Bank partnerships are a critical component of the U.S. fintech ecosystem and infrastructure.
The agreements that govern bank-fintech partnerships are nevertheless frequently treated simply as a legal formality—a necessary document to address the bank's control rights and the fintech's compliance responsibilities without regard for how the parties intend to manage their relationship, products, and services on a daily basis.
Too often, this approach results in agreements that are unfit for their purpose or, worse, unwitting sources of risk.
A bank partnership agreement can, and should, be viewed as more than a checklist item for getting to market. When done well, bank-fintech partnership agreements transform into product and relationship charters that establish the parties' core, day-to-day operational, financial, and compliance responsibilities across both the product and relationship lifecycles and set a clear framework for managing changes and disputes throughout the relationship.
Approaching partnership agreements in this way will ensure the parties are creating a long and fulfilling partnership arrangement.
From our experience negotiating these agreements, we have identified what we believe are some key success factors for bank-fintech partnerships.
The advent of "banking-as-a-service," or BaaS, models has further democratized the industry by allowing more fintechs to access the authority of a bank charter through an intermediating technology company without contracting with the bank.
BaaS models coexist with the more traditional bank partnership model in which the fintech contracts directly with the bank, but the greater distance between the bank and ultimate product delivery in the BaaS model can present challenges to these success factors.
Respecting the Regulatory Perimeter
From the outset, bank-fintech partnerships require a clear understanding of "who does what and why."
Banks need fintechs for technology, marketing acumen and customer acquisition, while fintechs need banks to leverage their charters to offer certain products, i.e., deposit taking, or the fastest path to multistate authority, i.e., payments and lending.
It is critical to have the necessary stylistic and technical writing expertise to describe the actual sponsored offering without blurring the so-called regulatory perimeter that delineates where the bank must retain control.
Templates too often obscure the regulatory perimeter. While agreements require bank control and oversight language, they do not have to look like a traditional bank vendor form.
Similarly, agreements will need product and service particulars but should not look like software-as-a-service forms. Control is not a fixed concept and need only be commensurate with the risk and complexity of the relationship.
Managing the regulatory perimeter is not so simple in practice. While fintechs engage banks for services, fintechs are generally regulated as service providers to banks and will need to assign a sufficient amount of control to bank partners to align with bank regulators' expectations.
The rationale for bank control will vary by product, such as "true lender" for credit, money transmitter license risk for payments and the bank's exclusive deposit powers. These activities must be vested in the bank and cannot be outsourced.
The bank is liable for compliance for everything within the regulatory perimeter.
Balancing this fact with the reality that the fintech is often the entity that executes and interacts with customers requires precisely describing the scope of the fintech's legal commitments, creating compliance policies and guidelines, and verifying performance and compliance through audits and reports.
Choosing Your Partner
Choosing the right bank and fintech partner is one of the most important decisions when coming to market.
Banks need to evaluate fintech sponsorship as a portfolio and not view each prospect in isolation; fintechs need to consider not only the commercial and compliance expectations of the bank, but also whether its approach and culture are compatible.
Banks will never move fast enough, from the fintech perspective; fintechs will never move deliberately or transparently enough, if you ask the bank.
Other key factors to consider include the bank's balance sheet capacity, technology platforms and experience with fintech portfolios. Relationship considerations include investing in the right people and resources, determining the appropriateness of those resources, and the ability to foster a cooperative dynamic between the parties.
Bringing together two entities always presents challenges, regardless of the nature of the transaction.
When it comes to bank-fintech partnerships, there are special considerations to address that can improve the chances for a mutually beneficial relationship.
Typically, banks are older institutions with long-standing business processes and are often seen as set in their ways.
Fintechs, on the other hand, are newer organizations with new and flexible processes that allow them to be quick and nimble—one of their key advantages. But the difference here can create operational difficulties when working together and requires patience from both sides.
Banks, as more established institutions, may have more stable but less up-to-date technology that complicates the work of a fintech seeking to integrate with the bank's systems.
Banking regulation favors robustness and stability over innovation, whereas software-as-a-service business models enable the launch of many faster, more nimble technology platforms that leverage application programming interfaces, cloud computing, mobile technology, and quicker processing, ultimately facilitating more attractive approaches to product distribution, customer acquisition, and service.
Additionally, mobile application marketplaces democratize the offering of technology solutions directly to both commercial and consumer customers, bypassing traditional bank sales channels.
Banks and fintechs operate in widely different regulatory environments. Banks are pervasively regulated. Meanwhile, what technology company would accept an entity called a "supervisor" standing over its proverbial shoulder?
Supervision demands the banks expend considerable time and leadership attention on compliance.
A bank's organizational structure is built to assess and manage risk in order to meet the paramount regulatory requirement to operate in a safe and sound manner. The demands of risk management and compliance encourage a vertical, bureaucratic, and disciplined organization.
Fintechs—liberated from such constraints—are organized in a more horizontal and flexible manner. Fintechs tend to have fewer controls on decision making and so are faster at getting products into production.
