Weekly Fintech Focus

  • Federal banking agencies issue a guide for community banks on conducting due diligence on fintech companies.
  • The CFPB issues its long-awaited proposed rule on small business credit data.

Federal Banking Agencies Issue Guide for Community Banks on Conducting Due Diligence on Fintech Companies

On August 27, 2021, the federal banking agencies (Federal Reserve, FDIC, and OCC) published “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks” (the Guide). The Guide is intended to serve as a resource for bank management when performing due diligence on prospective relationships with fintech companies. Although the Guide discusses community banks, the content may be useful for banks of any size and for other types of third-party relationships.

The Guide draws from the federal banking agencies’ existing supervisory guidance on third-party risk management, and is consistent with agencies’ July 19 proposal to harmonize their existing agency-specific guidance into a single document applicable to all federally supervised banking organizations.

The Guide highlights six key due diligence topics for relationships with fintechs and discusses relevant considerations, potential sources of information, and illustrative examples. The six key due diligence topics are:

  1. Business experience and qualifications – A bank can consider the fintech’s business experience, such as its operational history, client references and complaints, and any legal or regulatory actions against the fintech company. A fintech’s strategic plans are also important to futureproof the service the fintech provides to the bank. Finally, the experience of the fintech’s officers and directors is relevant to understanding the fintech’s expertise in a given area.
  2. Financial condition – A fintech’s financial condition can be found in its financial statements, annual reports, and public market data. Information about the fintech’s competitive environment could also inform a bank about the fintech’s viability.
  3. Legal and regulatory compliance – A bank can review the fintech’s organizational documents and regulatory filings, as well as conduct a search for legal actions against the fintech company. A fintech’s policies and procedures may also provide insight into the company’s compliance posture.
  4. Risk management and controls – Information about a fintech’s risk management and controls may be found in places like its policies and procedures, its self-assessments, and audit reports. The parties could also outline risk and performance expectations in light of the criticality of the functions provided by the fintech to the bank.
  5. Information security – A bank can review the fintech’s incident management and response policies and assessments and have the fintech complete information security control assessments. Depending on the service provided, different information security processes and protections will need to be in place.
  6. Operational resilience – A bank can evaluate a fintech’s business continuity plans, incident response plans, disaster recovery plans, and related testing to evaluate the fintech company’s resiliency. Banks can also consider where the fintech’s data will reside, either domestically or internationally.

Although the Guide is tailored to fintechs, it does not establish any new fintech-specific expectations or requirements. On the contrary, the Guide reinforces that banks may approach relationships with fintech companies in a similar manner as they would any other third-party relationship.

CFPB Issues Long-Awaited Proposed Rule on Small Business Credit Data

On September 1, 2021, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPRM) designed to help small businesses gain access to credit by increasing transparency in the lending marketplace. Under the Dodd-Frank Act Section 1071, which amended the Equal Credit Opportunity Act, the proposed rule would require financial institutions to collect and report to the CFPB certain data regarding credit applications from women-owned, minority-owned, and small businesses. The CFPB is proposing to define a “small business” as a business with $5 million or less in gross annual revenue for its preceding fiscal year.

According to the press release issued by the CFPB, the goal of this rule is to get a better understanding of the challenges that small businesses experience when trying to access financing and ways in which lending practices can be improved. Based on the information provided in the NPRM summary, if the proposed rule is finalized, it would effectively create the first comprehensive and qualitative database of small business credit applications in the United States with the objective of bringing a greater focus to segments of the small business market that have traditionally faced significant obstacles with regard to securing financing.

The proposed rule would apply to the following “covered financial institutions” that engage in small business lending: (i) depository institutions, (ii) online lenders, (iii) platform lenders, (iv) community development financial institutions, (v) lenders involved in equipment and vehicle financing, (vi) commercial finance companies, (vii) governmental lending entities, and (viii) nonprofit non-depository lenders. Additionally, the CFPB is proposing to define “covered credit transactions” to include loans, lines of credit, credit cards, and merchant cash advances. However, trade credit, public utilities credit, securities credit, and incidental credit are outside the scope of the proposed definition under the proposed rule.

Covered financial institutions would be required to collect and report data from information provided by the small business credit applicant including, but not limited to, credit type (which includes information on the credit product, types of guarantees, and loan term); the credit purpose; the amount applied for; the applicant’s business location; the gross annual revenue for the applicant’s preceding full fiscal year; the number of employees; the length of time the applicant has been in business; and the number of principal owners. Covered financial institutions will also have to collect and report additional information such as whether the applicant is a minority-owned business and/or a women-owned business and the self-reported ethnicity, race, and sex of the applicant’s principal owners.

The CFPB has requested comments on questions covering a number of issues such as (i) how to define a small business for purposes of this data collection; (ii) how best to collect pricing information for transparency into the cost of small business credit; and (iii) how to balance the benefits of public disclosure with the risk to privacy interests. Additionally, the CFPB has launched a new portal designed to encourage small business entrepreneurs to share their stories about applying for credit to help further inform the CFPB’s understand of challenges small businesses face in this area.

It is important to note that the proposed rule does not provide for any size-based exemption for covered financial institutions, which has started to draw objection from community banks due to the regulatory burden that this would impose. This is of particular concern given the impact that the COVID-19 pandemic has had on small businesses and the increased need for small business lending. Smaller financial institutions will be interested in the burden this proposed rule could place on operations related to the rule’s data collection obligations and how that may affect its ability to lend to small businesses. Privacy and protection of personal data that is going to be made public in this database is another issue that the CFPB is aware of and will likely draw concerns from the public during the NPRM comment period. At the same time, many stakeholders are pleased that the CFPB is taking steps to implement this rule and view it as an important effort to help address systemic discrimination of certain small businesses and other unfair lending practices.

If the proposed rule is finalized in its current form, covered financial institutions will have 18 months following the issuance of the final rule to comply. The public comment period is 90 days from publication in the Federal Register, and the CFPB currently does not anticipate a deadline extension.