Key takeaways:
- How Banks View Fintechs, Bank Onboarding of Fintechs and How Fintechs are different from direct customer relationships
- Third party regulatory and compliance issues: Common risk areas that banks & fintech partners have to focus on
- Building an Effective Third-Party Risk Management Framework
Juan Azel (00:10):
Financial services partner, a FinTech law partner, really providing FinTech law in a box services to both banks in the FinTech space and fintechs. And that includes regulatory compliance, structured finance, that kind of good stuff, all in a box. But I'm more than, it's a pleasure I should say, to be here on stage with two individuals who are really them and their companies need no introduction. And they're both colleagues, former colleagues and friends. In some instances, both friends, former colleagues. In some instances I want to have them introduce themselves, but to my right is Amy Pugh from Green Dot Corporation. And then to my right, right is Donna Do from Deputy General Counsel of Intuit Inc. So do you want to introduce yourselves.
Amy Pugh (01:03):
Sir? Thank you. It's a pleasure to be here. As Juan said, I'm Amy Pugh, I'm general counsel of green.bank. I've taken many paths to get to this position. I was originally in traditional banking and then moved over to program management side. I then went to an actual FinTech itself and then kind of came full circle with Green Dot, where we're a FinTech that has a bank. So we're a little neurotic sometimes because we wear two hats, but it seems to be working well and we partner with a lot of innovative people like Donna at Intuit. So it's a pleasure to be here and to be with this panel. And as Juan said, we are friends and luckily I don't think we're frenemies, but we're not in the relationship counseling phase quite yet. But I will let Donna introduce herself.
Donna Do (01:56):
Thank you. Pleasure to be here. My name is Donna Do. I'm Deputy General Council at Intuit, and I am just delighted to be here on stage. We are definitely not frenemies. We're definitely friends and we'll talk about our collaboration in this segment. But I formally was at PayPal leading our consumer product legal division. And then now I'm at Intuit and I lead the money organization, which includes payments, lending and banking. And I am pleased to be here with my colleagues.
Juan Azel (02:26):
Thank you to both. I like statistics. I don't know if anybody else likes statistics, so I'm going to read you some statistics, right? They say that 95% of statistics are made up. But anyway, in 2001, if you guys may remember a report by Plaid in terms of what the fintechs mass adoption in the US was, right? 88% of US customers in 2021 were using FinTech or some type of technology to manage their finances, right? Financial technology that's more than video streaming and social media, just under internet usage. That was a across all age groups, all affinities, right? Can anybody guess what the number one product or app was that they were using? Hints, payments form. Yeah, it's payments and that was number one. So clearly it is something that has captured the US now, that's in the past. What about in the future? What's going to happen? There was an Android market research report, you might guys, I might have seen it that came out last year. They predicted by 2030, over 700 billion in or the worldwide market share of FinTech will grow to that amount, the revenue boost to be driven by mobile wallets, digital currency, and obviously the adoption, continued adoption of smartphones and whatnot. Again, the payment sector was anticipated to dominate that market with, I guess in some cases, perhaps surprisingly so, insurance being one of the ones that would have the fastest growth or maybe not so. But one thing that's interesting there is that banks and their FinTech partnerships were expected to account for the large share of the market. So we're talking about that, the importance of that partnership today, right? Building an effective risk management framework for FinTech partnerships. I think that we've seen already the importance of risk management since last year in FinTech partnerships with Brew Rich Bank. We just saw it very recently with Cross River and we're going to continue to see it I think as we go along. So this is a very timely conference. And so without any further ado, I wanted to ask my panel the first question as to that partnership. What are the challenges and the benefits that you see in partnering between a FinTech and a bank? I'll start with Amy first.
