Over the past few years, the Risk Forum has coordinated with other areas of the Atlanta Fed, including the Supervision, Regulation, and Credit Division, to support one of the Bank's high-priority initiatives: promoting safer payments innovation. A major component of our work is reaching out to and working with community banks, financial technology firms, or fintechs, and industry stakeholders.
We continue to hear that community banks face challenges in finding the right service partners and knowing how to navigate the regulatory environment as they develop new financial innovations. At the same time, fintechs are ready for partnerships but not always certain how to work within the regulations nor how to work with multiple regulators, each with its own approach. That's why we were excited to hear about two publications recently released by regulators that will help support these partnerships between community banks and fintechs.
The first publication, Community Bank Access to Innovation through Partnerships
, provides some highlights of fintech partnerships, including the benefits and risks. It describes two conditions for banks to focus on: first, establish trust and alignment with fintech partners, and second, build a long-term culture committed to innovation.
The second guide, Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks 
, was cowritten by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. This guide, not required by the regulatory agencies, can be helpful for community banks looking to partner with a fintech company. (This is not to be confused with the proposed joint agency guidance on third-party risk management that Doug King wrote about in August.)
Since fintech companies vary significantly in operations and maturity, this guide stresses that banks should take a risk-based approach. The level of due diligence a bank does when considering working with a fintech company should be commensurate with the nature and criticality of the activities the fintech will perform for the bank. The areas for the banks to use in their evaluation are discussed in a consistent layout of "considerations, sources, and examples." The guide suggests some nontraditional data sources, which can be very helpful, within the six recommended areas of due diligence, which are as follows:
- Business experience and qualifications: Determine if the mission and strategic plan line up with the bank's values, review the board of directors, check on outstanding consumer complaints, and business failures.
- Financial conditions: If audited financial statements are not available, consider the fintech's access to funding, earnings, net cash flow, and client base.
- Legal and regulatory: Ensure compliance with all applicable laws and regulation, including consumer protection laws; review charter and license information: periodically review contracts for compliance with the agreed-upon terms; check pending lawsuits.
- Risk management and controls: Review processes and risk management policies, such as key risk and performance indicators. Employing an audit function may help with assessment. Consider onsite evaluations to observe the operations-and-controls environment.
- Information security: Review technology policies and assessments, review procedures for deploying and patching hardware or software. Consider risks and controls over consumer data.
- Operational resilience: Review business continuity plans and third parties the company relies on for recovery operations. Know where the major data centers reside. Check the availability of other service providers for contingency planning.
Both publications contain fundamental concepts for an institution of any size or even for those fintechs vying for a bank partnership.
By 
Lali Shaffer, a senior financial specialist in the Supervision, Regulation and Credit Division and
Jessica Washington, AAP, a payments risk expert in the Retail Payments Risk Forum, both of the Atlanta Fed