrid credit and debit product, also known as “crebit cards.” The product relies on non-traditional underwriting, including an analysis of real-time income and spending.
The problem is that since the relationship began in 2020, the bank has identified almost 25,000 fraudulent loans, while holding just over 54,000 loans with a balance of $31 million.
Those 54,000 loans look to be performing as expected, but the bank has concerns about the start-up’s ability to take back the 25,000 fraudulent loans it flagged—as required in the vendor contract. The fintech, which was founded in 2017, hasn’t achieved profitability yet.
Meanwhile, the large charge-off was a major contributor to the bank’s first quarter losses.
Now, in addition to setting aside millions preventatively, the bank has frozen new loans with the fintech and will require existing customers of the fintech relationship to undergo a fraud check.
Fintech vendor management & due diligence takeaways:
Evaluate the risk of an activity. The fintech vendor management lifecycle begins with a risk assessment that analyzes not just the risks a fintech vendor might pose, but the inherent strategic risk in choosing to outsource an activity in the first place.
Ask questions such as: Does the activity align with your financial organization’s strategy? What are the inherent risks of the activity? What controls are needed to ensure an acceptable level of risk? Does your organization have the in-house resources needed to manage the relationship?
In this case the fintech relationship aligned with the bank’s mission of reaching the unbanked and underbanked, but the bank may have benefitted from a deeper assessment of fraud risk and controls.
Fintech partner due diligence. Understanding the risks of working with a specific fintech partner helps a financial organization evaluate fintech vendors and consider ways to minimize the risk of working with them. In this case, key risks to address should have included:
- Is the fintech capable of repaying losses due to fraud?
- How do you know (financials, insurance policies, etc.)?
- To what degree?
- How does the fintech identify synthetic and other forms of fraud?
- What controls are in place to prevent fraud?
- How much fraud or loss is acceptable?
- What controls should the bank put in place to minimize loss?
- How will we monitor credit and fraud risk?
Clearly the bank has systems in place to identify and track fraudulent loans, but I wonder whether, in hindsight, they would have frozen new loans sooner.
Fintech called out by Connecticut admits struggling with federal and state regulation
Ask any banker, credit union executive or mortgage broker about compliance, and they will be more than happy to talk about how time-consuming and expensive it is to stay compliant with an ever-expanding collection of federal and state regulations.
Yet they manage to stay compliant because they must. They understand they operate in an industry where one must always ask for permission because forgiveness is in short supply. There are only enforcement actions, fines, and lawsuits.
Newcomers haven’t necessarily gotten this memo.
In May the Connecticut Department of Banking issued a cease-and-desist order against a fintech that created a peer-to-peer lending platform where borrowers can take out small-dollar loans and tip their lender or the fintech for the service. The state said the company was acting as a loan company and a consumer collection agency but didn’t have a license for either activity.
It also found that every loan originated to Connecticut residents between June 2018 and August 2021 included a tip of some kind (on average $21 for lenders and $10 for the fintech), which led the department to question the assertion that tipping is optional and to ask why information about tips isn’t included in loan disclosures.
The fintech stopped including tips in loan disclosures in April 2021 even though borrowers committed to tipping before taking out the loan. The fintech withdrew the tip from borrowers’ accounts at its partner bank—an action the state called misleading. When calculating finance charges, APRs ranged from 43 percent to 4,280 percent, the state said.
In an interview with American Banker, the fintech’s founder said “the state-by-state complexity, the federal complexity, it's a lot. And I would tell you for our tiny company, we're doing the best that we can.” He also commented that “The states have raised questions” offering the example that Minnesota classified the fintech as a “debt recovery company” and asked them to get a license for that activity.
Additionally, the state of Connecticut says that at least one consumer collection agency the fintech used didn’t have a license.
The fintech has a bank partner where borrowers and lenders hold accounts so they can send and receive money. That’s a good opportunity for the bank to open new accounts and market to new customers, but it’s not great when its partner is withdrawing funds from borrowers without including those amounts in Truth in Lending Act (TILA) loan disclosures.
Fintech vendor management & due diligence takeaways:
Compliance is critical to due diligence. Your financial institution has enough on its plate without partnering with a vendor with a cavalier attitude towards compliance. The due diligence process should address compliance. This includes documentation about its compliance management system (CMS) and internal controls for managing compliance and regulatory change. It’s also smart to look for news stories, lawsuits, and other coverage that could reveal compliance shortcomings.
It's also important to verify documents like licenses, insurance policies, and other credentials.
Being told “for our tiny company, we're doing the best that we can” should be a red flag. Examiners don’t give out an A for effort. They care about results.
Watch out for fourth-party risk. How well do your fintech partners manage their own vendors for operational, compliance, financial, and other risks? Use the due diligence process to learn about how a potential partner handles vendor management. If they don’t have a documented vendor management system, you could experience blowback when they hire vendors that don’t have the proper licensing.
How strong is your fintech due diligence and vendor management process?
Before partnering with a fintech company, make sure your financial organization has a strong system for risk and vendor management, including due diligence.
Your organization needs to know who it’s doing business with and have controls in place to ensure that the relationship won’t expose your organization to an unacceptable amount of risk.
Many of these controls can be addressed in fintech contracts and vendor agreements. Contracts should outline the rights and responsibilities of both the fintech vendor and your organization, including provisions that ensure the institution has access to due diligence documents.
Topics to address include: confidentiality, dispute resolution, subcontracting, business continuity and contingency plans, frequency of data reports and audits, data privacy, compliance, and ownership of intellectual property. It should also ensure transparency into fourth-party vendors (the vendor’s vendors).
Risk is a moving target. As the world outside changes, so does the risk profile of fintech vendors. A new regulation or an internal change with the vendor can change the amount of risk a vendor poses. Make sure ongoing due diligence includes regularly assessing the effectiveness of fintech vendor controls to understand whether they are performing as expected, including if your fintech partner remains compliant with all laws and regulations.
Controls should be tested regularly, and your organization should track whether vendors are meeting service-level agreements, performance metrics, and other contractual terms as well as complying with legal and regulatory requirements. This ongoing due diligence should include monitoring the quality of service, risk management practices, financials, controls, and reports.
The results, along with the institution’s policies and procedures, should be used to decide if a vendor needs to be terminated or put on probation.
Fintech relationships should be a source of growth and success, not another problem to manage. Make sure your organization has the risk and vendor management processes it needs to build and maintain effective, profitable fintech relationships.
Want advice for how fintechs and financial institutions can work together?
Our on-demand webinar has got the scoop.