It’s an exciting time to be a fintech company. There is a lot of energy in the market, grand new ideas are quickly going from concepts to game-changers, and it seems like anything is possible. However, a changing landscape looms with the potential of stricter regulation either through direct laws imposed or through the purchase of or partnership with a financial institution. To make sure your company is ready to pursue its desired path forward, it is critical to get the following five control areas nailed down.
Bank Secrecy Act (BSA) / Anti Money Laundering (AML)
Given the products offered by fintech companies, the most pervasive regulation that you need to familiarize yourself with is BSA/AML. It continues to be a top priority for regulators, so getting it right is critical if you want to partner with financial institutions or pursue a charter. All fintechs will need to set-up a monitoring program to identify transactions that could be suspicious and compare senders and/or recipients against the Office of Foreign Asset Control (OFAC) List. The breadth and depth of that program will depend on your company’s operations. In addition to understanding the regulation, it is important that a risk assessment is performed to identify the requirements and level of risk associated with the types of transactions and activities your company is performing. This will be a foundational element to support the establishment and execution of the monitoring program including the associated policy, procedures, and training program.
Compliance Management Program
Although we’ve singled out BSA/AML, it is paramount for the success of your company that you have a clear understanding of the various regulations that directly impact you as well as your engaged third parties. This should encompass all regulations based on both current and planned operations. Having a strong handle on this process will prevent headaches, missed opportunities, and potential monetary penalties. Creating an inventory of those requirements and testing against them will ensure that controls are in place and working effectively. This is an ever-evolving landscape, so it is critical to establish a process to monitor regulatory change and make the necessary changes to operations. Read this Compliance Change Management Process article for a more in-depth discussion of how to establish an effective program.
Monitoring Consumer Complaints
Establishing an effective program to track, respond to, and resolve customer complaints has multiple benefits. Tracking this information helps to monitor customer satisfaction and facilitates trend analysis that can assist management in identifying weaknesses and points of improvement within their product offering, personnel, or third-party relationships. Maintaining this information also strengthens opportunities for relationships with financial institutions that have a regulatory requirement regarding this information.
Establishing Evidence of Financial Controls
No matter what stage your company is at, or its future plans, having clear documentation that financial controls are in place and functioning as intended is important. When you’re just starting out it’s easy to rely on trust and immediate oversight that team members are doing everything they should without a proper trail. As you grow, that will become increasingly difficult. Starting from day one, you should ensure that there is documentation to support that key controls such as sign-offs, review notes, and reperformance checks to substantiate the review process have all been performed. This will set up a foundation of success whether your company finds itself in a position where it needs to issue Statement of Control Reports or goes public and needs to comply with SOX 404 controls. If you think you will be going public soon, this article goes into more detail about key points to consider when implementing SOX 404.
Vendor Management has been an ever-present regulatory priority for the last two decades and its not going away any time soon. Vendor management programs vary in size depending on the number, maturity, reliance, and criticality of the third-party relationship, but at a minimum you should have the following:
- A risk-based process for requiring and obtaining due diligence material from your third parties prior to the beginning of and periodically throughout your relationship.
- Establish contract requirements that outline service obligations and protect your company. A contract review process should also be established to verify that contracts met those requirements.
- For critical vendors, this due diligence material should include support that the third-party is strong enough to maintain operations and protect data, and evidence that critical controls are in place and working as intended. The best way to get information about a company’s control is by obtaining and reviewing SOC reports. Read this article for more information on maximizing SOC reports for effective vendor management.
Setting up effective programs to address these critical areas will help you continue to be successful as a standalone company or pursue future strategic initiatives with ease. As your company grows and operations expand, it is important that enough resources are allocated to these functions to properly maintain them. Establishing appropriate frameworks and risk assessments from the beginning will help you to monitor these demands and analyze staffing/skill levels to ensure your team is equipped to handle these areas or obtain outside assistance if necessary.