
Anyone who has been paying attention knows about fintech partnerships in banking. The mold-breaking ideas of bright-eyed technology entrepreneurs have provided community banks with innovative ways to reach customers, make loans, gather deposits, provide payments solutions and expand their markets. Recently, regulators have issued new guidance related to both the safety and soundness and compliance implications of such relationships. Fintech partnerships can provide fantastic opportunities, but community banks need to follow the regulatory agencies’ guidance on the steps to take before, during, and after embarking on such a partnership. And it’s not easy.

Due Diligence

Bankers are accustomed to doing business with vendors who are entrenched in the banking industry—vendors who have a due diligence package at the ready (complete with plenty of referrals from other long-standing bank customers) and compliance personnel familiar with the regulatory environment. Fintechs are experts at technology and innovation but are often young companies with limited hands-on banking experience. Therefore, the due diligence process will be different than what the bank may be accustomed to performing on its core processor or mortgage software provider.

Regulatory guidance continues to evolve via both publications and enforcement orders. The banking agencies issued updated Interagency guidance concerning third-party risk management in June 2023 and updated their publication, “Conducting Due Diligence on Financial Technology Companies – A Guide for Community Banks” in October 2023. A critical step for any community bank contemplating a fintech partnership will be to review these updated publications carefully and ensure due diligence includes all applicable items contemplated therein—and keep an eye out for any further changes to guidance or applicable law. And as indicated in the October 2023 publication, each bank should tailor its use of the guidance to its activities and associated risk.

While the list of boxes to check regarding financial health, legal good standing, and licensing matters is similar for fintechs as for other vendors, the compliance analysis can be much deeper. The bank must tailor compliance diligence to the products and/or services a fintech partner will be providing, what data they will access, how much direct interaction with customers they will have, and what laws and regulations are implicated. Next, consider what policies, procedures, and compliance checks the bank has in place for itself and its own personnel regarding these activities. Ask questions and verify answers. For example:

  • If the fintech will provide or facilitate consumer payments, do they have compliance expertise related to Regulation E and the NACHA Rules?
  • Inquire about their knowledge of FDIC insurance advertising regulations, funds availability disclosures, and overdraft protection requirements.
  • UDAP/UDAAP compliance looms over every consumer product and service—be sure to confirm the fintech partner’s understanding of fair and responsible banking.

How about fourth-party risk? Does the fintech utilize third parties or subcontractors, and do they have their own third-party due diligence and oversight mechanisms?

Fintech due diligence is a very dense topic, one we will address in more depth in a future article, but it boils down to a straightforward equation: If the fintech partner cannot or will not match the bank’s internal standards for its own compliance, then the bank cannot and should not be comfortable delegating those activities to the fintech. Said another way, if the fintech would fail a compliance audit or regulatory examination, then so will the bank.

Contract Negotiations

Hand in hand with the due diligence process goes the contract negotiation. Here again, while more traditional bank vendors generally already include bank-specific compliance provisions and obligations in their contracts, fintechs may not be familiar with the contract terms banks require. This includes contract provisions regarding service levels, regulatory compliance, indemnification, audit rights, data security and confidentiality, events of default, etc. The regulators have made clear through various guidance that they expect banks to be proactive and thorough in contract negotiations.

Ongoing Due Diligence and Oversight

Nothing about any vendor relationship can be treated as “set it and forget it” in banking. The bank should consider requiring regular reporting from the fintech partner, reviews by the bank of the fintech partner’s performance and compliance activities (including onsite audits, where appropriate), and response strategies in the event of issues requiring remediation or a pause on the fintech partner’s activities for risk mitigation purposes. Just as with due diligence, this will be different with a new fintech compared to other long-standing bank vendors.

Pay Attention to the Climate

Regulators have been paying very close attention to “banking-as-a-service” relationships recently, and fintech relationships are now drawing heightened scrutiny. Any bank involved with a fintech partner now needs to pay close attention to signals from the regulators, especially updated guidance, public commentary, and enforcement actions. Banks should review enforcement actions involving fintech partnerships for common themes. Keep track of the regulatory feedback on others’ fintech partnerships and make sure those elements are used to update and enhance the bank’s overall approach.


The personnel, expertise, and financial resources needed to roll out a successful fintech partnership are important. Big banks have large teams of third-party risk management personnel dedicated to constantly monitoring these sorts of relationships. Smaller banks often do not have redundancy in expertise and depend on multi-hatted personnel, making employee turnover an even bigger threat.

Don’t bite off more than the bank can chew. Make sure bank personnel have sufficient experience with the type of products and services offered, and plan realistically for sufficient oversight. Utilize the services of outside counsel and compliance consultants where appropriate. And as you navigate these discussions, keep in mind one of the regulators’ favorite phrases: “commensurate with risk.”
