Managing Third-Party Risk in Fintech Partnerships
Gain an insider perspective on fintechs and third-party risk management.
Overall, credit unions are aware of the many benefits of fintech. By partnering with fintech firms, credit unions can expand their membership and offer members convenient, top-of-the-line services, but not all fintech firms are the same, especially in regard to risk management. I learned firsthand some pitfalls every potential fintech client should avoid, but before we get to that part, let me share my story.
An Insider Perspective on Fintech and Third-Party Risk Management
About seven years ago, many of my friends and colleagues were leaving their conventional finance, accounting, law and consulting careers to work for technology firms. These firms usually offered high salaries, great benefits, a more casual work atmosphere and, most importantly, innovative opportunities. After nearly two decades working in traditional large banks, I, too, was itching for a change. I soon landed a position as director of third-party risk oversight for a fintech specializing in peer-to-peer lending. It was an exciting time in my career, but fraught with hard lessons, and I developed a unique perspective shaped by my own experiences and those of my peers and colleagues in risk management roles at various fintech firms.
My memories of that time remind me of the scene from “The Wizard of Oz” where Dorothy’s dog, Toto, pulls back the curtain behind the “great and powerful Oz” to reveal only a befuddled man pulling levers and blowing smoke. Every fintech application has more to it than meets the eye. Underneath the engineering, behind the code and beyond the marketing, it’s just a bunch of people. It’s people, not technology, who pull levers and make decisions, and the majority of those people are brilliant, hard-working and under extreme pressure, and despite their best intentions sometimes have tunnel vision.
Traditional business culture typically separates finance professionals and technologists, each with their own language, experiences and concerns. For example, to safeguard members’ interests, a credit union must first adhere to regulatory requirements, even if it means taking longer to implement a new system or forgoing a faster process in favor of better data security. Meanwhile, a technology provider may focus on revolutionizing conventional service delivery, fixing system bugs or experimenting with solutions.
The term fintech is a portmanteau representing the joining of finance and technology, and to succeed, fintech firms need both technology and finance expertise. Many fintech firms have struck the right balance between these two poles. Still, some fintechs employ finance professionals purely as a necessity and technology drives the business.
So, why is this relevant to credit unions? Despite the ample information available to any credit union considering a fintech partnership, third-party risk management is rarely discussed. Fintech firms must be treated as third-party relationships and undergo appropriate due diligence. Their third-party risk management practices must be carefully scrutinized as part of that process.
How Strong Is the Fintech Firm’s Third-Party Risk Management?
Fintech firms engage many service providers and other technology companies to bring their unique products to market. Those products need lots of data to improve financial services for your members, meaning that their vendors may have access to sensitive information. Many of those vendors are also focused on innovation and may even be startups with only two or three employees. Information security, privacy and regulatory compliance should be top concerns.
Yet, third-party risk management is often a weakness for fintechs, especially early startups.
When considering a potential fintech partner and its third-party risk management practices, do the following:
Review their third-party risk management policy. No policy or an inadequate policy should be a red flag.
- How well does the policy align with best practices and NCUA regulations?
- Are third-party risk management fundamentals covered, including planning for vendor relationships, evaluating risks associated with vendor engagement, conducting due diligence and setting clear expectations for ongoing risk monitoring during the relationship?
- Do they have appropriate governance and oversight over third-party risk management, and are senior management and the board engaged?
Interview the third-party risk program manager. Examine the resume, background and experience level of the employee responsible for third-party risk.
- Do they have the right practical experience, and how qualified are they?
- How well do they understand NCUA requirements?
- Are they able to describe the third-party risk management lifecycle accurately?
- What are their program’s general strengths and weaknesses, and plans for improvement?
You don’t want to be surprised if the head of third-party risk management doesn’t have the expertise, or if the role is simply a side task for an administrative assistant or legal team member.
Require a list of the fintech firm’s critical third parties. Credit unions and their members can be materially impacted by your fintech partner’s critical third parties.
- Do they have a list of their critical vendors, including what they provide, who is responsible for them and if there are any open issues?
Failure to identify and adequately manage their critical vendors spells trouble.
Request proof. An excellent way to understand how robust a fintech firm’s third-party risk management practices and controls really are is to ask them to “show their work.”
- Can they provide samples of inherent risk assessments, due diligence evidence and subject matter expert reviews?
Ask about their subject matter experts. Remember, subject matter experts should have robust knowledge, skills and expertise in their specific risk domains, and as a best practice hold professional certifications and credentials in those areas.
- Who reviews vendor due diligence questionnaires and documentation to verify that vendors’ risk practices and controls are adequate?
- Do those individuals have the necessary knowledge, skills and professional certifications and credentials in their respective risk domains?
Require completion of due diligence before beginning any work with a vendor. Because speed is often the driving factor, it may surprise you that some fintech firms work with vendors before signing a contract, let alone performing due diligence. Your credit union will be protected from unnecessary risks by requiring complete due diligence before contracts are signed and work commences.
- Do they complete due diligence before beginning work with any vendor?
There is much to like about fintech and credit union partnerships. Still, there’s much to consider before entering one. The original goal of disrupting the financial system has shifted into being a strategic partner for financial institutions. Financial regulators have weighed in, and what was once the wild west is not quite as wild these days.
Still, technology alone will only get you so far without healthy risk management. To be successful in any partnership, credit unions should stay open to possibilities, explore options and understand the fintech firm’s risk management practices – especially third-party risk management.
Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy, Venminder, Elizabethtown, Ky.