Banks entering into a third-party partnership with a fintech need to define the maturity level of the potential partner and craft a flexible governance and control framework that adapts to the various growth stages of the firm.
That’s according to new guidance released by the Alloy Labs Alliance, a bank technology consortium comprised of community and mid-size institutions.
The guidance, which was created by sourcing feedback from a dozen of the consortium’s member banks in addition to input from consulting firm Crowe LLP, promotes the use of a risk management framework called the minimal acceptable maturity model.
The model, which was crafted by Crowe, outlines the risk management practices banks might expect from fintechs at varying stages.
A fintech at the “ad hoc” or first stage, might have a reactionary risk management process that identifies risk events after they happen, whereas, a more mature firm, such as one at the “optimizing” stage, may have risk management requirements embedded in their first-line process execution, according to the guide.
The model aims to give firms an idea of how risk-management oversight from the partnering bank may change or evolve as the fintech’s maturity develops.
“You essentially need to develop a risk management program that’s incremental and adaptable,” said Clayton Mitchell, managing principal of fintech at Crowe.
When a bank enters into a partnership with a fintech, the level of risk associated with that partnership is dependent on a number of factors, such as client exposure, control over decision making and service-level agreements, Mitchell said.
Banks should use the model as a guide, ensuring that as their fintech partner crosses key thresholds, banks have a governance and control framework that adapts to that growth, Mitchell said.
“The level of maturity or the level of rigor that goes into your people, process, technology and data, and the investment that you make, should be consistent to drive that governance and control over the relationship, commensurate with the opportunity and revenues that you’re seeking to generate, such that you develop a sustainable long-term growth model,” he said.
Evaluating the maturity level of a potential fintech partner can also help banks determine how much time and energy a certain tie-up will require.
In that respect, Mitchell said he hopes the guide can help give firms a realistic idea about what to expect when crafting a risk-based, compliant partnership with a fintech.
“For the organizations who have been in this business for a long time and have struggled to execute risk-based due diligence and ongoing monitoring, it gives them almost a sanity check against what they are doing and why they’re doing it,” he said. “I think it also gives the organization that’s looking to get into this business a bit of a realization that the opportunity doesn’t come without the cost. You have to go into it with the realization that there’s a lot of work here.”
The guidance comes as regulators have stepped up their scrutiny of bank-fintech partnerships.
Interagency guidance released by the Office of the Comptroller of the Currency, Federal Deposit Insurance Corp. and Federal Reserve in June, emphasizes that banks have a responsibility to deploy proper risk-management practices in their dealings with fintechs.
“[A]s part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships,” the guidance said.
Alloy’s guide aims to help financial institutions translate that regulatory guidance into actionable steps for financial institutions, said Lauren Houpt, fintech program manager at Alloy Labs.
“Our members were telling us they needed something digestible, almost like a checklist,” she said.
A portion of the guide outlines certain scenarios a bank might encounter in a partnership, detailing examples of what could go wrong and steps a bank can take to resolve the issue.
“The heart of this effort is to actually create a standard so that the banks know what they need to do and the fintechs know what they need to do,” Alloy Labs CEO and co-founder Jason Henrichs said. “Either the bank does it, or the fintech does it, but someone has to do it. You can’t just outsource.”