Customers in the financial service sector now demand 24/7 access to digital services from their banks. Those demands have only increased as a consequence of the pandemic and its impact on consumer habits. To compete, banks need access to the latest digital
technologies quickly, and commonly find it more efficient and effective to procure technology from third parties than to develop it themselves.
Bank and fintech partnerships are now top of the agenda in bank boardrooms. However, modernising the most heavily regulated and scrutinised industry is no easy feat, and given that businesses and consumers alike are dependent on banking infrastructure, the
stakes are high.
Burdensome procurement processes, cultural differences, and risk-averse attitudes are creating protracted onboarding processes and remain significant barriers to successful collaboration between banks and fintechs at a time when digitisation in financial
services is vital.
The problem of digital transformation in the financial services sector is certainly not a new one, but after two years of accelerated innovation brought on by the pandemic, solutions are emerging aimed at evaluating and endorsing fintechs. These solutions
may eventually overcome the challenges of collaboration between banks and fintechs.
However, as fintechs wait for new initiatives to mature, they must consider what they can do in practice to offer comfort to the banks they seek to work with in the face of an evolving regulated space.
Problems in reaching a deal
While collaboration may be desirable, the process of reaching a deal can be problematic for both sides.
Banks typically adopt a stringent approach to due diligence during the onboarding process and to their contracts with third parties. This is driven by the need for a cautious attitude to risk and entrenched procurement processes born out of regulatory requirements
that govern outsourcings and other supplier arrangements.
Fintechs, unencumbered by regulation and used to risk-taking when innovating, are often surprised by the extent of banks’ requirements. Engaging with banks’ procurement processes can be time-consuming. Fintechs are often, though not always, small operations
that depend on a few senior decision makers – whose time can often be swallowed up over months responding to banks’ invitations to tender, preparing and delivering presentations, responding to enquiries from banks’ internal security and risk teams, and negotiating
Participation in banks’ procurement processes is also expensive. Often fintechs must invest heavily at the outset of a relationship with a bank in order to meet its demands, creating cash flow issues. To lessen these demands, some banks are agreeing to pay
out funds under a short-term agreement prior to engaging in the full onboarding process and making an initial investment into the fintech to boost capital.
Traditionally, when dealing with a third-party supplier, banks want assurance that if something goes wrong, they can recoup their losses, and so there is a focus on the third-party supplier’s financial standing prior to contract. Yet, obtaining such assurances
in respect of fintechs can be challenging.
For example, fintechs often do not have sufficiently healthy balance sheets or enough trading history to complete banks’ financial due diligence. It has become more expensive and difficult for fintechs to obtain professional indemnity insurance and cyber
insurance cover in recent months, which can otherwise help provide comfort to banks in relation to the underlying risks insured against.
Banks may look to obtain parent company guarantees from other third parties they work with, but this option is often not available on the basis that the fintech does not have a parent or its parent is a private equity backer, who are less likely to give
Banks typically want full visibility of where customer data is located and who is holding such data. For banks, scoping out the end-to-end flow of customers’ data is key and will form a critical part of the bank’s due diligence exercise. This requirement
is born out of a “gold standard” approach to regulations, along with understandable concerns in respect of the bank’s reputation if there were to be a data breach. Fintechs may not always have this awareness in respect of their data or have conducted thorough
data mapping exercises prior to engaging with the bank.
Another problematic area when agreeing a deal between fintechs and banks is the contractual measures that banks seek to impose as standard. Typically, bank contractual requirements are aimed at having a high degree of oversight of the supplier, which may
include requiring the fintech to seek the bank’s consent to use or change subcontractors or for the use of open-source software. Step-in rights may also be sought as an additional means of oversight and option for corrective action.
From our experience, these oversight measures are often a source of cultural tension with fintechs, who are used to being dynamic and lean and resist being encumbered by processes.
Banks are increasingly recognising the burdens fintechs face in completing their procurement and supplier assurance processes. Some have committed to the UK fintech pledge, which was developed by Tech Nation’s fintech delivery panel and has UK Treasury support.