Amy Pugh (04:55):
Great. So I love the statistics and I'm a statistic person too, and I think the benefits, and I think we all know these, right, of those fintechs is the innovation. It's a speed to market. It's bringing things fast to your fingertips, it's convenience. You think about the revolution that's occurred with online banking since really it's not been long. I mean it's been 20, 25 years going from where you were brick and mortar every day to basically being able to have everything at your phone at your fingertips. So the FinTechs have fueled that thinking about prepaid as being the launch truly of moving to this next generation. And the sky's the limit. It's having that sort of innovation, it's having that ability to reach more and more people. It's that ability to have convenience. So I think those are the real benefits. I think the challenges is kind of what the last panel spoke about. It's really having that same understanding and that same vocabulary. When we say short, do you agree with what short means? Do you know with the timeframe? What are the requirements? So I think the challenges of FinTech partnership really get to the understanding and having that same vocabulary, that same sort of where we're going to get there. So I think it's very important for the banks that partner with FinTechs to be very clear, very transparent, very open upfront, and it's very important for the fintechs to be very clear and transparent with the bank. So it's making certain that you're on the same page. Understanding roles and responsibilities. I would say instead of couples counseling, get a good prenup, have your contract, lay out all those requirements, and then hopefully you don't have to go to that next phase. But it's really understanding. It's like dating date a bunch of them. Understand what they're requiring, figure it out, make certain that you're compatible, get a good prenup, get your contract in place, and then having that great relationship. So I think with Donna, we've known each other for a long time. We work really well together, but that's sort of what I see is the benefits and then challenges. And I've kind of told you already how I think you should fix 'em, but I'll stop talking and let Donna speak now.
Donna Do (07:25):
Well, I can agree with you more, Amy, and I'll just augment that a little bit. So from the FinTech perspective, I think it's really important when we're looking at our bank partners, not only to allow us to continue to innovate at speed, but really give our customers the comfort that we're working with a bank that has the protection of FDIC, right? Especially with the Silicon Valley Bank, SVB and signature as well as today with the FRB. I think it's super important that we give customers that kind of comfort. And so I think from a FinTech perspective, not being a bank ourselves, but having the reach that our bank partners can provide to us is really important. And then I think with regard to the challenges, I double down on everything that Amy said is really to chart out at the very start of the relationship and think about the customer journey. Because at the end of the day, it's our shared customer. It's not the fintech's customer, it's not just the bank's customer, it's our shared customer. And any bad experience that one customer experiences has negative reverberating effects on both the bank and the FinTech because that customer will never want to work with Green Dot or Intuit again if they have a bad experience. And so it's really paramount when you guys are looking at those partnerships to really understand that you are part of that customer journey and their success and their happiness throughout their experience with your products is of paramount importance.
Juan Azel (08:59):
So we're hearing a lot of few things there. I mean, we hear from Donna's side legitimacy, right? It's important. Banks provide FDIC insurance, that's that's a sense of legitimacy for customers. We are also seeing innovation from Amy's side, and I saw being on the same page. Which leads me to the next question for you guys. How important is it in choosing the right partner? What do you look for in a partnership? I mean, when we're talking about, I think it's clear that in everything in FinTech as well as in life, to your point earlier about prenup, it's important who you partner with, how important it is to you. I'll start with Donna this time. When you're looking at a bank and you're looking for that level of legitimacy, and as we talk about SVB and we talk about First Republic, how important is it for you in choosing who to partner with?
Donna Do (09:54):
It's extremely important because like I said, at the end of the day, if the customer has a negative experience, whether they're encountering it with our product, both it's our reputation in the line. So if our partner fails in their leg of the partnership, it reflects 100% as equally on Intuit as it does on the partner. And so choosing the right partner is critical. Making sure that we're speaking the same language and have the same goals in mind for that shared customer experience is super important. Just having regular meetings to review opex and review risks and talk about customer complaints as they come in and being able to partner with the bank and that has the agility to actually move and morph with the times, right? As FinTechs, we're constantly chasing what the trends are and trying to keep up with those trends to be able to deliver those relevant and contextual experiences for our customers that really meet the times. And in doing so, we need our bank partners to come along. And so really choosing a bank, and I think green.works well just because they're both a bank and a FinTech, and so they understand the need to move fast and with speed, but with conviction to make sure that we're doing it right. We don't sacrifice doing it right just for the sake of speed. So making sure that those are, I look for those things when I'm doing a proper RFP to look for the right bank partner.
Juan Azel (11:28):
Amy, on the flip side, you look for FinTech's?
