Conducting Due Diligence On Financial Technology Companies


Conducting Due Diligence on Financial Technology Companies
A Guide for Community Banks

AUGUST 2021

Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency

Introduction

Innovation and evolving customer preferences are changing the financial services landscape, including the way financial products and services are delivered. Some banks are exploring ways in which third-party relationships may assist them in responding to the changing landscape. These relationships are particularly relevant in situations in which community banks may benefit from additional expertise. By providing access to new or innovative technologies, companies specializing in financial technologies (or “fintech”) can provide community banks with many benefits, such as enhanced products and services, increased efficiency, and reduced costs, all bolstering competitiveness. Like other third-party relationships, arrangements with fintech companies can also introduce risks.[1] Assessing the benefits and risks posed by these relationships is key to a community bank’s due diligence process.

This guide is intended to be a resource for community banks when performing due diligence on prospective relationships with fintech companies. Use of this guide is voluntary and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company. While the guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Banks should reference federal banking agencies’ relevant guidance.[2]

Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance. During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The guide focuses on six key due diligence topics, including relevant considerations, potential sources of information, and illustrative examples. There may be other topics, considerations, and sources of information to consider, depending on the unique relationship and the role of the fintech company.

[1] Engaging a third party does not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.

[2] For institutions supervised by the Office of the Comptroller of the Currency (OCC), see OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance (October 30, 2013), bulletin-2013-29.html. For institutions supervised by the Federal Deposit Insurance Corporation (FDIC), see FDIC Financial Institution Letter-44-2008 (June 6, 2008), tters/2008/fil08044.html. For institutions supervised by the Board of Governors of the Federal Reserve System (Board), see SR letter 13-19 “Guidance on Managing Outsourcing Risk” (December 5, 2013), tters/sr1319.htm. On July 19, 2021, the Board, FDIC, and OCC (federal banking agencies) published for comment proposed interagency guidance for third-party relationships. See “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 86 Fed. Reg. 38,182 (July 19, 2021). This guide draws from the federal banking agencies’ existing guidance and is consistent with the proposed interagency guidance.

Topics to Consider When Conducting Due Diligence of a Fintech Company

Business Experience and Qualifications

Evaluating a fintech company’s business experience, strategic goals, and overall qualifications allows a community bank to consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs.

Business Experience

Relevant Considerations

Operational history provides insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Client references and complaints about a fintech company provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients.

Legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

Potential Sources of Information

- Company overview
- Organization charts
- List of client references using the activities being considered
- Volume and types of complaints, including those available from the fintech company, regulatory agencies, and other public sources
- Public records of any legal or regulatory actions and to establish corporate standing, if applicable
- Media reports mentioning the fintech company
- Summary of any past operational failures of the fintech company

Business Strategies and Plans

Relevant Considerations

Discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity.

Inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

Potential Sources of Information

- Mission statement, service philosophy, and quality initiatives
- Geographic footprint information (such as locations of offices and operations)
- Overview of strategic plans and/or expansion strategies
- Patents and licenses
- Summary of key personnel and subcontractors (if utilized)
- Employment policies, including background check and hiring practices
- Fintech company website and social media sites

Qualifications and Backgrounds of Directors and Company Principals

Relevant Considerations

Understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank.

A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

Potential Sources of Information

- Ownership information
- Biographical and professional information on board of directors’ and executive directors’ backgrounds, often available on company websites and in public records
- Resource plans (including succession plans)

Illustrative Example

A fintech company, its directors, or its management may have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank might therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship.

Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Evaluating a fintech company’s financial condition helps a community bank to assess the company’s ability to remain in business and fulfill any obligations created by the relationship.

Financial Analysis and Funding

Relevant Considerations

Financial reports provide useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank.

Understanding funding sources provides useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Potential Sources of Information

- Financial statements and auditors’ opinions, as available
- Annual reports
- U.S. Securities-related filings, often available from the Securities and Exchange Commission
- Internal financial reports and projections
- List of funding sources

Market Information

Relevant Considerations

Information about a fintech company’s competitive environment may provide additional insight on the company’s viability.

Information on a fintech company’s client base provides insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank.

A community bank may consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

Potential Sources of Information

- Publicly available market information on competitors
- Information on client base

Illustrative Example

Some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes.

When audited financial statements are not available, a community bank might seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

Evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

Legal

Relevant Considerations

Organizational documents and business licenses, charters, and registrations provide information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations.

Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations.

Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

Potential Sources of Information

- Charters, articles of incorporation, certificates of good standing, and licenses, such as those recorded with the relevant state
- Other relevant public information, such as records related to patents and intellectual property
- Lawsuits, settlements, remediation, enforcement actions, fines, and consumer complaints
- Form 10-K filing
- Form 10-Q filing

Regulatory Compliance

Relevant Considerations

Reviewing a fintech company’s risk and compliance processes helps a community bank to assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters.

A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment.

Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues.

Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer-service and compliance issues or other consumer protection matters.

Potential Sources of Information

- Policies, procedures, training, and internal controls pertaining to compliance with legal and regulatory requirements
- Proposed contract terms that specify performance of legal and compliance duties
- Information regarding customer-facing delivery channels or applications (for example, mail, online, and telephone)
- Proposed marketing materials and regulatory disclosures with product details such as fees, interest rates, or other terms
- Methods used to monitor, remediate, and respond to customer complaints
- Customer complaint records involving the fintech company

Illustrative Example

Some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates.

To protect its interests, community banks may consider including contract terms requiring

- compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable;
- authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or
- authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms.

Other approaches might include

- instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or
- periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

Evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Risk Management and Control Processes

Relevant Considerations

Reviewing a fintech company’s policies and procedures governing the applicable activity provides insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use this information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures.

Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing.

A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

The findings, conclusions, and any related action plans from recent control reviews and audits provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans.

Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes.

Information on a fintech company’s staffing and expertise, including for risk and compliance, provides a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

Potential Sources of Information

- Policies, procedures, and other documentation related to the prospective activity
- Policies and procedures related to the fintech company’s internal control environment and overall risk management processes
- Information on risk and compliance staffing
- Recent results of control reviews and audit reports related to the prospective activity
- Issue management policies, procedures, and reports
- Schedule of planned control reviews and audits
- Self-assessments
- Training materials and training schedule
- Inventory of key risk, performance, and control indicators
- Sample key risk, performance, and control indicator reports
- Project plans associated with any planned changes to systems or reporting capabilities
- Sample reports to the fintech company’s board of directors

Illustrative Example

A fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank might take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank might consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence.

Other approaches might include

- accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures;
- incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified;
- establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or
- outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements.

Information Security

Evaluating a fintech company’s information security measures allows a community bank to assess the adequacy and integrity of a fintech company’s processes for handling and protecting sensitive information, including community bank customer information, depending on the third-party relationship and activity proposed.

Information Security Program

Relevant Considerations

It is important to understand any security framework that a fintech company employs to manage cybersecurity risk.

A fintech company’s information security control assessments (for example, penetration testing, vulnerability assessments, etc.) highlight the fintech company’s approach to identifying, mitigating, or correcting vulnerabilities in its security posture.

A fintech company’s information security policies can provide insight into the company’s ability to perform the proposed activity in a safe and sound manner and how or whether the fintech company trains and tests employees and subcontractors (for example, phishing or vishing exercises).

Assessing a fintech company’s policies and practices related to privacy and information security is important in understanding the relevant controls in place to support a community bank’s ongoing ability to comply with safeguarding requirements and its privacy and information security requirements.

Understanding a fintech company’s security incident response and notification procedures may assist a community bank in determining any challenges to comply with its own incident response requirements.

Potential Sources of Information

- Completed information security controls assessments
- Incident reports with associated post-mortem and remediation activities
- Incident management and response policies
- Information security policies (for example, access management, data center security, backup management, change management, and anti-malware policies)
- Information security and privacy awareness training requirements for staff
- Policies addressing relevant safeguarding and privacy laws and regulations

Information Systems

Relevant Considerations

Understanding a fintech company’s operations infrastructure and the security measures for managing operational risk may help a community bank evaluate whether those measures are appropriate for the prospective activity.

A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected).

A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

Potential Sources of Information

- Information technology policies (for example, data protection including data classification, retention, and disposal)
- Overview of the fintech company’s technology and processes supporting the prospective activity
- Completed controls or standards assessments

Illustrative Example

Fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure.

Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption.[3] Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Business Continuity Planning and Incident Response

Relevant Considerations

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption.

Evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations.

How a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced) may provide a community bank with additional information on incident preparation.

Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data.

A community bank may consider whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Potential Sources of Information

- Business continuity plans
- Disaster recovery plans
- Incident response plan
- Documented system backup processes
- Business continuity, disaster recovery, and incident response test results
- Cybersecurity reports and audits
- Insurance documents

Service Level Agreements

Relevant Considerations

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime.

A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

Potential Sources of Information

- Proposed service level agreements
- Evidence of status meeting existing service level agreements

[3] Disruptive events could include technology-based failures, human error, cyber incidents, pandemic outbreaks, and natural disasters.

