Partnering with a FinTech? The Compliance Buck Stops with You
July 24, 2024
By Ogie Sheehy and Jovilyn Herrick
Credit union vendor profiles have only gotten larger and more complex as the demand for digital banking experiences has grown. To earn and maintain member business, credit unions are partnering with a plethora of innovators—some well-established, others still in startup phase.
Despite fintech organizations having the ultimate say on how they will operate and the rules they will follow, credit unions remain solely responsible for staying in compliance with strict rules and regulations when partnering with a fintech vendor.
Upfront vendor due diligence takes many different forms depending on the scope of the potential partner’s access to sensitive data, the credit union’s policies and procedures, and of course, the credit union’s risk tolerance framework. Regardless, a credit union’s main goal should always be a thorough investigation of the fintech partner’s culture of compliance.
Locating FinTech Partners on the Compliance Culture Continuum
Across the industry, fintech compliance cultures fall on a continuum that ranges from reactive to basic to proactive. Determining where a potential partner lies on that continuum can tell a credit union a lot about the safety and soundness of a possible collaboration. It can also give credit unions an idea of what life with this partner will be like long after implementation.
In today’s fast-paced and highly connected environment, three key questions are particularly well-suited to uncovering a fintech partner’s culture of compliance. Credit unions should consider including these in all relevant requests for proposals (RFPs), which should be distributed to a minimum of three providers where possible for a well-rounded assessment.
Q1: What is the Turnaround Time for Technical Issues?
Aside from ensuring the vendor is committed to providing a good partner experience, the answer to this question can also impact a credit union’s complaint management program—something consumer protection regulators are increasingly eyeing as a measure of a financial institution’s management.
Credit unions are expected to document the collection, analysis and response to all consumer complaints. It’s important to evaluate a vendor’s level of awareness and commitment to collaborating for compliance success in this area. Given the average credit union’s high dependence on technology, a fintech partner’s willingness to respond swiftly and thoroughly when needed could be the difference between a satisfied member and an exam finding.
Specificity is important here. Can the fintech partner articulate its tech-issues response process in detail with time frames? There may be tiers of response, but it’s important to understand what those tiers look like so the credit union can assess the adequacy of the vendor’s likely response.
Q2: What is the Minimum Amount of Member Data You Need to Perform?
Many fintech vendors are digital natives with large appetites for data. For some, accessing and brokering data is more important to their business model than revenue. Credit unions should always limit the amount of member data leaving their systems, and fintech providers with an innovative culture of compliance will be willing to get creative to solve for any deficiencies that reduced data sharing brings up.
It's important to watch out for scope creep here, as well. Will the vendor require different pieces of personally identifiable information (PII) down the road? Is a Phase 2 or 3 of implementation coming up, or a new platform module expected to be added in the future? If so, how will that change data-sharing expectations? And if those expectations are not met, what are the performance or experience trade-offs the credit union can expect?
Q3: What is Your Data Breach Response Plan?
Although this is a fairly standard RFP prompt nowadays, there are some important partner-forward procedures to sniff out to pinpoint a vendor’s culture of compliance. Because third-party breaches are often more severe than first-party breaches, it’s important to understand who is responsible for which tasks should a fintech partner’s breach impact a credit union’s systems or its members’ PII. Essentially, the credit union wants to know how much ownership a partner is willing to take in the event of a breach.
Some of the finer points to include or watch for in a response to this question include:
- Who is responsible for the credit union’s costs associated with a breach response if a fintech partner is compromised?
- Which state data breach notification rules govern the fintech provider’s response, and how willing are they to also adhere to the credit union’s own state rules should it become necessary?
- What are the markers of a successfully completed breach response, and is the partner’s experience considered when making such an assessment?
Ongoing Compliance Culture Evaluation is Essential
Upfront vendor due diligence is, of course, just one piece of the compliance culture investigation. New ownership, a change in executive leadership or board personnel, market pressures—any number of things can redirect a fintech’s governance, risk and compliance strategy.
Ongoing requests for required documentation, periodic threat assessments for high-risk vendors, and good old-fashioned, human-to-human conversation are essential for keeping an eye on partners’ compliance commitment. Particularly for those credit unions with a long list of vendors to manage, a technology platform or software product can help manage evaluations, ongoing collaboration and task management, contract renewal deadlines, oversight and reporting.
Originally published in Finopotamus on July 22, 2024.