Amy Pugh (11:32):
I couldn't agree more. I do think that you have to know your banks. I kind of chuckle because I think back when I started in banking and we didn't really have third party risk management and we didn't have large compliance departments. We maybe had a few officer and a privacy officer and we did a contract, we put it in the drawer and probably never looked at it again. But as it developed, it was like then we started doing due diligence on our partners in creating a third party risk management program. And then I remember the first time as a bank, we had a partner due diligence on us and we were like, you don't do due diligence. We do due diligence on you. I mean, that doesn't fly anymore. You're, you're going to spend a lot of time in making your partners comfortable and they do want to know your credit risk, your liquidity risk, your safety and soundness that you understand what you're doing. And I think the expectation is even more important with FinTechs as a banking partner because you're subject to that regulatory scrutiny and this area is still considered risky. Whether it is or not, it's probably up for lots of debates that we could have after this one. We all have cocktails, but it's like you've got to understand exactly what the product is. You have to understand exactly how the product functions. You have to understand what pieces you're doing, what pieces they're doing, and making certain that it all works together. And that takes a lot of time and energy. I think the due diligence that you need to do now is going to get even greater and there's going to be tighter regulations. Third party risk management has taken a new level because if you think about it, fintechs are stepping in the shoes of a bank. So they have to be able to really understand the rules around them. So you can just no longer look at, oh, do they have financials? Let's give it a try. You've really got to understand their business experience, their legal and regulatory background, their risk management protocols, their info security is huge. All this is online. Cyber risk are huge, and you got to look at operational risk. You've really got to understand each other completely. So I think it's due diligence on both sides.
Juan Azel (13:43):
No, I think that's absolutely right. And when you're talk, well, I mean think it's a good time to, good segue to talk about risk. Now, I think the first risk mid again is choosing who you partner with. I mean, you see how Amy and two huge, very well respected corporations, representatives in the US, that interaction, that day-to-day work, that translates into a panel. It's important again, who you choose when you partner, and that's part of risk assessments and onboarding due diligence. But when we talk about risks, let's take a little step back and see the risks that we're typically focused on. We know that there's guidance out there. We know that there's proposed guidance out there that's still proposed even after almost two years. But we know the risks are strategic risk, they're operational risk, they're transactional risk. There's credit risk, and there's the all scary regulatory compliance risk. What Amy's talking about at the end of the day and what both Amy and Donna are talking about are effective risk management from Amy's perspective, third party risk management. But Donna can't say, well, I'm not, that's you, Amy, that's the bank. No, because we know that we're all in this together. A bank that partners with or a FinTech that partners with a bank is likely considered an institution affiliated party or in some cases a bank service company. So that means that the regulators can go after the FinTech company with enforcement orders. Very scary, but it can happen. So it's a shared risk. So how do we mitigate that from that perspective? We want to have, as Amy was, was thinking in my mind that she's rattling off the tenants of third party risk management, risk assessments, due diligence, both onboarding and periodic contract restructuring, ongoing monitoring and testing in all areas, not just regulatory compliance. This is the future, this is the past and the future, and it's now. And you could see from the enforcement orders that have already come out that this is what the regulators expect us to do in the areas of consumer compliance. Obviously your CMS is incredibly important. Board and management oversight and your compliance program, policies and procedures, complaints, response, right? Auditing and monitoring and training, those components are key. But the good news is it's a menu. You follow this and you ensure that this is built within your organization. You can partner and mitigate the risks on both the FinTech side and the bank side. But Amy, to a question to you where we are seeing enhanced scrutiny, I think that that is clear. Do you see any de-risking in the industry given this focus on third party risk management?
Amy Pugh (16:44):
Yes. I think there has been a large movement, and it seems like there's always a regulatory pendulum. It gets a little more relaxed, people get more comfortable, they maybe take a little more risk. It gets a little tightened. People are retracting from risk and you've seen more increase in enforcement actions, things of that nature. And maybe for a good reason. There's been some things that have occurred that people are now, we're all going to have to basically now respond to that, right? With the things in crypto, and I know a lot of banks were dabbling in crypto and looking to that as a future, and I do think it could be a great way to move money, but then a lot of banks now are de-risking and moving away from it because it's just inviting more and more scrutiny and they've got a lot of scrutiny to deal with. So I think you're going to see more and more banks step away and de-risk as more and more enforcement actions come out and they're going to basically what they do, as soon as one comes out, they get it, they read it, they look at their programs, and they assess it against that and they say, Hey, should we do something differently? So I think you'll see and more of that, and I love the fact that you used a menu, and I want to say that the components of a compliance program are a true set menu that you can't deviate from. It's not all a carte. So unless you're up for fixed, it's fixed prefixed. And then if you add something risky, you're adding a couple more layers. It's like heightened due diligence. So if you want to be in that space, you got to make certain that you're always getting that full menu with those extra pieces and then expect that your regulator's going to be looking at that very, very closely.
