One of the most noticeable recent trends in financial services is the number of collaboration which are taking place between FinTechs and banks. As banks have been transforming to increasingly drive business through digital channels, they have sought to partner with FinTechs to accelerate the pace of change.
There is an interesting dynamic in play while many FinTechs have been set up specifically to sell their services to banks, in other cases these FinTechs are direct competitors to banks, often in discreet niches. However, such is the pressing need for change (in the case of the banks), and for market share and revenue (in the case of the FinTechs) that even in these circumstances more and more collaboration is taking place.
This article considers some of the key issues for a bank to consider around opportunities for collaboration with the FinTech community.
Dealing with Red Lines
One of the challenges for banks in dealing with FinTechs is that an engagement model which is geared up for dealing with major vendors does not easily map across to the more agile FinTech world. Banks have their policies and procedures, driven by both regulatory requirements (more on this below) and internal governance. These cannot simply be swept aside. Nonetheless, if a deal is to be achieved, some accommodation between the two sides is necessary.
Our key recommendation is that banks should carefully explain their “red lines” as early in the process as possible and ensure the FinTechs are able to meet them. This is because what is acceptable and what is not might not otherwise emerge until fairly late on in the process. No matter how innovative a bank wants (or claims) to be, there are no free passes for regulatory requirements. Showstopper gaps in compliance will prevent the deal from closing. These gaps become a particular issue when they require the FinTechs to do something which requires additional time and cannot simply be agreed by contract wording. For example if a FinTech is required to flow down terms to its sub contractor, or to amend aspects of its solution to meet IT security requirements. In practice therefore, it is important for banks to do three things:
- Firstly, to explain its ‘red lines’ at the outset. Otherwise, the “start up” culture that prevails in many FinTech deal teams will encourage the FinTechs to believe that a relatively informal approach will be sufficient. We have heard FinTechs describe the need to meet regulatory requirements as something which will be put on the “Product Backlog”, adopting a term from agile methodology to mean a piece of work which is in the queue and will be got to at some point. This is not likely to be appropriate for something which is a key regulatory requirement for the deal.
- Secondly, banks must get all their policy owners on board early and fully engaged with the deal team. It is necessary to push for those who make the decisions on policies and regulatory compliance to be up to speed on the deal and ideally available for the negotiations to explain the significance of these issues for the bank. Otherwise, it can be too easy for policy owner to insist on a particular interpretation of an internal or regulatory requirement if they do not need to explain it to a contracting party. If the point is important enough to potentially prevent a deal, it will land much more powerfully when explained by the policy owner themselves speaking to their counterpart within the FinTech. While the legal team may well feel they can translate appropriately, in our experience this can often lead to delays which can be avoided by getting subject matter experts from both sides in the room together.
- Lastly, banks should work closely with the FinTech to support them throughout this process, particularly in relation to prioritising activities. For example, FinTechs may be required to update a variety of policies covering areas such as pre employment screening, data protection, information security and anti bribery and corruption. It is important to help the FinTech focus on giving priority to those which require the most technical changes (such as data protection or information security) or those that require engagement with third parties, to ensure that the deal timetable is achieved.
Identifying, classifying and overcoming imperfections
As is common across the start up community, young businesses are faced with vastly more issues than can be dealt with during the steep early growth stages. In all cases, there will undoubtedly be issues that have not been perfected. The bank needs to understand these and, in the light of its own obligations, culture and governance triage them – to know which of these it can ignore, which can be addressed over the course of implementation of the project, and which are serious and give rise to legal or reputational risk. To put this in context we think it is helpful to look at some scenarios. For example, if the FinTech has trained its AI algorithm using a data set without obtaining the necessary permissions (under GDPR if based on personal data, or under copyright/database rights if based on third party intellectual property), then this may fundamentally taint the ability of the bank to use this service without the risk of business interruption or reputational damage further down the line. Similarly, if the software engine that powers the FinTech has been built using third party code or open source software with licences which are incompatible with use over the cloud, this may only be discovered when the product is launched more widely over the banks network. On the other hand, if a FinTech states (as is often the case) that the products have regulatory clearance, while this needs investigating to ensure it is correct, it can likely be resolved either by using the bank’s own regulatory permissions or obtaining these before the product is launched. Therefore it doesn’t necessarily need to hold up or stop the deal. The key point is that it is important for the early stages of due diligence to flush out these issues, put them into the appropriate category, and deal with them accordingly.
