A New Era of Banking: 12th District Community Banks Are Driving Innovation Through Fintech Partnerships
by Lee J. Kapos, Assistant Vice President, Supervision + Credit, Federal Reserve Bank of San Francisco, and Carla Thomas, Examiner, Regional, Community and Foreign Supervision, Supervision + Credit, Federal Reserve Bank of San Francisco
A new era of banking is upon us. Since the start of the pandemic, innovations in technology combined with a shift in banking habits have motivated community banks1 to increasingly modernize operational capabilities and offer an expanded array of products and services. Since early 2020, many community banks nationwide have increased their online services by 50 percent or more, and many bankers plan to implement new technology such as digital underwriting or online loan applications and closings within the next year (see Figure).2 To keep pace with the ever-evolving financial services landscape, several community banks in the 12th District3 are partnering with nonbank financial technology (fintech) companies to stay competitive and meet the changing needs of their customers.
Figure: Community Banks’ Technological Intentions
Source: 2021 Conference of State Bank Supervisors National Survey of Community Banks, Figure 48, page 42, available at www.communitybanking.org/~/media/files/publication/cb21publication_2021.pdf
What’s Happening in the 12th District
Partnerships with fintech companies can support community banks by streamlining operational and compliance functions while improving risk management efficiencies. Some banks are working with fintechs to build scalable infrastructures to allow for the development of new customer offerings. Other banks focus on developing tools to better analyze data, enabling them to monitor banking activity while providing products and services tailored to their customers’ needs. Regardless of the type of fintech relationship, there’s no one-size-fits-all approach to engaging with a fintech firm. It is largely up to a bank’s board of directors and senior management to carefully develop its operational plans based on the bank’s risk appetite and desired strategic direction.
Many 12th District community banks are engaged with cloud service providers (CSPs) to outsource networking, hardware provisioning, and security functions. Unlike other fintech services, cloud technology is not a financial product that banks provide to customers. Cloud services involve storing data in an offsite location hosted by a third party (such as Amazon Web Services or Google Cloud). Banks use cloud services as a vehicle to deliver products and services to their customers. Community banks typically implement a software-as-a-service (SaaS) model, which provides the bank access to various software applications over the cloud while outsourcing the management and controls of the infrastructure and configuration settings. Community banks looking to expand digital banking services may employ CSP partnerships to provide a more flexible, easy-to-scale solution that allows for a relatively seamless roll-out of upgrades and new products. In certain cases, cloud technology promotes operational resilience and improves small banks’ abilities to respond quickly to outages resulting from operational failures or nefarious attacks, thus enhancing data security and business continuity processes. SaaS models often allow banks to leverage cloud technology across the entire organization, freeing bank resources that can be more effectively focused on core banking activities.
As the number of banks seeking to engage in crypto-asset activities continues to grow, the Federal Reserve Board and other regulatory agencies have indicated plans to provide greater clarity on the permissibility and regulatory expectations surrounding these assets.4 Considering the specialized expertise and technical knowledge necessary to manage and maintain digital assets, some banks are establishing relationships with fintechs to expand crypto-related offerings to customers. Banks are beginning to partner with fintechs to facilitate the trading, clearing, and settlement of cryptocurrency transactions or affiliate with firms that have well-established frameworks for the custody and management of crypto-assets.
Fintech partnerships also benefit banks by supporting risk management functions such as credit underwriting and vendor management functions such as onboarding support and contract management. Compliance risk management services or regulatory technology, better known as regtech, is similarly gaining traction within community banks. Banks are using regtech for Bank Secrecy Act/anti-money laundering transaction monitoring and customer onboarding and due diligence, as well as other compliance areas such as payment card industry compliance, consumer protection, and regulatory change management.
Perhaps the most popular type of fintech partnership trending among community banks in the 12th District (and beyond) is banking-as-a-service (BaaS). In fact, BaaS is predicted to become a $3.6 trillion global industry by 2030.5 BaaS allows community banks to link their licensed banking infrastructure with nonbank products and services offered by fintechs, branded as a regulated banking service. In this type of partnership, the fintech firm is the bank’s customer and can select a suite of skills and “off the shelf” products or services from the bank in a turnkey fashion. Banks provide back-office functions, such as operational and compliance risk management, while the fintech company is the face of the product or service. BaaS relationships enable fintech firms to offer a variety of products and services such as demand and mobile deposits, prepaid accounts and debit cards, digital wallets, funds transfer services, peer-to-peer payments, and lending to small and midsize businesses.
