Banking Fintech Security

3 focus areas for banks conducting diligence on fintech firms

Written by John Popeo

John Popeo highlights three regulatory focus areas for banks as part of the diligence process in a fintech partnership or acquisition.

2016 marked the beginning of a détente between banks and financial technology (fintech) firms. After years of adversarial jockeying, banks and fintechs have determined they are better allies than rivals.

Banks that once feared fintech would replace them have come to appreciate fintechs as valued partners capable of fast innovation. Fintechs are likewise realising they can leverage banks’ established infrastructures to scale and reduce customer acquisition costs. These complementary strengths have prompted banks to partner with, and acquire, fintech firms.

This article highlights three regulatory focus areas for banks as part of the diligence process in a fintech partnership or acquisition.

Anti-money laundering

Banks considering a fintech partnership or acquisition should evaluate the firm’s compliance with anti-money laundering (AML) laws and regulations. At a minimum, diligence must assess the adequacy of a fintech’s AML compliance programme, including the internal controls it relies on to mitigate money laundering and related financial crimes.

Diligence should target trouble areas based on the breadth and complexity of the fintech’s operations. For example, an online lender originating small business loans faces different AML considerations than a money services business, which is directly subject to AML regulation. In targeting blind spots, banks should proactively identify risks associated with foreseeable misuse of a fintech’s products and services.

The diligence process is also an opportunity for banks to define AML expectations, requirements and responsibilities for fintech firms in a partnership or acquisition. For example, a bank may require a fintech to hire specialised AML personnel, undergo audits and allow regular monitoring by the bank or an independent AML specialist.

Banks and fintechs should use the diligence period to work together to remediate compliance gaps and prevent AML violations. Fintechs can also leverage feedback from the diligence process to calibrate their AML programmes to satisfy regulatory scrutiny and related third party risk management standards.

Cybersecurity

Banks should view cybersecurity as a separate and more involved area of the diligence process.

Unlike at other firms, user data and intangible assets make up a significant portion of a fintech’s enterprise value. Zero-day attacks and cyber breaches may lead to private lawsuits and regulatory enforcement actions. These incidents erode a fintech’s value and damage the reputation of a partner or acquirer. Therefore, banks should conduct extensive cybersecurity diligence to identify vulnerabilities and comprehensively assess a fintech’s internal policies and vendor management systems.

As a baseline, fintechs should maintain a robust cybersecurity infrastructure that requires systems testing, monitoring and incident response plans. These plans must provide for external reporting to authorities, customers and affected third parties. Banks may also consider restricting a fintech’s access to specified parts of the bank’s own technology network.

During diligence, banks may consider retaining independent cybersecurity experts to better understand a fintech’s threat exposure, data management and security practices. Banks should ensure any partnership or acquisition agreement contains appropriate indemnification provisions, and tailored representations and warranties addressing cybersecurity.

Consumer protection laws and regulations

Banks partnering with or acquiring fintechs must diligently assess the fintech’s compliance with consumer protection laws and regulations.

Depending on the scope and type of product or service offered, banks may evaluate an array of consumer protection laws and regulations. These laws are enforced by state attorneys general and the Consumer Financial Protection Bureau (CFPB), and range from fair lending laws to the prohibition of unfair, deceptive and abusive acts or practices (UDAAPs). The CFPB has defined UDAAPs through enforcement activity, and federal banking statutes provide little guidance as to what constitutes an “abusive” act or practice. Therefore, banks should be prepared to make certain adjustments to the value of a partnership or acquisition based on a firm’s compliance with UDAAPs.

A well-designed diligence process focused on consumer compliance can uncover regulatory issues, mitigate risk and assist banks and fintechs in appropriately valuing partnerships and acquisitions. Fintechs should be prepared to discuss with prospective partners or acquirers the details of their internal consumer compliance policies, the regulatory issues they have encountered and how those issues were resolved.

Strategic diligence is a key component of a successful fintech partnership or acquisition. Fintechs maintaining robust AML, cybersecurity and consumer protection practices will have superior bargaining power in negotiations, and be well-positioned for a partnership or exit. When conducting diligence, banks should retain internal and external advisory teams familiar with the regulatory landscape and focus areas above.


About the author

John Popeo

John Popeo is a principal at The Gallatin Group, a consulting firm that advises banks, investment firms, insurance companies, fintech firms and regtech companies on a range of complex transactional and regulatory matters. John spent nearly a decade in various roles at the Federal Reserve Bank of Boston and the Federal Deposit Insurance Corporation, where he played a role in responding to the 2008 global financial crisis, and developing regulations to implement the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.