Donna Do (18:21):
And it changes, right? Absolutely. The regulatory landscape is changing, one because of the economy, two, because of our administration change, and three, with the recent fallouts of the banks. I mean, things are just changing. And as a result, the regulatory landscape also changes. And so even though you have a menu of risk compliance that you're operating against, you also have to be able to morph with the times. And that's so important because things shift and don't what and have codified maybe a year ago is going to likely change. We're seeing that now kind of unfold in real life. And so I think it's really important to, continues to be agile and really have on both sides very strong compliance sort of checks in terms of what's coming in the pipe and then assessing how that interacts with your own company and your own products and all.
Juan Azel (19:21):
Change management right? Product and service and regulatory change management. One of the components of your contracts as you're looking or lo for the lawyers in the room as you're looking in your program agreements, that is key to what? To Donna's point there. And I think tied to that is when you see a regulatory change coming or your business is changing, your product is changing, the risk is going up, the menu needs to be added, you need to enhance that menu. I think part of the problem I think we see with a lot of banks is that the business side, the innovation which is inherent in this industry rises, and yet the risk mitigants rise at the same pace. So resourcing not enough resources, too much onboarding, not enough onboarding, due diligence reviews, not enough significant due diligence reviews, right? Monitoring and testing lags, all of that is a recipe for ultimately a regulatory problem. And I don't know about you, we have an in, Winston has an incredible regulatory defense team, but I'm a compliance focused lawyer. At the end of the day, I'd rather not get into the problem and implement some risk management, some strong and sound risk management into Amy's point. This isn't, it's not obscure what the tenants are. The regulators tell us what the tenants are. Now we got to make sure we focus on those tenants and improve them. To your point, Donna, you mentioning all of these great components, when you look at a partner, and we talked a little bit about how important it's to choose a partner. Do you look at their compliance framework and then their compliance management systems for example? I guess we talked a little bit about reverse due diligence, right? Is it important for a FinTech to say, this particular bank, I want to make sure that they have a strong risk management framework. Is that something that you guys look?
Donna Do (21:28):
One hundred percent Yes, I mean, it is in fact reverse due diligence. We have a series of questions. We have our own internal compliance team that track against the different regulatory landscapes because at the end of the day, even though we partner with a bank, we're also subject to the bank's regulatory obligations. And we are not immune to regulatory oversight and enforcement actions ourselves. And so we have a very robust internal compliance team that from an email perspective, a sanctions perspective, customer complaints perspective, risk monitoring, identification, our own systems. And so those teams track against what our requirements are from our customer's perspective and our company perspective. And we check to see that our partners have at least a robust, if not more stringent program than ours. And it's a detailed review and it's an ongoing review. It's an ongoing review that doesn't just happen at the due diligence and contracting stage, but constantly as the relationship evolves and as new products and offerings are introduced, it as you innovate and push the envelope through crypto or through other initiatives, additional regulatory frameworks that were not evident at the time in which you contracted become now very relevant. And so like I said, it's an ongoing diligence and it's 100% something we look at.
