The Intersection of Financial Institutions and Technology Leaders

How to Beef Up a Fintech’s Compliance Department

By Bryan Yurcan

Financial technology companies that have created what they believe is the next innovative product to disrupt the financial services industry are often eager to partner with banks; it means access to a ready-made customer base and the ability to bring their idea in front of a large group of new users.

Fintechs often excel at creating innovative products and services or slick user interfaces. But one aspect that often gets overlooked is compliance. Fintechs that have robust compliance competencies will be much more appealing partners to banks than those that don’t.

“Any fintech that wants to partner with banks — or any regulated entity — needs to understand it is a completely different environment than what they are used to as first movers,” says Adam Chernichaw, a partner in the technology transactions practice at the law firm Allen & Overy. “Banks are not in the business of breaking things; they want to operate in a safe and sound manner,” he adds.

When advising on potential bank-fintech deals, Chernichaw says he tells fintechs to have at least one person in their organization who can be the liaison to the bank on all things compliance-related. It can be an in-house person or a third-party consultant retained for this purpose. “You need to have somebody [who] can engage with the bank [who] isn’t just a salesperson,” he adds. “You need someone who can speak the [compliance] language and engage with different stakeholders at the bank.”

Fintechs may not be expected to have robust compliance departments right out of the gate, but they should be able to identify where any compliance gaps may exist and present to the bank how they will close them, or even why they should have exceptions to certain policies, says Chernichaw.

“The fintech needs to be the one doing the gap analysis,” Chernichaw says. “Fintechs should look at their own policies and procedures and compare that to the bank’s policies and procedures. Lately, we have started to see fintechs implement some of their own policies and procedures that mirror what they have been asked by banks.”

Indeed, having the proper compliance infrastructure in place can play a big role in determining a fintech’s success, says Andrew Harrison, head of U.S. digital partnerships for the $177 billion BMO Harris Bank, where he is focused on facilitating strategic partnerships for the bank in the U.S. “Be very clear regarding the purpose of your business and goals,” says Harrison. “For example, by defining a specific value-add for your partner, you’re helping teams focus on potential risks and only mitigate what is needed.”

An In-House Champion
While regulators don’t regulate fintechs the way they do banks and credit unions, fintechs should have some policies and guidelines in place that they can follow.

An ideal way to start this process is to hire someone who previously worked in bank compliance to serve as the in-house champion for building out a compliance structure, says Stephanie Karfias, general counsel for Mission Lane, a fintech that provides credit and debit products.

“You need someone responsible for understanding the role of compliance relative to the products and services you are offering and who is responsible for implementing some form of compliance management program,” Karfias says. “Finding someone who has been in the banking industry is not a bad place to start.”

Doing this will help potential bank partners better identify exactly what they will need in terms of compliance from the fintech, notes BMO’s Harrison. “Once you’re specific about the scope, it’s much easier for any potential partner to define what they’ll require in terms of compliance,” he adds.

Mission Lane’s Karfias adds that fintechs shouldn’t do everything at once when it comes to compliance, but start small and build from there. “There needs to be a process to monitor,” she notes. “It doesn’t have to be pie-in-the-sky; you just need to have some form of monitoring and set guidelines on the culture of compliance.”

Just starting small and having some policies in place will give fintechs a leg up, agrees Sheetal Parikh, vice president of compliance for Treasury Prime, an embedded banking software platform that connects fintechs and banks. “You don’t need a document that is 80 pages long, just something that reflects what your compliance practices are,” she adds. “Banks want to see that you have risk management policies in place; that there is a plan for disaster recovery, business continuity, what to do in the event of a cyberattack.”

Of course, fintechs need to have a compliance structure in place that reflects their specific product or service. Consumer-facing fintechs will have to comply with different regulations than those providing back-office functionality, Parikh says.

Those that handle consumer data will have to comply with data privacy laws, she notes, and those that directly onboard new customers will have to have the proper Know Your Customer and fraud monitoring tools in place.

“Even if you don’t have a staff of five people focused on compliance, which is OK,” says Parikh, “fintechs should at least designate somebody on their team to be the liaison between the bank and the fintech, someone to be the face of the company that the bank deals with. The bank wants to know that if there is an urgent request or some emergency, there is a specific person they can call.”

Compliance in a World of Embedded Finance
Compliance becomes even more complicated in the world of embedded finance, where nonbank companies such as retailers, tech firms or even social media platforms are offering financial services.

“Now we are starting to see fintechs enter into partnerships with these nonfinancial services companies, but there is also a financial institution in the mix somewhere if money is exchanging hands,” says Chernichaw, of Allen & Overy. “Often in these cases the bank may not even be involved as contracts are being drawn up, but there are still bank regulations that come into play.” In such partnerships, Chernichaw advises all parties, including the bank powering money movement on the back end, “to look at the contract and understand everyone’s responsibilities.”

Ultimately, there is no one-size-fits-all approach for fintechs, says BMO’s Harrison. However, there are some best practices from a technology perspective they can follow. Fintechs can provide to their banks a report known as system and organization controls, or SOC, which is generated by audit firms. They can describe where their data resides and who has access to it, as well as how they maintain control and security over the data.

“From a technology viewpoint, it is also important to ensure you understand any artificial intelligence and machine learning models, as well as how those models can be validated by your banking partners, and potentially, various regulatory bodies,” Harrison adds.

Ultimately, fintechs that have robust compliance in place will be better-run businesses, regardless of whether they partner with banks or not, says Parikh. “Having a good compliance structure in place corresponds to having better business practices as well,” she says. “There’s a synergy between growing the bottom line and compliance.”