Internal audit considerations for fintech partnership risk

A targeted internal audit response can help mitigate risk in bank-fintech partnerships.

Bank-fintech partnerships appeal to financial services organizations that are looking for new ways to create value and increase relevance. However, the bank-fintech business model is complex and includes many risk-management related activities in the areas of strategy, operations, compliance, and finance. As a result, each side of the bank-fintech partnership requires significant monitoring and testing by internal audit.

Why bank-fintech partnerships need a solid internal audit response

Potential strategic considerations and benefits for bank-fintech partnerships include:

New sources of funds and revenue streams
Growing customer bases
New products and services
Interest income
Geographic expansion using digital channels
Investment and acquisition opportunities

Internal audit is responsible for the independent and objective testing of bank-fintech partnerships. Internal audit teams, therefore, must fully understand the risks, evaluate the control environment, and complete risk-based design and operating effectiveness testing to determine if bank-fintech partnerships are functioning in a safe and sound manner.

Let’s address your regulatory risks with a targeted response

When regulatory changes require an updated strategy, Crowe can help.

Explore our services

Risk management of bank-fintech partnerships is critical

The financial services industry has already witnessed an increase in regulatory commentary, guidance, and enforcement actions related to bank-fintech partnerships, including:

The Federal Reserve’s Novel Activities Supervision Program, which enhances the monitoring of technology-driven partnerships with nonbanks.
Interagency guidance on third-party relationships as it relates to risk management
Recent public consent orders
Additional nonpublic regulatory actions

The heightened regulatory scrutiny has touched on a range of risk areas, including:

Bank Secrecy Act compliance and anti-money laundering risk management
Data management, reporting, and governance
Information technology control and risk governance
Consumer protection, including fair lending
Lack of management oversight

Failures within these areas have led to safety and soundness concerns with the increased focus on long-term, sustainable, and profitable bank-fintech partnerships.

Based on these regulatory trends, financial services organizations and their internal audit teams can’t afford to take a wait-and-see approach to act. Moving now could help organizations avoid potentially serious consequences.

For bank-fintech partnerships, compliance is non-negotiable

So, how can organizations respond to the increased regulatory risk associated with fintech partnerships? Exploring the innovations and revenue streams offered by new fintech relationships is a popular option for many banks. Bank-fintech partnerships can be highly profitable, and banking customers are increasingly demanding the flexibility and wide range of services made possible by bank-fintech partnerships.

Some organizations might try to roll the new expectations of the guidance into their existing internal audit and risk management activities. However, the guidance and the resulting regulatory enforcement activity show that the agencies are casting a highly focused spotlight on fintech relationships – which means organizations might want to do so as well.

Targeted guidance requires a targeted internal audit response

Organizations that want to meet the new guidance head on and address compliance risks now should consider building a specific fintech-focused audit into their internal audit plans. The audit plan should include identifying the most significant threats, what could potentially go wrong, and how to mitigate those risks. The overall goal of this audit should be to foster an understanding of the organization’s fintech partners and how those partners address customer management and regulatory compliance.

Activities that internal audit teams can consider as part of a fintech-focused audit might include:

Sampling focused on and limited to fintech partners, transactions, customers, and controls
Evaluation of risk posed by fintech relationships, which might influence frequency and extent of the audits of each relationship
Development of a work program and workpapers specifically focused on fintech relationships and aligned closely to the interagency guidance
In-depth interactions with fintech partners and third parties, including on-site visits
Testing targeted at design and operational effectiveness of fintech companies’ controls
Fourth-party testing of fintechs’ clients and customers
Detailed, thorough testing of fintech partners’ compliance programs

Once the plan for a fintech-specific internal audit is in place, organizations should conduct a staffing assessment and determine whether they have the resources, budget, and subject-matter expertise to execute the plan. Many organizations, especially those with a large, diverse portfolio of fintech clients, might find they need to look outside the organization for help.

A focused internal audit response can help avert regulatory issues and open doors to new relationships

With the right internal audit programs in place, your organization can pursue high-value fintech partnerships knowing that the proper controls exist and the risks are managed. And those opportunities can help you offer new products, services, and benefits for your customers without having to constantly worry about if or when your fintech partnerships could invite not only regulatory consequences but financial harm, damaged brand reputation, and customer loss as well.

Crowe specialists understand and support the business model, jobs to be done, and roles and responsibilities that affect internal audit departments. Our teams have studied the interagency guidance in detail and developed targeted internal audit programs, which, with Crowe support, your organization can implement and customize.

Crowe internal audit and fintech specialists have decades of experience understanding regulatory expectations and creating audit programs that are specific to regulatory guidance. Our teams also have extensive experience working with banking organizations and fintech companies, so whatever your place is in the industry, we can help you meet compliance with confidence. And if you’re already experiencing heightened scrutiny from examiners, our regulatory response team is ready to step in.

Related insights