Juan Azel (22:59):
This is what Donna's mentioning is something that we do for a lot of clients that we absolutely recommend, and we call it a legal and obligation register. Identify and list the laws and regulations that are applicable to your bank or your FinTech company by virtue of your products. Because as your products change, I always use this example, there's probably a lot of people here who offer work in digital wallets or prepaid cards. The minute you add an overdraft component to that, guess what? Tela Ecola, right? Comes in. Maybe Military's Lending Act and a CRA if you're doing overdraft lines of credit. So make sure you have something that when you do that, the business is going to run and you're going to say, well, what a great feature. It's going to make us money. You got to go back and you got to say, okay, how does that implicate? Do we now make a previous law and regulation that was in inapplicable now applicable, and now we have policies and procedures that we have to put in place, we have to put in place controls? That's how you avoid getting in trouble getting into the enforcement issue. But a question for you, Amy, one of the things I would love, and this is one of the things I'm very proud to be here with Donna and Amy, is the communication that they have. The collaboration. How important is that, Amy? And I think it's a apparent here that communication between a bank and a FinTech in mitigating all of the risks we're talking about here today.
Amy Pugh (24:23):
Yeah, I think that that's of most important. Again, you do want to have a good contract. You want to have the basics in there. You've got to have change management. You've got to have the ability to figure out escalation pass and things of that nature, roles and responsibilities, because you don't want to be fighting about that later. It needs to be clearly laid out who's responsible for what, but you can never think of everything. And if you don't have good partner relationships, then you wound up in a situation where you've got a partner, it's like, well, it's not in the contract. And then you're scratching your head trying to figure out how you're going to get it in there, and they're like, we're not going to help you here. So you don't want to be in that spot. But I think that having in those relationships where you can reach out to people and sometimes they're heated, I mean, we've had heated exchanges, but I think at the end of the day, there's respect there and there's a mutual understanding that we're both trying to get it right, as you were saying at the beginning and making certain that we are doing the best thing for customers and doing it in a way that makes sense in today's landscape, which is constantly changing. So I think it's most important.
Donna Do (25:30):
And I will say I liberally use that, and I think Amy and I do that often. I mean, it's just end with the business development leads that for each company, it really gets down to having a good relationship with the compliance and legal teams at both companies. So if there's an issue, either Amy or I will pick up the phone or text each other and say, Hey, I heard this issue come down. You do have, you have a couple minutes to connect. And we connect at our level, and then we align on what the best path forward is. We cut through all the chase, all the thousands of meetings that people need to schedule, and we just pick up the phone and say, okay, here's the issue. This is what's happening. How do we get from point A to point B? And then we just implement, and it's so much faster than all of the millions of emails and slacks and updates and trying to just organize within your own organization and then coordinate with the other organization. So if you can establish a good and tight relationship with your partners, it's so much easier to just operate and still and be that being agile and nimble and being able to react fast is everything right? Because from a customer perspective, if their money is at issue, a minute is too long, especially for our company. We serve small businesses, so access to money at 3:00 PM today is far more important than 3:00 AM tomorrow. So all of the stuff that we work on is to try to help unblock and be able to serve our customers.
Juan Azel (27:15):
So even the largest companies in the world comes down to people, right? Relations and relationship between people on the ground. Okay, one last question because we're kind of running out of time. If you could give one piece of advice, we've talked here a bit about basics. We've talked about strong strength and collaboration. I think those are the important points, but one thing you can give both the banks and the fintechs in the audience in terms of building an effective risk management program, what would you say Amy?
Amy Pugh (27:45):
I would say that you've got to really know your products, right? You've got to know exactly how it works. If you miss a beat, you could miss something that's very important. You miss a regulation, you, you've really got to understand exactly how everything is working and just having that deep knowledge of what the product is, how it functions and the requirements related to it. You've just got to have that knowledge. I will say if I get two pieces of advice, know your partner, because that makes a lot of difference too, because if they're not upfront with you, you might not get the full picture either. So then you're piecing things together later, and that's always difficult. So it's just knowledge.
Juan Azel (28:24):
Choose the right partner and know your product and service, right?
Donna Do (28:29):
Double down on all of that. And I would add that from my perspective, an enormous amount of time has been spent at other companies trying to figure out how to manage an unhappy path, is what we call it. If a customer go goes down an unhappy path, meaning they have a negative experience with our joint product, is there a proper escalation path? You've heard us talk about it, but it's not just an escalation path. It's really like who are the contacts? How so how do we identify an issue once an issue is identified, what are the steps we take to actually fix it? Could be, it's usually much more than just a phone call between me and Amy, but it's really on the ground as the teams are unpacking anything that's happening within their products and managing those customer complaints and really identifying who the points of contacts are and who and when decisions get need to be made and how to implement. It's so important because you will spend an enormous amount of time trying to unpack those things because you're going to get customer complaints and you're going to have to deal with those. And if you don't have a good escalation path, despite what the contract may say, it's really in the weeds, in the weeds of the everyday business. If you don't have that well ironed out with your bank partner, I think it's a disservice to everyone involved, including the companies and most importantly, our customers.
