Three Focus Areas for Banks Conducting Diligence on Fintech Firms
2016 marked the beginning of a détente between banks and financial technology (Fintech) firms. After years of adversarial jockeying, banks and Fintechs determined they are better allies than rivals.
Banks that once feared Fintechs would replace them now appreciate Fintechs as valued partners capable of fast innovation. Fintechs are likewise realizing they can leverage banks’ established infrastructures to scale and reduce customer acquisition costs. These complementary strengths have prompted banks to partner with, and acquire, Fintech firms.
This article highlights three regulatory focus areas for banks as part of the diligence process in a Fintech partnership or acquisition.
Banks considering a Fintech partnership or acquisition should evaluate the firm’s compliance with anti-money laundering (AML) laws and regulations. At a minimum, diligence must assess the adequacy of a Fintech’s AML compliance program, including its internal controls to mitigate money laundering and related financial crimes.
Diligence should target trouble areas based on the breadth and complexity of the Fintech’s operations. For example, an online lender originating small business loans faces different AML considerations than a money services business, which is directly subject to AML regulation. In targeting blind spots, banks should proactively identify risks associated with foreseeable misuse of a Fintech’s products and services.
The diligence process is also an opportunity for banks to define AML expectations, requirements and responsibilities for Fintech firms in a partnership or acquisition. For example, a bank may require a Fintech to hire specialized AML personnel, undergo audits and allow regular monitoring by the bank or an independent AML specialist.
Banks and Fintechs should use the diligence period to work together to remediate compliance gaps to prevent AML violations. Fintechs can also leverage feedback from the diligence process to calibrate their AML programs to satisfy regulatory scrutiny and related third party risk management standards.
Banks should view cybersecurity as a separate and more involved area of the diligence process.
Unlike other firms, user data and intangible assets comprise a significant portion of a Fintech’s enterprise value. Zero-day attacks and cyberbreaches may lead to private lawsuits and regulatory enforcement actions. These incidents erode a Fintech’s value and damage the reputation of a partner or acquirer. Therefore, banks should conduct extensive cybersecurity diligence to identify vulnerabilities, and comprehensively assess a FinTech’s internal policies and vendor management systems.
As a baseline, Fintechs should maintain robust cybersecurity infrastructures that require systems testing, monitoring, and incident response plans. These plans must provide for external reporting to authorities, customers, and affected third parties. Banks may also consider restricting a Fintech’s access to specified parts of its technology network.
During diligence, banks may consider retaining independent cybersecurity experts to better understand a Fintech’s threat exposure, data management, and security practices. Banks should ensure partnership and acquisition agreements contain appropriate indemnification provisions, and tailored representations and warranties addressing cybersecurity.
Consumer Protection Laws and Regulations
Banks partnering with or acquiring Fintechs must diligently assess the Fintech’s compliance with consumer protection laws and regulations.
Depending on the scope and type of product or service offered, banks will evaluate an array of consumer protection laws and regulations. These laws are enforced by state attorneys general and the Consumer Financial Protection Bureau (CFPB), and range from fair lending laws to the prohibition of unfair, deceptive, and abusive acts or practices (UDAAPs). The CFPB has defined UDAAPs through enforcement activity, and federal banking statutes provide little guidance as to what constitutes an “abusive” act or practice. Therefore, banks should be prepared to make certain adjustments to the value of a partnership or acquisition based on a firm’s compliance with UDAAPs.
A well-designed diligence process focused on consumer compliance can uncover regulatory issues, mitigate risk, and assist banks and Fintechs in appropriately valuing partnerships and acquisitions. Fintechs should be prepared to discuss details of its internal consumer compliance policies, regulatory issues encountered, and the resolution of such issues with prospective partners or acquirers.
Strategic diligence is a key component of a successful Fintech partnership or acquisition. Fintechs maintaining robust AML, cybersecurity, and consumer protection practices will have superior bargaining power in negotiations, and be well-positioned for a partnership or exit. When conducting diligence, banks should retain teams of internal and external professionals familiar with the regulatory landscape and focus areas above.