External Oversight | Risk Series

This week we are continuing to explore risk management from the perspective of laws, regulations, and the regulators who uphold them.

There are two levels of “external” oversight. The first is oversight conducted by the Issuing Bank Partner to ensure its Fintech Partner program(s) and product(s) are operating well and that all regulatory compliance requirements are met. This is achieved through continuous communication, reporting, and audits. 

The second level of oversight is undertaken by regulators. Regulators focus mainly on the Issuing Bank Partner, since it is the Bank’s license that Fintechs operate under. Good outcomes from regulatory oversight, examinations, and audits start with Programs and their Banks understanding the regulatory requirements, reflecting them in their policies and procedures, and meeting reporting requirements, so that they receive a clean bill of health when examined or audited.

The Current Landscape

We are seeing increased scrutiny by regulators, due in part to recent high-profile failures like Silicon Valley Bank and Synapse. These events have led to calls for changes in regulatory requirements for Fintechs. According to one regulator who spoke at a recent ETA forum, the agencies that regulate Fintech partnerships have issued 18 proposed or final rules and completed 39 public enforcement actions since 2021. More rule-making can be expected. For example, the FDIC recently called for strengthening Bank record-keeping, including identifying and recording the beneficial owners of all accounts held by the Bank, along with each owner’s individual balance at the end of each day.

Failing to meet these requirements comes with penalties. According to a February 2024 article by the American Banker Association, “over 60% of fintech companies paid at least $250k in compliance fines in the past year, stemming from the lack of transaction monitoring, insufficient customer due diligence, and failure to report suspicious actions, to name a few”. 

A Note About Audits 

The Institute of Internal Auditors (IIA) defines internal audit effectiveness through a set of “Core Principles”. The Principles are:

  • Demonstrates integrity 
  • Demonstrates competence and due professional care 
  • Is objective and free from undue influence (independent) 
  • Aligns with the strategies, objectives, and risks of the organization 
  • Is appropriately positioned and adequately resourced 
  • Demonstrates quality and continuous improvement 
  • Communicates effectively 
  • Provides risk-based assurance 
  • Is insightful, proactive, and future-focused 
  • Promotes organizational improvement 

Internal auditing, whether initiated by the Fintech or by its Issuing Bank Partner, is an independent process with the goal to improve processes and operations. This in turn keeps both the Fintech and its Issuing Bank Partner profitable and in good standing.

Regulations and the Regulators Who Oversee and Enforce Them

There are too many laws, regulations, and regulators to name them all here, but a few of the key regulatory bodies to pay close attention to include the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the Financial Crimes Enforcement Network (FinCEN), the Federal Deposit Insurance Corporation (FDIC), the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC). The United States is particularly complicated because of its federal and state structure, which requires Fintechs to follow both federal regulations and the regulations of every state they operate in. Requirements differ according to product type and program structure, so good legal counsel is important; getting this wrong can be extremely costly.

Privacy regulations are a good example of how tricky it can be to navigate both state and federal requirements. There is no comprehensive federal privacy law, although both the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) contain privacy requirements. To fill this void, a growing number of states have enacted their own privacy regulations. Generally speaking, the easiest way to manage multiple state requirements is to identify the most rigorous one and abide by it in all states.

Data requirements 

The first thing that comes to mind when looking at data in the Fintech world is the data related to payments and fund transfers. While this kind of data is certainly a backbone of the business and is required for your product to exist in the first place, there are a lot more data points involved in successful, profitable, and continuous operations. Regulatory compliance, customer protection, and fraud detection call for more than just the transactional data.

Whether you perform compliance checks yourself, use external vendors, or are required to submit compliance-related data to a sponsoring financial institution (FI), these are some basic data sets you may need to have available:

  • A complete set of data points that allows accurate KYC/KYB identification. This is also the basis for complying with many FinCEN, OFAC and FDIC requirements from the alphabet soup above, such as USA PATRIOT Act Section 314(a) information requests and the Customer Identification Program (CIP).
  • Data points on chargebacks, disputes and customer complaints, to ensure you stay in the consumer protection lane as defined by Regulation E, Regulation Z, and various other rules and regulations.
  • Information on other events that revolve around the customer’s use of your products. Examples include: correct recording of events that can trigger required consumer disclosures; data exchanged with credit bureaus to comply with FCRA; and even logging of collection activities to comply with FDCPA and TCPA. The list goes on.

Technology

Technology plays a transformative role in fintech (financial technology), changing traditional financial services by improving efficiency, accessibility, and customer experience. Here are some tools that can help with data requirements and with compliance in general:

  • Cloud data platforms can be used for centralized data warehousing, analytics and reporting across various (and often fragmented) data sources. Low-cost development and administration solutions such as Snowflake provide flexible and powerful data management options.
  • Data movement tools are moving beyond legacy SFTP file transfers toward APIs and direct data sharing between partners’ data sources. The benefits of instant data delivery without extensive infrastructure are not to be overlooked, but an API or shared-data connection needs the same controls as the file transfer it replaces: authenticated parties, least-privilege access to the shared data, encryption in transit, and logging of what was retrieved and by whom.
  • Adjacent to data movement are data quality and data reconciliation tools (not to be confused with accounting reconciliation). It is unfortunately still common to accept data sets from partners or vendors without validating their quality and integrity: are all required fields populated, and are their values properly formatted? Balancing incoming files to the system of record (record counts and control totals) is also highly recommended; a file that does not balance should be held and investigated rather than loaded.
  • Regulatory Technology (RegTech) is a new buzzword in the industry. RegTech is the use of information technology to enhance regulatory and compliance processes, with particular emphasis on regulatory monitoring, reporting and compliance. It aims to improve transparency and consistency, to standardize regulatory processes, to remove ambiguity from regulations, and to deliver higher-quality outcomes at a lower cost.
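As an added example (not code from this article or from either firm), here is a Python check of the kind the data quality and reconciliation bullet describes: it rejects rows with missing or mis-formatted fields, then balances the accepted rows to the file’s trailer record and to a count and total supplied by the system of record. The file layout, field formats, trailer convention and sample records are constructed assumptions for the example, not a real partner’s specification.

```python
# Added example (not the article's or either firm's code): validate a partner
# transaction file and balance it before loading. Layout, field rules and
# sample records are constructed assumptions, not a real vendor specification.
import csv
import io
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed layout: CSV header, data rows, then a "TRAILER,<count>,<total>" control record.
REQUIRED_FIELDS = ("txn_id", "account_id", "posted_date", "amount", "currency")
ACCOUNT_ID_RE = re.compile(r"^[A-Z]{2}\d{8}$")   # assumed shape, e.g. US12345678
AMOUNT_RE = re.compile(r"^-?\d+\.\d{2}$")         # signed, exactly two decimal places
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")           # ISO 4217 alpha code shape


@dataclass
class FileReport:
    accepted: list = field(default_factory=list)  # clean rows, safe to load
    rejects: list = field(default_factory=list)   # (line_no, "reason; reason")
    notes: list = field(default_factory=list)     # balancing discrepancies
    balanced: bool = False                        # True only if every control agrees


def row_problems(row, seen_ids):
    """Return the data-quality failures for one row; an empty list means the row is clean."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
    if problems:
        return problems                           # skip format checks on absent fields
    if row["txn_id"] in seen_ids:
        problems.append(f"duplicate txn_id {row['txn_id']}")
    if not ACCOUNT_ID_RE.match(row["account_id"]):
        problems.append("account_id not in expected format")
    try:
        date.fromisoformat(row["posted_date"])
    except ValueError:
        problems.append("posted_date not ISO 8601 (YYYY-MM-DD)")
    if not AMOUNT_RE.match(row["amount"]):
        problems.append("amount not a signed decimal with two places")
    if not CURRENCY_RE.match(row["currency"]):
        problems.append("currency not a 3-letter code")
    return problems


def process_file(text, sor_count, sor_total):
    """Validate rows, then balance the accepted rows to the trailer and to the system of record."""
    report = FileReport()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    trailer = lines[-1].split(",") if lines and lines[-1].startswith("TRAILER,") else None
    body = lines[:-1] if trailer else lines
    seen_ids = set()
    # The header is line 1, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO("\n".join(body))), start=2):
        problems = row_problems(row, seen_ids)
        if problems:
            report.rejects.append((line_no, "; ".join(problems)))
            continue
        seen_ids.add(row["txn_id"])
        report.accepted.append(row)
    count = len(report.accepted)
    total = sum((Decimal(r["amount"]) for r in report.accepted), Decimal("0.00"))
    if trailer is None or len(trailer) != 3:
        report.notes.append("trailer record missing or malformed; file cannot be balanced")
    else:
        try:
            t_count, t_total = int(trailer[1]), Decimal(trailer[2])
        except (ValueError, InvalidOperation):
            report.notes.append("trailer count/total are not numeric")
        else:
            if t_count != count:
                report.notes.append(f"trailer count {t_count} != accepted count {count}")
            if t_total != total:
                report.notes.append(f"trailer total {t_total} != accepted total {total}")
    if sor_count != count:
        report.notes.append(f"system-of-record count {sor_count} != accepted count {count}")
    if Decimal(sor_total) != total:
        report.notes.append(f"system-of-record total {sor_total} != accepted total {total}")
    report.balanced = not report.notes
    return report


# Constructed sample files. The second carries the defects the text warns about:
# a non-ISO date, an amount without two decimals, a missing account_id, a duplicate id.
CLEAN_FILE = """\
txn_id,account_id,posted_date,amount,currency
T1001,US12345678,2024-09-03,125.00,USD
T1002,US12345678,2024-09-03,-40.50,USD
T1003,US87654321,2024-09-03,19.99,USD
TRAILER,3,104.49
"""
DEFECTIVE_FILE = """\
txn_id,account_id,posted_date,amount,currency
T2001,US12345678,2024-09-03,125.00,USD
T2002,US12345678,09/03/2024,40.5,USD
T2003,,2024-09-03,19.99,USD
T2001,US87654321,2024-09-03,7.00,USD
TRAILER,4,192.49
"""
```

Running `process_file(DEFECTIVE_FILE, 4, "192.49")` rejects three of the four rows and reports four balancing discrepancies, because rejected rows are excluded from the accepted count and total; that is deliberate, so a file with any reject cannot balance and cannot be loaded silently. The clean file balances to both its trailer and the system-of-record figures.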

In closing, if you are considering setting up a Fintech, or if you are a Bank considering becoming an Issuing Bank Partner, do your homework. Know what you are getting into. If you set everything up well and maintain good oversight your risk will be lower and your chance of success higher. 

If you are already in the Fintech space and have thoughts about how regulators are managing risk, key regulators issued a joint statement and request for information (RFI) in July, and the deadline for weighing in on bank-fintech arrangements has been extended to October 30, 2024. The regulators are looking in particular at third-party risk.

Finally, here’s a handy resource to leave you with: the OCC’s Model Risk Management handbook (part of the Comptroller’s Handbook).

Check in next week for a discussion on Operations.

This is the third in a series of collaborative articles by iLEX Consulting Group and iDENTIFY.

About iLEX

Since 2012, iLEX Group LLC has been a leader in delivering expertise in the FinTech industry, with a robust background in compliance, operations, and client management. We bring our clients’ visions to life with our ingenuity, partners, resources, and leadership.

About iDENTIFY

iDENTIFY has become a leading fintech software company by providing banks with the tools necessary to unify their customer data. With several years of providing solutions for the banking industry, our vision is to streamline internal operations, create convenience for our clients, and give banks faster-to-market solutions.