There are a number of sources of potential regulatory hurdles for banks looking at FinTech collaboration and outsourcing. We have already mentioned GDPR which will need to be considered from a number of angles. Additionally banks are subject to Senior Management Arrangements, Systems and Controls (SYSC) 8 (Outsourcing) provisions for critical or important operational outsourcings, including the requirement to take steps to avoid undue operational risk when undertaking these activities. This, by its nature, can create significant hurdles through its broad interpretation.
There are other general principles under the FCA regime which need to be borne in mind, including (this list is not comprehensive) Principles for Business (PRIN) 3 (Management and Control – taking reasonable care to control affairs responsibly and effectively with adequate risk management) and SYSC 3 (Systems and Controls – taking reasonable care to establish and maintain appropriate systems and controls). In addition, the specific guidance for outsourcing to the cloud issued by the EBA also applies to both material and non material transactions.
From 30 September 2019, the existing cloud guidelines will be replaced by the new EBA general outsourcing guidelines which deal more holistically with all outsourcings. The good news for collaborations with FinTechs is that the new EBA guidelines reduce the impact for any outsourcing which is seen as not being of a critical or important function, which will apply in many cases to FinTech deals. However, for banks looking to rely on FinTechs for more material functions or core parts of their offering, these guidelines pose challenges, since they are relatively inflexible in many key areas. In particular, the need to flow down all provisions to sub contractors and the need for comprehensive audit rights means that FinTechs who, for example, rely on major cloud vendors such as AWS, Google or Microsoft, are often faced with difficulties in securing the necessary changes to accommodate the needs of the banks.
In light of all of the requirements and potential reporting obligations, banks must also insist on comprehensive service levels, full FinTech cooperation with regulators and for audit and reporting purposes, and a set of business continuity arrangements which safeguard ongoing performance (in the case of critical or important operational outsourcings). All of these areas may be difficult for FinTechs who are smaller or are in rapid growth mode, so they can pose collaboration challenges where preferred partners from a technology and solution perspective may not be capable of rising to this compliance threshold.
Contracts in general
As regards paperwork, Banks need to carefully consider the form of contract they are planning to put in front of the FinTechs. Banks will want to start from their own paper, for reasons of convenience and risk management. However, we are seeing more and more banks realising that their “fullfat” contract suite is likely to be counterproductive if it results in either (a) lengthy negotiations which obviate some of the advantages of moving at pace to stay ahead of the digital transformation curve or (b) the FinTech simply accepting provisions without necessary understanding the implications or having the wherewithal to meet the obligations in question. For example, is it necessary to have six page Change Control schedule dealing with a wide variety of circumstances where an existing product will be modified using a dynamic agile methodology and hosted on public cloud? We would suggest that negotiations should instead be based on a slimmed down version of the contract which highlights and allows focus on the key commercial and legal positions based on a realistic assessment of the points that really matter.
One of the most difficult questions in negotiations with FinTechs is the extent to which this should be handled by an entirely new and separate team within the bank, or whether it can fall within the remit of the existing structure that deals with procurement, commercial, regulatory, legal and policy issues. Our experience is that either can work, but it is important to understand the implications. The separate team is likely to be able to adopt a culture which is more “in tune” with the FinTech and therefore offers benefits in respect of getting the deal done and working effectively in partnership. There is, however, an inherent danger in this set up of ‘confirmation bias’ in decision making and a lack of appreciation (or even concern for) some of the larger regulatory and reputational issues that affect the bank. On the other hand, if an existing team is given control, it may struggle to do this on top of current workload which may be more concerned with “keeping the lights on”. Therefore there is a risk to the speed of execution and it may result in things being handled in a way that doesn’t maximise the potential of the opportunity. In reality, a healthy mixture of the two is likely to bring about the best results.
For more information on collaborations in the financial services sector, please do get in touch with your usual DLA Piper contact or email John McKinlay at John.McKinlay@dlapiper.com
For more on FinTech and the legal and regulatory issues that touch upon it, come along to DLA Piper’s European Tech Summit in London on 15th October. More details here.