Pub. 12 2022-2023 Issue 1


Third-Party Relationships: Due Diligence Guidance for Community Financial Institutions Engaging Fintechs

New federal guidance has clarified steps community financial institutions should take when contracting with a financial technology service provider. Banks that rely on fintechs, and those considering new relationships, should take time to understand the expectations.

Today’s community financial institutions see more opportunities than ever to enter into relationships with a new generation of financial technology (fintech) companies, including those offering robotic process automation solutions. Community financial institutions are no strangers to engaging technology companies that assist with various business needs – such as core systems and IT infrastructure – but these next-generation fintech partnership opportunities present new risks because the products and services they offer are new to the marketplace.

Until recently, the regulatory guidance governing third-party risk management expectations for financial institutions has been spread across several different federal agencies. The expectations could vary depending on whether the institution was regulated by the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), or the Federal Deposit Insurance Corporation (FDIC). This year, the agencies released proposed interagency guidance on risk management for financial institutions entering into third-party relationships, followed shortly afterward by a guide for community banks that need to conduct due diligence on fintechs. Community financial institutions need to understand this recent guidance and take action to ensure that their third-party risk management programs properly address the relevant risks in fintech relationships.

A new type of third-party relationship

Partnering with a fintech can be a different risk management experience than partnering with other IT providers. Many community financial institutions have developed third-party risk management processes for their relationships with traditional technology partners. These traditional technology partners have typically provided “standard” IT solutions focused on basic day-to-day “back-office” functions like processing transactions. They usually offer these fundamental services to institutions for less than it would cost each bank to keep the process in-house.

Fintech relationships are often (although not always) customer-facing partnerships. They enable community financial institutions to provide a new product or service, access a new customer base, or enhance efficiencies. Financial institutions can’t necessarily depend on their technology partners to educate them on the process of partnering with a fintech. These companies are nimble organizations that can change dramatically in short spans of time. As fintechs race to get their products to market ahead of their competition or launch a new version with the latest enhancements, compliance with federal banking regulations probably won’t be their top priority. Their culture and business processes may vary greatly from the community financial institutions they partner with and from the traditional technology companies that community financial institutions are used to working with.

New guidance for managing these new relationships

In response to the rise of this new type of relationship between community financial institutions and fintech companies, the federal regulatory agencies that oversee America’s financial institutions issued proposed interagency guidance on managing risk in third-party relationships. Shortly thereafter, that regulatory language was followed by a guide focused specifically on helping community financial institutions understand how to conduct due diligence on fintechs under the new guidance. The guide offers relevant considerations, potential sources of information, and helpful examples on the following six key due diligence topics:

  • Business experience & qualifications
  • Financial condition
  • Legal & regulatory compliance
  • Risk management & controls
  • Information security
  • Operational resilience

This action by regulators should streamline the third-party due diligence expectations for all financial institutions. The guide should help community financial institutions understand how their processes may need to be modified to perform due diligence on their relationships with fintech companies.

Two types of community financial institutions

At this point, there are two types of community financial institutions in the United States: those that have relationships with third-party fintech companies and those that are going to have relationships with third-party fintech companies.

For those with existing contracts, this guidance serves as a wake-up call that the third-party risk management processes used in the past for relationships with traditional technology partners need to be reviewed to make sure that they are properly vetting fintech providers. For those that don’t yet have relationships with fintech companies, the guide highlights six key due diligence areas in which their third-party risk management process should be reviewed and possibly enhanced before entering into agreements with these service providers.

For many community financial institutions waiting for this guidance in order to start considering relationships with fintechs, the availability of these new expectations could be just the push needed to get them into the market. Still, many community financial institutions aren’t well versed in this relatively new guidance and the potential impact it could have on their third-party risk management programs.

Community financial institutions need to read and understand this new joint regulatory guidance. Many will need to update their third-party risk management programs to specifically address fintechs and their risks. Those with fintech relationships in place need to determine how this guidance affects their existing relationships and take additional steps to address any gaps.


As an accounting and consulting firm known for our breadth and depth of technical knowledge and industry expertise, Plante Moran can help your institution with this process, either by performing third-party compliance reviews of potential fintech companies or by reviewing a financial institution’s third-party risk management processes for compliance with the new expectations. If you have any questions about this guidance, please contact Plante Moran.