Client Alert

Federal Banking Regulators Release Guide for Community Banks Conducting Due Diligence on Fintech Companies

07 Sep 2021

On August 27, 2021, the Federal Reserve Board, the FDIC and the OCC (the “Agencies”) jointly released a guide titled “Conducting Due Diligence on Financial Technology Companies—A Guide for Community Banks” (the “Guide”), which is intended to help community banks assess risks when considering relationships with fintech companies. While the Guide is not binding in its own right, it draws upon existing regulatory requirements and supervisory guidance — and, according to the Agencies, is consistent with proposed interagency guidance[1] — and should be viewed by community banks both as a useful source of due diligence best practices and as a preview of potential areas of focus in future regulatory examinations. Fintech companies desiring to provide services to, or to partner with, community banks may find the Guide to be an important roadmap to the information and assurances community banks will expect to receive from fintech companies in discussions regarding future relationships.

While the Guide is specifically addressed to “community banks” — defined as banks with $10 billion or less in consolidated assets supervised by one of the Agencies — the Agencies note that the fundamental concepts of the Guide may be useful for banks of varying sizes and for other types of third-party relationships.

In recent years it has become widely recognized that banks can benefit meaningfully by outsourcing to, or partnering with, fintech companies in any number of operational areas and product types, including digital and mobile payments and deposits, customer interface and experience technology, provision of money management and wealth management tools to customers, expedited credit underwriting and loan origination processes, and data breach and identity protection tools, among many others. While banks of all sizes can benefit from fintech relationships, such relationships can particularly help community banks level the competitive playing field with larger regional and money-center banks, which have substantially greater in-house resources to devote to the rapidly evolving technological demands of the financial services industry. 

Fintech companies, in turn, can benefit greatly from the substantial pre-existing customer bases, market presence and reputation of banks of all sizes. However, the founders and managers of fintech companies often come from entrepreneurial and technical backgrounds and are not necessarily well versed in the pervasive and intensive risk management and supervisory environment in which banks have long operated. It is therefore critical to the long-term success of any bank-fintech relationship that thorough due diligence be conducted at the outset of the relationship to identify and resolve regulatory and risk management issues prior to entering into formal contractual arrangements.

In the Guide, the Agencies recognize the value to banks of fintech companies providing access to new or innovative technologies that can provide banks with enhanced products and services, increased efficiency, and reduced costs, while bolstering competitiveness. Not surprisingly, the Agencies also recognize that, as with all third-party relationships, bank relationships with fintech companies also introduce risks that should be assessed through the bank’s due diligence process.

The Guide covers six areas of due diligence that community banks can consider when exploring relationships with fintech companies:

  • Business experience and qualifications, including the fintech company’s business strategies and plans and the qualifications and experience of its company directors and principals.
  • Financial condition of the fintech company, including analysis of the fintech company’s financial reports, funding sources, and market position.
  • Legal and regulatory compliance of the fintech company.
  • Risk management and controls of the fintech company.
  • Information security, including the fintech company’s information security program and information systems.
  • Operational resilience, including the fintech company’s business continuity planning, incident response plan, and service level agreements.

For each of these six areas, the Guide provides a detailed statement of relevant considerations, a list of potential sources of information, and illustrative examples of how community banks may identify and mitigate risks in that area.

We commend the Guide to participants on both sides of business discussions between banks and fintech companies as a readable and practical roadmap to the issues the regulators will expect to be addressed in future relationships.

[1] On July 19, 2021, the Agencies jointly published for comment proposed interagency guidance for third-party relationships. See “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 86 Fed. Reg. 38,182 (July 19, 2021). The Agencies state that the Guide is also consistent with this proposed interagency guidance.


