Managing Cybersecurity and Privacy Risks in Fintech Relationships
Credit unions bear the ultimate responsibility to safeguard member nonpublic personal information and financial transactions.
As consumers spend more time and money online, they also expect to conduct their financial transactions and manage their accounts electronically. Credit unions are looking to use more digital channels to meet member expectations and employ a variety of technological innovations to help offer more products, improve efficiency and lower operating costs. Partnerships with financial technology or “fintech” providers may present a wealth of opportunities for credit unions.
However, credit unions must consider the potential risks of doing business with fintech providers and manage those risks appropriately. The due diligence and oversight a credit union conducts and maintains in connection with any third-party relationship applies to evaluating a potential fintech partnership.
Credit unions bear the ultimate responsibility to safeguard member “nonpublic personal information” (NPI) and their financial transactions. Credit unions must ensure that fintech providers understand and implement similar safeguards to address potential information risk (which includes cybersecurity and privacy risks).
Manage Information Risk Throughout the Lifecycle of the Fintech Provider Relationship
Managing information risk is an ongoing process, assessed and adjusted as circumstances change. Controls that are effective now (given current technologies, the threat landscape, and legal and regulatory requirements) may not be adequate, or even applicable, later. Decide up front how the credit union will monitor its relationship with a fintech provider so that the relationship can adapt as those conditions change.
The “lifecycle” of a fintech provider relationship includes these milestones:
- Planning: Identify the potential information risks associated with a fintech provider before those risks arise.
- Fintech provider selection: Evaluate and choose providers with an eye toward addressing and minimizing those risks.
- Contract negotiation: Insist upon written contracts that consider the value of information assets (such as NPI) and address information risk.
- Ongoing oversight: Monitor provider performance over the life of the relationship.
Conduct Advance Planning (Identify Information Assets and Risks)
- Designate those individuals and groups with specific responsibility for managing the relationship that will continue throughout the term of the contract.
- Identify those information assets (NPI, other confidential information) that will be shared with a fintech provider.
- Consider the laws and regulations applicable to the relationship between the credit union and the fintech provider.
- Plan for how the credit union will assess potential fintech providers, negotiate a contract with information security and privacy provisions, and oversee the fintech provider’s performance of the parties’ contract.
- Determine the potential negative consequences (financial, legal and regulatory, and reputational) that a fintech provider security incident, system outage or network intrusion might have on the credit union’s business and operations.
Undertake a Robust Selection Process (Make Sure the Fintech Provider Can and Will Protect Information)
- Investigate before selecting a provider. Due diligence at a minimum requires an assessment of a fintech provider’s legal and regulatory compliance, financial condition, and business experience and reputation.
- Consult publicly available information (including background and reference checks through the Better Business Bureau, the Federal Trade Commission, state attorneys general and state departments of consumer affairs) to learn about a prospective partner’s business history, customer complaints and litigation, Securities and Exchange Commission and other regulatory filings, and its website and other marketing materials. For startup companies with little operating history, insist on references from other credit unions or similar financial institutions with which the provider has done business.
- Review the provider’s risk management and information security programs (and any written documentation associated with them, including policies, processes and internal controls). Consider any certifications the provider holds, such as ISO/IEC 27001, and keep in mind that NIST publishes frameworks and standards rather than certifying organizations, so a claim of NIST “certification” means, at most, self-asserted alignment with a NIST framework. Review the results of any independent information security assessment or audit the provider has undergone (for example, a SOC 2 report), paying attention to the scope of the assessment and any exceptions noted in it.
- Evaluate the provider’s resilience, or ability to respond to various service disruptions or breach events. Does the provider have a disaster recovery or business continuity plan? And what kind of incident reporting and management programs does the provider have in place? Has the provider considered information risk in creating its own processes and systems?
Contract Negotiation (Define Rights and Responsibilities)
- Negotiate a written contract specifying the rights and responsibilities of the parties, addressing in particular the credit union’s direct Gramm-Leach-Bliley Act privacy and information security obligations. The credit union’s own safeguarding obligations do not transfer to the provider; the contract is how the credit union requires the provider to implement appropriate measures on its behalf. If a provider will have access to NPI or other confidential or sensitive information, the contract must define the specific information provided to the provider and the provider’s obligations regarding that information. If other legal or regulatory requirements govern information provided to the provider, the contract should spell out clearly that the provider must comply with all such requirements.
- Limit the purposes for which the fintech provider can use and share NPI. Will the fintech provider use NPI in a manner consistent with the credit union’s privacy policy?
- Be very clear about the parties’ responsibilities if the credit union’s systems will interface with those of the fintech provider: which party secures the integration itself (authentication between the systems, protection of data in transit, and access controls on any shared credentials or API keys), and who is responsible for testing the interface for compatibility and security before it goes into production.
- Spell out the information security safeguards to be employed by the provider, and the credit union’s oversight rights to ensure provider compliance with those safeguards. The credit union may require annual third-party assessments, audits and/or examinations of the provider’s security systems and practices to ensure ongoing compliance with the contract.
- Designate the requirements and procedures to be followed by the provider in the event of a security incident, including notification within a defined number of hours rather than merely “promptly” (the credit union’s own regulatory and member notification obligations begin to run once it learns of the incident), full cooperation, preservation of relevant logs and evidence, and the assignment of responsibility for response, mitigation and remediation activities.
- Include reimbursement, indemnification and applicable insurance requirements (including cyber liability insurance, if appropriate).
- Define the events that will bring about default and termination under the contract, and plan for the transition from that provider to another provider (or the migration of those functions back to the credit union), including the return or verified destruction of NPI held by the provider and the effect the transition may have on the credit union’s ongoing operations.
Ongoing Oversight (Assess, Adjust and Adapt)
- Maintain clear roles and responsibilities for monitoring the performance of the provider over the life of the relationship.
- Evaluate a provider’s performance and compliance periodically. As a credit union must continually assess, adjust and adapt to evolving information risk, so too must its business partners.
- Consider whether information security standards, insurance requirements and other obligations set out in the contract must be revised based upon the parties’ experience, changes in the legal or technological landscape or other factors. It is said that “you can outsource responsibility, but not accountability.” While exploring the many opportunities fintech providers offer to credit unions and their members, make those providers accountable in the areas of cybersecurity and privacy.
Jack Pringle is a Partner for Adams and Reese. He can be reached at jack.pringle@arlaw.com.