Traditionally, many fintechs have been founded with the goal of selling their product directly to consumers. Over time, however, this focus has shifted to partnering or even merging with financial institutions instead of trying to compete.
Both parties recognize the value of working together, but I’ve found that bankers and fintech executives alike are still expressing frustration throughout seemingly every step of the acquisition process. The answer may lie in a recent study by the Fintech Innovation Lab of New York, which found that 60% of polled bankers cite regulatory, compliance or security issues as “major stumbling blocks” in purchasing technology. Fintech executives, on the other hand, identified budgeting issues, competition with internal products and perceived risk of displacing internal teams or negating past expenditures as their top concerns.
It’s my belief that the friction stems from the fact that fintechs do not fully understand what risk management looks like from a bank’s perspective. Often established by a small team of IT professionals, former executives and investors, fintechs focus the majority of their time on creating a viable product, rather than on creating a due-diligence package that outlines the fintech’s stable business structure, continuity and/or security of their product. The absence of these features is a major red flag for bankers.
At the same time, banks are relatively new to navigating the world of risk management, and even newer to vendor risk management involving highly complex technologies. Fintechs, for example, may consider mobile banking an “old-school” offering, but many financial institutions are still trying to wrap their heads around what data is being transferred, how it’s being stored and what security parameters are in place. This concept becomes even more complex when applied to technologies utilizing blockchain or cloud-based application programming interfaces.
Then there’s the issue of reporting. Now more than ever, federal and state regulators are scrutinizing banks. Regulators require that banks have risk-appetite statements in place and conduct periodic IT audits — these standards, in turn, trickle down to fintechs through financial institutions.
Regulators, for instance, generally require banks to have contingency plans in place to get services back online within 72 hours of an outage. This means that a bank will look to the fintech to complete their portion of the puzzle — essentially outlining all the steps it would take to ensure services are available to customers, regardless of how an outage occurred. Additionally, a fintech will be required to provide relevant Service Organization Control reports, security controls and their own internal and external IT audits to validate their controls. All of this should be part of a pre-defined, due-diligence package, but it too often isn’t.
Fintechs can also find themselves subject to direct regulatory scrutiny, depending on the services they provide. Unfortunately, these exams often uncover lax standards on the part of the fintech, which are communicated to the fintech’s bank customers and can deter bankers from working with them in the future. In situations such as this, the best way for fintechs to address regulatory issues is to ensure that they meet the applicable requirements under the Federal Financial Institutions Examination Council’s guidelines for supervising technology service providers before examiners arrive. If issues are noted by the regulators, the fintech then needs to create a response plan for aggressively addressing these deficiencies in a timely manner to reassure their bank customers.
Coupled with federal and state scrutiny, bank customers have become more critical in their analysis of their financial institutions. The ever-present risk of reputational damage is an even more significant factor for banks today and, as the industry continues to consolidate, there is little room for error. For fintechs, this means taking the extra steps necessary to demonstrate their commitment not only to helping the financial institution improve operations, but also to ensuring the integrity of any data shared between their respective organizations.
With all of this being said, however, bankers should set expectations early in discussions with fintechs, before delving too deep into the sales and demo process. Costs matter for startups, and time spent with one institution is time not spent with another — meaning, if a bank has only cursory interest in a product, then there are likely other, more established vendors for them to seek out.
Exploring these differing perspectives and finding ways to bridge them is crucial for banks and fintechs. The better these two groups understand each other, the better they’ll be able to collaborate.