On August 27, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) jointly published a Guide on the types of due diligence community banks should engage in when considering arrangements with financial technology companies (FinTechs).
The Guide sets out six key topics community banks should cover when conducting due diligence on a prospective FinTech partner, together with the potential sources of information for each, namely:
Business experience and qualifications: Community banks should consider the following.
Business experience of the FinTech: its operational history, client references and complaints, and any legal and regulatory actions taken against it. The Guide indicates that documents such as a company overview, organizational charts and media reports can provide this information on the prospective FinTech.
Business strategies and plans: to help the community bank determine whether the FinTech's strategies, culture, values and business style are aligned with its own. This information can be found in documents such as the FinTech's mission statement, geographic footprint information, licences and patents, and its company website and social media sites.
Qualifications and backgrounds of directors and company principals: to help assess the knowledge and experience of the FinTech's board and management in relation to the activity sought by the community bank. Sources of information include ownership information and resource plans.
Financial condition: Community banks should consider the following.
Financial analysis and funding: to determine the FinTech's ability to remain in business and fulfil its obligations. Sources such as financial statements, annual reports and lists of funding sources can provide this insight.
Market information: to understand the FinTech's competitive environment and gain additional insight into its viability. This information can be found in publicly available market information on competitors and in information on the FinTech's client base.
Legal and regulatory compliance: Community banks should verify a FinTech's ability to comply with applicable laws and regulations in order to protect their own interests.
Legal: sources of information include charters, articles of incorporation, certificates of good standing and licenses, as well as lawsuits, settlements and remediation undertaken.
Regulatory compliance: sources include policies, procedures, training and internal controls pertaining to compliance with legal and regulatory requirements, proposed contract terms that specify the performance of legal and compliance duties, and proposed marketing materials.
Risk management and controls: to assess the FinTech's ability to conduct the activity in a safe and sound manner, in accordance with the community bank's risk appetite.
Risk management and control processes: to be found in the policies and procedures relating to the FinTech's internal control environment and overall risk management processes. Other sources include training materials and the training schedule, and an inventory of key risk, performance and control indicators.
Information security: to enable the community bank to assess the adequacy and integrity of the FinTech's processes for handling and protecting sensitive information.
Information security program: sources include completed information security control assessments, incident management and response policies, incident reports with the associated post-mortem and remediation activities, and information security policies.
Information systems: sources include information technology policies (e.g. data classification, retention and disposal) and an overview of the FinTech's technology and processes supporting the prospective activity.
Operational resilience: to assess the FinTech's ability to continue operations through a disruption.
Business continuity planning and incident response: potential sources of information include the FinTech's business continuity plans, disaster recovery plans, incident response plan, documented system backup processes, the results of business continuity, disaster recovery and incident response tests, and cybersecurity reports and audits.
Service level agreements: proposed service level agreements and evidence of the FinTech's record in meeting its existing service level agreements.
Reliance on subcontractors: the FinTech's policies on outsourcing and its use of subcontractors, independent reports or certifications regarding those subcontractors, and a list of the third parties the FinTech uses.
In addition to the relevant considerations and potential sources of information for each topic, the Guide includes illustrative examples.
The Guide is not binding.