The pledge is designed “to set globally leading standards for the establishment of efficient and transparent commercial partnerships between banks and fintech firms.” A number of the top UK banks have signed the pledge, committing, among other things,
to providing “clear guidance to technology firms on how the onboarding process works” as well as to providing clear progress reports during the process.
Additionally, third-party providers are seeking to commercialise the de-risking and fast-tracking of the adoption of technology in financial services. Some providers enable tech suppliers to measure their resilience and sustainability against criteria mapped
to recognised standards, as well as regulatory requirements and guidance, such as the European Banking Authority’s (EBA) guidelines on outsourcing and requirements around operational resilience set by the Prudential Regulation Authority (PRA) and Financial
Conduct Authority (FCA) in the UK.
Some providers offer services to support fintechs in preparing to engage with the procurement processes of large financial institutions. Some specialise in supporting fintechs in testing and bolstering their information and cybersecurity measures, while
others are exploring the potential of a fintech ‘passport’.
Such certification and ‘passporting’ initiatives offer promise to fintech companies seeking a streamlined way in which to demonstrate their standing based on the information available. Nevertheless, without the endorsement of banks, these initiatives may
be of limited benefit to participants.
In theory, the fintech passport would enable fintechs to demonstrate that they meet standardised measures around things like resilience, maturity and ESG requirements that banks would endorse, reducing the need for fintechs to complete the banks’ onerous
diligence and procurement processes. However, while banks have partially engaged in these conversations, they are yet to get behind such an initiative in a meaningful way. In order for a passporting initiative to be successful, it needs to be endorsed by banks,
who ideally should be involved at a grassroots level.
Actions for fintechs now
The fact that new solutions are emerging and that there is growing awareness and appreciation of the barriers fintechs face in completing banks’ onboarding processes is welcome, but fintechs should not wait for a silver bullet to arrive if they want to be
able to win contracts with banks now. There are practical steps fintechs can take to give banks comfort on the risks they are seeking to manage.
On security, fintechs should be looking to the government-backed Cyber Essentials initiative and other certification schemes operated by the industry as a means by which to bolster their cybersecurity measures and demonstrate their compliance with recognised
standards. A robust approach to encryption and the adoption of multi-factor authentication system access controls are among the security measures banks will expect fintechs to have in place.
To be attractive to banks, fintechs should have robust business continuity and disaster recovery measures in place to minimise disruption, and ultimately losses, in the event of an outage or a stressed exit scenario. Fintechs should ensure that those plans
are developed and tested in accordance with the PRA/EBA outsourcing requirements.
On data, fintechs should ensure that they can demonstrate a good understanding of data locations and data flows. Working from home arrangements need to be taken into account.
Fintechs may rely on third parties of their own for handling or storing data, or for other functions of their operations. Banks will require fintechs to be able to show that their contractual arrangements with third parties provide banks with the desired
oversight of sub-contracting arrangements and that their dependence on third parties has been factored into fintechs’ business continuity and disaster recovery plans.
In respect of contractual oversight, given that the banks’ position is sustained by regulation, fintechs do need to accept that banks will have a higher degree of control over their activities and supply chain than the average customer. However, there are
compromises to be made in this space that are within the realms of regulation and banks should be prepared to make these if they want to avoid protracted negotiations.
Many of the expectations of banks are derived from regulation and guidance which they have to comply with when it comes to outsourcing and engaging other third parties, such as the EBA’s and PRA’s outsourcing guidelines or operational resilience requirements
set by the FCA. Fintechs are more likely to be able to provide comfort to banks in this space if the fintechs increase their knowledge of the regulatory landscape.
Our experience to date is that some fintechs are unaware of, or are only vaguely familiar with, these regulatory frameworks. It is therefore important, given that they place an additional burden on contracting in the financial services sector, that fintechs
familiarise themselves with the relevant regulations. The forums and services provided by industry bodies provide one avenue to help fintechs achieve this.