Financial technology, or fintech, companies deliver an innovative approach to lending, which is an opportunity investors can capitalize on. However, as demonstrated by recent operational breakdowns in the fintech industry, this is not without a level of credit and operational risk. Operational risk incidents in particular can result in significant losses to the company, the industry, and ultimately to investors.
Risk will always be a core component of financial services businesses, and the pace of innovation will introduce new business opportunities but also increase potential risks. This has not prevented, and should not prevent, smart companies from taking advantage of innovation by understanding and carefully managing the risk profile of the products they provide or invest in. As innovative products continue to expand in market share, financial institutions must consider carefully their investments and partnerships with fintech companies and products. Increasing up-front and ongoing operational due diligence, as well as establishing more requirements to enhance transparency to the control environment, may prove a small cost of doing business for the resulting innovation.
Further, as regulators heighten their focus on fintech companies, the focus on how those firms fund their operations or purchase their assets will also increase. As fintech companies control only a small portion of the financial services industry today, the trajectory points to an ongoing expansion that will continue to attract regulatory review.
Financial institutions must consider carefully their investments and partnerships with fintech companies and products.
Challenges and Opportunities
Market investors and regulators are expressing increasing concerns related to fintech companies’ business models and products. Such increased attention has caused overall investor demand for investment in fintech companies and for loans originated by fintech companies to decrease, which is impacting the financial performance of many fintech lenders. The concerns raised by institutional investors are understandable in the wake of a recent event, where one fintech lender was revealed to have been knowingly selling loans that did not meet specified investment criteria, putting the lender at risk of regulatory non-compliance. Investor concerns typically stem from insecurities caused by their lack of understanding of fintech companies’ control processes and their effectiveness, particularly in such rapidly growing centers of innovation.
Demonstrating effective due diligence and increasing levels of transparency with regard to fintech relationships will be of increasing importance.
In the years since the financial crisis of 2008, traditional financial institutions have significantly enhanced their risk and compliance programs by increasing resources, clarifying roles and responsibilities across the three lines of defense, upgrading their governance frameworks, as well as maintaining higher levels of capital. Operational risk disciplines have clearer coverage and are constantly challenged through ongoing testing. The risk disciplines that exist in the more established financial institutions today are generally less mature in fintech companies. This is driven in part by the nature of fintech operations as well as the less rigorous regulatory structure surrounding this new breed of lenders. As financial institutions choose to engage in relationships with fintech companies, it is increasingly pertinent for fintech firms to establish protocols to gain assurance that controls are in place to effectively mitigate credit and operational risk issues, which will emerge more and more as these companies expand and mature.
With increasing pressure coming from the national regulatory bodies, the importance of demonstrating effective due diligence and increasing levels of transparency with regard to fintech relationships will be of increasing importance.
Our Point of View
“Responsible” Innovation: The risks associated with fintech companies should not prevent financial institutions from partnering with or investing in innovative offerings. However, it is increasingly important to ensure an adequate understanding of the operational risks inherent in these companies as well as the control framework deployed to mitigate risks.
Due Diligence and Transparency: Increasing operational due diligence up front and reinforcing the transparency of process and the control environment throughout the company can help reassure investors of the adequacy of risk management at fintech companies. In turn, the benefits to the financial institution are unique, yet controlled, offerings and investments. Gaining comfort through initial and ongoing due diligence reviews is essential. These should encompass, but not be limited to, the following areas:
- Proper due diligence should be conducted before onboarding fintech vendors into operations and controls established for ongoing monitoring.
- Policies and procedures should be in place for all core and supporting processes.
- Process controls need to be well-documented and testing put in place and operating effectively throughout the credit lifecycle (e.g., loan origination, funding, servicing) and for supporting processes (e.g., fraud risk, change management, cash management).
- Technology platforms must be well-controlled and testing put in place to confirm operational effectiveness (e.g., physical and network security controls, data backup, segregation of duties, user access, disaster recovery).
- Risk management framework and governance processes, including escalation protocols, should be in place and operating effectively.
- Consumer and Bank Secrecy Act/Anti-Money Laundering regulations should be strictly adhered to, monitored and regularly reported on.
- Contractual eligibility requirements for asset sales should be adhered to.
- Data management protocols need to be in place to ensure data is securely and adequately stored, managed and utilized.
Regulatory Landscape: Fintech companies’ ability to manage the risks inherent in their business models is top of mind for regulators. Concurrently, regulators have increased their scrutiny on third-party risk management at financial institutions. As a result, financial institutions engaging in relationships with fintech companies must operate under heightened sensitivity to the ongoing evolution of the industry and changes in the regulatory environment.
How We Help Companies Succeed
Protiviti’s dedicated financial services practice helps financial institutions and fintech companies alike define and enhance their risk and control structures, demonstrating their commitment to strengthening risk management practices and allowing them to continue to innovate and evolve. In light of market reactions to recent financial technology events, the opportunity to demonstrate capabilities and transparency in risk management are critical to establish safety and soundness but not impede speed to market. Protiviti is well-positioned as a leader in risk, compliance, IT, data and internal audit to support fintech and financial services companies through their ongoing innovation.
Fintech companies’ ability to manage the risks inherent in their business models is top of mind for regulators.
Protiviti’s risk and compliance experts, working directly for fintech companies or on behalf of financial institution investors, help ensure process and operational controls, policies and procedures, and securitization processes are in place and operating effectively. Protiviti performs reviews of processes and technologies across the credit lifecycle as well as reviews of governance and oversight frameworks to help instill confidence in investors and allow innovation to prosper.
Protiviti’s regulatory risk practice deploys industry-leading experts in the areas of consumer compliance and anti-money laundering who have helped to build and review consumer compliance programs to comply with national and local regulatory requirements in place today and in consideration of impending changes to regulatory oversight and new regulations.
Protiviti’s IT consulting and data management teams help enhance customer experience by focusing on digital transformation strategy; customer journey, experience and product strategy; and risk management strategy. Protiviti supports companies with business process improvement, advanced data analytics, legacy system modernization, fintech integration, and change management. Additionally, Protiviti is a leader in IT risk management, focusing on system controls, including physical and network security, data security and back-up, segregation of duties, access controls, and disaster recovery as well as end-to-end data management structure and capabilities.