The planning, due diligence, and contract negotiation processes for the partnership agreement are an excellent test of the compatibility of the bank and fintech along this dimension.
Negotiating bank partnership agreements requires strong governance for technical integration. The cultural differences in approaching technology development between banks and fintechs are among the most acute of all the gaps to be bridged in coming to agreement.
Technology companies, while they may apply the most rigorous technical standards to their development, are less concerned with specific technical paths and more willing to allow multiple pivots in building a platform.
Banks are far more constrained, largely because—while different approaches to solving a technical challenge can be fine from a regulatory perspective—the bank is obliged to apply controls that are appropriate to the design chosen.
Milestones are often overlooked in contracts, but they are critical so that the parties understand what's going to happen, the actual target dates when it's going to happen, and the consequences of missed milestones. Including integration items in the contract or an associated statement of work helps the parties adhere to the desired commercial launch schedule.
Incorporating acceptance criteria—or what it means to achieve a milestone—allows for an objective determination of success. Consequences for failing to achieve technical milestones, up to and including termination, should also be considered.
An excellent and often overlooked element in establishing a strong foundation for the bank-fintech relationship is to define how the relationship is going to look and operate on a periodic basis. Including items such as how frequently to meet and decision-making authority can help keep the relationship on course.
A frequent complaint from both perspectives is the failure of the other party to be responsive as the need for coordination arises, leading to issues not being addressed at initial stages when they might be most amenable to efficient and effective solutions.
How rigid and detailed to be regarding the cadence and content of meetings will depend on the size and complexity of the program.
Product and Servicing Lifecycle
Third-Party Relationship Management
The foundational regulatory guidance for bank-fintech partnerships is of course the guidance governing third-party relationship management. Federal banking agencies are coalescing around a common set of standards regarding their expectations for the banks they supervise.
Such guidance also serves as a useful framework for fintechs when vetting banks—fintechs should consider thinking in the same categories enumerated in the guidance as they evaluate the competence, suitability, and stability of their bank partners.
The ability of each side to apply the guidance flexibly and with a view to the specific facts and risk profile of the proposed partnership is a key indicator of compatibility. Adherence to a strong third-party relationship management program is vital, particularly considering the regulatory scrutiny being applied to BaaS and bank-fintech partnerships.
It is also useful to acknowledge that the third-party relationship management guidance was developed in an environment in which banks had much greater leverage over their service providers.
The latest proposed interagency guidance recognizes that banks may not have the ability to obtain as much diligence or contractual control over their technology partners. Fintechs, particularly larger fintechs, can sometimes view the bank as an unavoidable evil rather than a true partner.
Partnership agreements are also imbued with the tension of distinguishing the service provider from the customer—the law considers the fintech a service provider to the bank, while in reality, the fintech considers that it is engaging the bank for services.
This distinction is less meaningful to regulators, which will extend their supervisory and enforcement authority to all parties involved, especially when they perceive risk to consumers or are evaluating new products and services.
As a result, both banks and fintech partners must actively manage regulatory risk at all stages of the partnership.
Key components for third-party risk management include:
- Risk Assessment: Clearly defining the risk of an activity, measuring it against the existing and potential controls to determine residual risk, and deciding whether it meets the organization's risk tolerance for any given partnership are crucial. This step, often overlooked, helps prioritize issues and enable agreement on the scope of control.
- Due Diligence: Banks and other regulated partners may request extensive information to meet significant compliance obligations. These obligations can extend to all parties involved in the partnership.
- Ongoing Oversight and Risk Management: The parties should consider the willingness and capability of their counterpart to cooperate with testing, auditing, and reporting required to operate within their risk tolerance. Defining escalation and incident response processes is also vital.
- Record-Keeping: Partners must agree on who will maintain the system of record and ensure that it is updated in real time with accurate information.
Product Change Management
The degree of involvement a fintech should expect from its bank partner in product changes depends on several factors.
For bank-provided products, the bank will expect to have control over changes to product fundamentals and will need notice and objection rights over feature changes.
For fintech-provided products, banks may need control rights over end-customer interfaces but may be more open to fintech control of product fundamentals and features.
Finding the right balance between compliance and flexibility is crucial.
Banks should have rights concerning compliance with laws and regulations but not necessarily for other reasons. Fintechs need certainty that the bank's change rights do not present material continuity risk to the business.
Bank partnership agreements form the foundation of U.S. fintech offerings. Navigating the complexities of bank-fintech partnership agreements requires a thorough understanding of the partnership and product lifecycles, along with the various regulatory risks associated with creating such a partnership.
Banks and fintechs must work collaboratively to address these issues to ensure the success of their partnership.
Entering into a bank-fintech partnership agreement is an exercise in bridging cultural divides. The parties must enter the relationship with a willingness and openness to work together and learn the ways of each organization.
Being transparent throughout the negotiation process—and as much as possible—will prove vital.
While undertaking a bank partnership agreement may seem onerous, the reward for banks, fintechs and end users alike is the fastest and most durable path to market in the United States.