Banks beware – regulators are only increasing scrutiny of bank-fintech partnerships, and they’re focusing more and more on just how effective compliance controls are.
Regulators are moving away from traditional dip sampling methods toward 100% automated compliance testing. Banks and fintechs should view this as an opportunity to invest in their future growth: knowing their controls are working exactly as they should means they can safely, confidently, and more aggressively pursue new revenue lines.
The OCC, FDIC, and Federal Reserve just released a joint statement on the “potential risks” between banks and their fintech partners that provide deposit products and services.
Regulators emphasized the risks in these three areas:
1. Operations and compliance
2. Growth
3. End-user confusion
The guidance that regulators provided focused on developing adequate internal controls, policies, and procedures to manage risk in these areas.
Considering that this comes after a slew of consent orders this year, it’s clear the underlying sentiment is that financial institutions need to improve their risk management and compliance programs, and ensure that they are effective. If they don’t, it could cost them time, money, and growth opportunities – and, in worst cases, cause them to fail.
“When it comes to compliance testing, the biggest challenge financial institutions face is testing with enough frequency and coverage to confidently identify issues early on,” says Jame Sloan, banking risk management advisor at Cenerus.
Dip sampling has long been the default method for testing the effectiveness of controls, and it has its flaws. It’s still a primarily manual process and only tests a small percentage of accounts. How can banks and fintechs confidently say that their controls are working and that they are compliant if they’re only testing 1-5% of accounts?
“The effectiveness side is really where we see the biggest gap,” says Katie Savitz, Co-founder and Chief Customer Officer at Cable. “More often than not, when I ask a customer or potential customer how they know their controls are working, the answer is a lot of horror, followed by, ‘Huh, I guess we don’t’ – and regulators are increasingly saying that is not an acceptable answer.”
Historically, effective compliance testing required significant time and resources for manual review. Expanding that to include multiple fintech and/or BaaS partners – all of which might have different types of customers, data, and controls – increases the complexity exponentially.
Trying to manually perform 100% monitoring and testing presents an obvious problem.
Cable’s Automated Assurance removes that barrier. Instead of doing periodic manual dip sampling, Automated Assurance lets banks and fintechs test their controls and regulatory requirements – 24/7, in real-time, with 100% coverage, and without having to increase manpower.
Financial firms no longer have to wonder if their compliance controls are working – they’ll know right away. Now, compliance teams have the power to be proactive in identifying and fixing any regulatory breaches or control failures.
And any new controls that you add are tested from Day 1. So whether you’re expanding your products and services, or entering new markets, you can proceed with confidence and speed.
Noncompliance is the real roadblock to growth – not compliance.
“Ignoring compliance will hinder growth when your strategy gets shut down, [which we’ve seen] in recent enforcement actions,” says Sloan. “Involving compliance professionals in the earliest and ongoing stages of product development will accelerate efforts – applying an afterthought approach will only slow progress.”
Take the FDIC consent order against one of the biggest fintech partners in the industry, Cross River Bank. Regulators found that the bank engaged in unsafe or unsound fair lending compliance practices related to its credit product. As a result, Cross River now must obtain FDIC approval before entering any new third-party partnerships, in addition to conducting risk assessments and developing fair lending controls.
Cross River’s business model hinges on fintechs. Having to first get FDIC approval before proceeding with new fintech partnerships and credit products will slow down their ability to onboard new partners and grow.
“Regulators expect banks to define success, and plan for and execute monitoring and testing to confirm processes are working as intended,” says Sloan. “100% effectiveness testing of automated processes can help to compel confidence in [a company’s] ability to detect issues early.”
Aside from the financial consequences, banks and fintechs need to consider the potential reputational damage. Losing the trust of your customers and regulators can be nearly impossible to overcome – just look at Wells Fargo.
By taking a proactive approach to compliance and effectiveness testing, banks and fintechs can avoid negative headlines, and build trust with both consumers and regulators – which also smooths the road to future growth.
Banks need to be able to show regulators that their controls are working. That helps build trust and strengthen their relationship with them, which is integral to growth. Having that open dialogue with regulators is important: If they understand what your firm is trying to do and know that your firm has effective controls in place, they will be more open and supportive of innovation and strategic partnerships.
The financial industry is increasingly becoming automated – which can improve efficiencies in many areas, but also add risks in others.
Effectiveness testing isn’t new, but being able to automate 100% of that compliance testing is, and it’s clear the industry overall is headed in that direction. As early adopters, firms can provide strategic guidance and shape expectations for the industry and its regulations.
“As banks turn increasingly to fully automated banking operations, Cable and other compliance and risk technology should become a standard part of the tech stack, like AML transaction monitoring is to money movement,” Sloan believes.