Banks have long outsourced certain audits, but banking-fintech relationships are new ground. Brandi Reynolds discusses a persistent problem in bank internal audit departments and offers a path forward.
Co-sourcing or outsourcing certain internal audits is nothing new to bank internal audit departments. In the 1980s, IT/MIS (management information systems) functions started growing in sophistication, and all but the largest banks outsourced their IT audits. In the early 2000s, Bank Secrecy Act functions also grew in sophistication and outgrew the capabilities of most bank internal audit departments, and annual independent testing started to be outsourced more and more. The reason is simple: it was difficult for most bank IA departments to find and retain the talent and expertise needed to conduct these audits at the level expected by examiners.
The early 2010s saw an explosion of fintech companies, and the growth trajectory has only increased from there. Now, banks of all sizes are banking fintech companies, and those relationships are anything but homogeneous. So, we have a situation where not only are fintech relationships new to the bank, but no two relationships are alike. Piece of cake for internal audit, right?
Current Shortage of Expertise
It can be difficult for bank IA departments to find the expertise among existing staff to perform an audit of the bank’s fintech line of business at the level the examiners expect. Auditing bank/fintech relationships is so new it’s impossible for an auditor to get an answer to the age-old question “what is the bank auditor down the street doing?” The auditor can’t log onto a posting board and pull down an audit program for auditing a bank/fintech relationship. The auditor can’t go to a conference dedicated to auditing bank/fintech relationships. The bank/fintech partnership industry is so new that there aren’t a lot of people sitting around asking “so, how are we going to audit this?”
It’s All New
Everything – every step on the audit program – is likely new and being crafted by the auditor from scratch. The best way to do this is for the auditor to have a solid understanding of what bank and fintech operations are like, an appreciation of the risks that exist in the bank/fintech relationship and what controls are needed. This knowledge will likely come from individuals who have been in the fintech business for a while and have a solid understanding of how fintech accounts at banks are structured and how fintech funds flow. Finding these people who also have audit skills could be difficult. In other words, it’s a small pool right now.
Co-Source or Outsource
The best approach for banks that are banking fintechs could be to co-source or outsource the audit activities surrounding the fintech line of business. If outsourcing, ensure the vendor has references from other banks that are banking fintechs. Co-sourcing can take two different forms:
- The first is to hire a vendor. The report will be issued under the vendor’s name, but existing IA staff will assist on the audit.
- The second is closer to staff augmentation, whereby one or more subject matter experts from outside the bank work with staff in the IA department to perform the audit, and the report issued is a true internal audit report.
Once the audit approach is chosen, decide whether one comprehensive bank/fintech audit will be performed, covering financial, operational and compliance risks, or whether the financial/operational audit will be separate from the compliance audit. Because of the nuances of the compliance issues in bank/fintech relationships, the people who audit the compliance areas will likely be micro-specialists, distinct from the financial/operational auditors.
Focus on Bank/Fintech Compliance Audits
Most bank/fintech compliance audits will include the entire gamut of “compliance areas” including BSA/AML/OFAC, fraud, consumer regulatory compliance and privacy. The auditor should expect that each bank relationship with a fintech will likely be structured differently. During the planning and scoping phase, the auditor will have to gain an understanding of each bank/fintech relationship and, most importantly, the flow of funds for each. Then the auditor will have to gain an understanding of which party “owns” the compliance functions. This involves interviewing managers at the bank and at the fintech, reading agreements and reading procedures. Once this understanding is gained, the auditor can identify the pertinent regulations and continue scoping the audit. For sample selection, the auditor might select a sample of the bank/fintech relationships to audit if the bank has many fintech relationships, but this could result in gaps. Examiners might be expecting that each bank/fintech relationship is included in the audit. Even if the sample is chosen based upon risk, over time, this could result in certain fintech relationships never being audited. This could be dangerous, as low risk doesn’t mean no risk.
Auditing bank/fintech relationships is a new frontier – so new that there isn’t a body of knowledge developed yet for existing bank IA staff to draw upon. The framework for proceeding in this environment was laid decades ago when banks started outsourcing certain specialty audits, like IT and BSA. Banks should consider following this path for their fintech programs as well.