Juan Azel (29:53):
Key component of what we talked about, right? Third party risk management is contract restructuring and review. So I think we're out of time. I don't know if we have time since we were like five minutes late. Are there any questions or maybe one or two questions from the audience? Anyone mean you've got Intuit and Green Dot here. I mean, I would ask, but is there any questions that you guys have for Frame?
Audience Member 1 (30:45):
Hi. So I work for FinTech and we work with sponsor banks, and as a FinTech, we obviously want to be compliant, but our goal is to move as fast as possible. Now, the experience that we've had working with sponsor banks is that we learn all their compliance needs in a drip feed kind of mechanism, and that actually prolongs the process tremendously. So is there a way for us to get, I mean, it'll be extremely helpful to get all that knowledge upfront if Payments forum could do something to make that knowledge institutionalized such that it just makes the whole process of fintechs working with sponsor banks far more efficient than it is today.
Juan Azel (31:36):
I'll act and then very send me very quick and then let 'em know, because we do it with a lot of clients. This is a question comes up all the time, remember from, for the fintechs out there that the sponsor banks are being pushed by guidance, right? There's regulatory guidance out there that tells them, for example, if your FinTech uses a subcontractor and it's a critical activity, you need to review it and make sure that, and have the ability to say, no, you can't use that person. So a lot of what gets imposed on the FinTech to the bank's, for the bank's perspective, they have to do it right now. There's room for negotiation there. I think that where the issues come in is that the bank doesn't, sometimes the sponsor banks don't do a good job of communicating what is required of the FinTech from a third party risk management framework. What are your duties and responsibilities? Ultimately remember one thing for all the fintechs out there, the way the regulators examine banks are as if that activity that you're doing was performed by the bank itself directly. So think of yourself as a branch of the bank, because that's how the regulators are going to view you from the perspective of the bank. So that's why the bank gets very, you have to make sure that you have this and the complaint's response and level one and level two complaints and all of that. But they can definitely do a better job of translating that.
Donna Do (32:52):
I would say that for the FinTech, it's really important to understand the product that you want to partner with the bank to launch. And it is from that product that will dictate the regulatory compliance that you as a FinTech need to comply with. And it is from that product understanding is at the upfront contract negotiations where you actually flush that out and have those conversations early on so you're not just getting it in the drip feed type of manner, right? It's really having that conversation early on. And to Amy's point, really understanding your product, because that will dictate what the compliance obligations are and being having regular forms to check as your product iterates and morphs or you add to it, additional compliance requirements may come into play. And that's the same form when you're talking about it. So, hey, I'm looking at launching this version of the product that's going to have X, Y, and Z features that are different than the prior product. And then talking with the bank, what does that mean for you? What regulatory obligations does that trigger? Having that form of communication, being proactive about that will help you move with speed in the backend to enable your product teams to move faster. And you would just need to have someone that's assigned to do that compliance work and having those conversations early up front.
Amy Pugh (34:18):
Yeah, I'll just add, definitely do your homework and your due diligence. Meet with your compliance partners, meet with the legal people, meet with the risk partners, ask a lot of questions. Ask for a checklist. Okay, what are you guys going to judge me on? Find that out. That's right. That way, once you have that understanding and then meet with them because what you think is short and what I think is short in time might be very different. So go over that checklist and understand what those requirements.
Juan Azel (34:43):
The bank should be able to give you very detailed list. This is your duties and responsibilities under the program management agreement, ABC. This is what you need to do. And if they can't do that, then maybe you need to look for a different sponsor bank really, because the sponsor banks, the true ones in the industry know exactly what you need to do and what's your response going to be. And I don't want to take any more time from everybody else, but thank you so much. I appreciate it. I think it was great. I hope you all felt the same.