In the 12th District, our supervisory team has observed that fintech partnerships can benefit community banks by potentially growing business opportunities, expanding product offerings, and improving efficiencies. However, there are heightened risk exposures, as highlighted in the recent paper “Community Bank Access to Innovation Through Partnerships.”6 Particularly in community banks, the control environment may need strengthening to ensure risk associated with sophisticated fintech partnerships is appropriately managed. The banks with the most success in implementing sound fintech partnerships have established strong risk management frameworks to mitigate strategic, operational, and compliance risks.
Third-Party Risk Management
While various risk management functions and processes can be outsourced, a bank’s directors and senior management are ultimately responsible for the quality and effectiveness of the bank’s risk management. This means that robust due diligence,7 project management, partner onboarding, and business continuity policies and procedures are essential areas to consider when forming fintech relationships.
Information Security and Cybersecurity
Community banks should maintain effective information security programs commensurate with their operational complexities.8 As a bank shifts toward a digital platform and develops more of a reliance on complex systems and technologies, the risk of error and vulnerability to cyberattacks increases. It is critical for banks to continually assess the risk associated with new and existing products and relationships, especially related to processes for handling and protecting bank customers’ sensitive personal information. Information security services provided by third parties, such as password storage, authentication services, and virtual private network services, are growing in popularity and can mitigate risk associated with remote access and digital banking products. Furthermore, it is important for bank management to provide appropriate oversight of business continuity processes,9 both internally and within partnerships, to manage any disruption to operations.
Model Risk Management
Banks often engage fintech firms to leverage the latest technologies in the development of models used for stress testing, financial forecasting, and advanced data analytic services. Innovations used in models such as artificial intelligence and natural language processing will likely expand the scope of banks’ model risk management programs. Given the dynamic nature of modeling, banks should ensure models used by fintech partners are periodically tested and validated. As part of effective oversight and management practices, banks should maintain a comprehensive inventory of fintechs’ models and understand how partnering fintechs implement their models.
Compliance Risk Management
Of course, examination teams continue to verify whether a bank’s new activities (outsourced or conducted in house) comply with applicable laws and regulations and are consistent with safe and sound banking principles.10 The activities of many fintechs are not covered by statutes and regulations. Nevertheless, banks need to take added vigilance related to consumer protection, data privacy, information security, anti-money laundering, and financial crime when reviewing a fintech partner’s compliance function.
Bridging the Risk Management Gap
Innovative technologies often come with new risks. It is important that banks maintain the level of knowledge and expertise required to effectively oversee and control new risk exposures. Management information systems related to the selection of risk indicators are especially central to ensuring that a bank accurately measures and monitors risks. Perhaps most important, bank management should foster a culture of compliance starting with a tone at the top of the organization. This culture of compliance should continue to emphasize the importance of prudent risk management practices throughout the bank and with fintech partners. Recognizing that there are fundamental cultural and operational contrasts between most fintechs and community banks, a bank should consider how a fintech firm’s business strategy complements its own.
As we move into this new era of banking, risk management remains ever important. If risks are adequately managed and controlled, partnerships between fintechs and community banks can ultimately benefit customers, and the banking system as a whole.
- 1 Community banks are banks with less than $10 billion in total assets.
- 2 See the results of the Conference of State Bank Supervisors 2021 National Survey of Community Banks, presented at the Community Banking in the 21st Century research and policy conference, available at www.communitybanking.org/~/media/files/publication/cb21publication_2021.pdf.
- 3 The states in the 12th District are Alaska, Arizona, California, Hawaii, Idaho, Nevada, Oregon, Utah, and Washington.
- 4 Crypto-asset generally refers “to any digital asset implemented using cryptographic techniques.” See “Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps,” November 23, 2021, available at www.federalreserve.gov/newsevents/pressreleases/files/bcreg20211123a1.pdf.
- 5 See “Banking-as-a-Service. Why It Makes Sense for Banks,” FinExtra blog, April 8, 2021, available at www.finextra.com/blogposting/20132/banking-as-a-service-why-it-makes-sense-for-banks.
- 6 The September 2021 paper is available at www.federalreserve.gov/publications/files/community-bank-access-to-innovation-through-partnerships-202109.pdf.
- 7 See “Conducting Due Diligence on Financial Technology Companies — A Guide for Community Banks,” August 2021, available at www.federalreserve.gov/publications/files/conducting-due-diligence-on-financial-technology-firms-202108.pdf.
- 8 Refer to FFIEC Information Technology Examination Handbook, Information Security, September 2016, available at https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf.
- 9 See FFIEC Information Technology Examination Handbook, Business Continuity Management, November 2019, available at https://ithandbook.ffiec.gov/media/296178/ffiec_itbooklet_businesscontinuitymanagement_v3.pdf.
- 10 Refer to 12 CFR Part 208, Appendix D-1, available at www.ecfr.gov/current/title-12/chapter-II/subchapter-A/part-208/appendix-Appendix%20D-1%20to%20Part%20208.