Brandi B. Reynolds, CAMS-Audit, CCI
All banks will soon be fintechs (and there are risks with that).
The very title of this article implies that eventually all banks will morph into being fintechs and that it’s an evolution not defined by “whether” but by “when.” While some banks were launched to be fintechs from the beginning, other banks are evolving in that direction. If you are already in the fintech space, your LinkedIn feed should be sporting a few articles a day about some small community bank that has stepped away from traditional banking to align itself with the new world of fintechs. It may have shed its skin to start banking fintechs; partnered with a fintech to offer customers a nifty product or service; or even spun off an entire fintech division. What’s interesting is that the pace at which small community banks are doing this dwarfs the pace of larger regional banks.
And the pace overall is picking up.
Pundits seem to differ on their predictions about when the traditional bank will go away, and the fintech will rule the day, but the timeframes discussed range from 3 years to perhaps 10. Many writers do not envision today’s traditional bank lasting beyond 10 years. This evolution might be great for the consumers and businesses who’ll benefit from fintechs, but what does this mean to risk managers in the financial services industry? What does it mean to supervision?
Let’s review some risks.
The Risks Lurking in a Fintech Conversion
First, the level of overall risk is increased – all risks change. Change itself brings risk. Change requires new processes and new controls, and the concept of implementing solid controls in this innovative area might not be welcomed. After all, some in management may view controls as innovation-killers. Poorly installed controls can have that effect. Over time, banks-turned-fintechs will realize that those “control things” are the very things that ensure repeatable success. Until that happens, though, risk will be increased.
Second, legal risk is increased. Banks have always had contractual relationships with core providers and other service providers, but the contracts were relatively homogenous. One traditional bank’s core contract wasn’t terribly different from another bank’s, and the core contract from one core provider wasn’t terribly different from another core provider’s contract. The world of fintech is completely different. Not only are the fintech relationships new, but each deal brings different twists, with three, four, even five different entities involved in each deal or product. Banks-turned-fintechs might see their legal staff of one turned into a legal staff of dozens, with several contract review specialists. (They are worth their weight in gold; do not skimp on a good contract attorney.)
Third, cyber risk is increased. Where is the tech in fintech if systems are down due to a cyber event? Not only is the bank-turned-fintech a lightning rod for a cyber event, but it inherits the cyber risks of all of its partners. Banks should have solid cyber staff to begin with, but the number of staff could triple… or more on converting to fintech.
Fourth, speaking of staff…as with any emerging field, risk managers with experience in the fintech area are in short supply. While staffing risk doesn’t show up as a named risk in regulatory literature, It’s easy to envision banks-turned-fintechs getting one or more “Matters Requiring Action” in a report for “management” or “staffing.” Regulators have cited both of these either for the quantity of staff or for the quality of staff. While existing staff can learn the ropes, some experienced staff who have led other institutions through the fintech evolution might be needed for strategy, guidance, and just general operational blocking, and tackling. And it’s hard to find them. Although consultants in this area are valuable, especially in the short run, the bank-turned-fintech has to also watch out for an regulatory citation for “overreliance on consultants.” The bank-turned-fintech needs to have adequate knowledgeable staff for the consultants to work with.
Fifth, and last, regulatory risk increases. Regulatory risk is similar to cyber risk in that banks have faced regulatory risk forever. But it changes in many ways when the bank turns into a fintech. Regulators will expect the risk management system to be in place before the bank ventures into the fintech space, not after.
Breaking Down Risks Within Regulatory Risk
It’s difficult to rank each risk because it differs depending on the type of fintech but it’s not difficult to identify the major component of regulatory risk each new fintech may face. If the fintech is a consumer lending type of fintech, then Consumer Regulatory Compliance – the alphabet soup of lending regulations – is likely to be the highest risk along with Credit risk. For most other payments-related fintechs, the highest risk is likely Anti-Money Laundering and Sanctions risk. But Liquidity risk and Capital risk are still high on the list. Most importantly, however, is that the bank-turned-fintech faces increased Reputation risk from the trickle-down effect discussed above in cyber. To the general public, each of the things done by the fintech partners is a reflection on the bank-turned-fintech.
The Special Case of Supervisory Risk
As promised, let’s review supervisory risk (which differs from regulatory risk for purposes of this article). Just as there is a shortage of talent in the banking industry for professions well-versed in fintech, there is likely to be a shortage of examiners who understand the fintech world. Someone who understands fintech is likely to look for employment first with a fintech and only second with a regulator. Despite that, however, examiners understand risk in general; that understanding is in their DNA. Expect examiners to get back to the basics in reviewing a bank-turned-fintech. Despite how a service is provided, AML, Consumer Regulatory Compliance, and Credit risk remain constants. And examiners surely understand Reputation risk. Although the examiner coming through the door might never have worked for a fintech, that doesn’t mean he or she doesn’t have the ability to examine the bank-turned-fintech. The examiner will figure it out, it just may take a little longer than with a traditional bank. The basics don’t change.
Enjoy the Innovation but Watch the Risks
To summarize, change is going to happen as sure as the sun will rise, and banks will all become fintechs at some point. It’s up to risk managers to stay ahead of the curve, enjoy the innovation, and stick with the basics.
For more information on how CorCom can assist with your compliance needs, please contact firstname.lastname@example.org.