Solving the Fintech Vendor Due Diligence Conundrum

Banks are ultimately responsible for all of the services that they provide, even when they contract with third parties to help them deliver those services. More banks, and smaller ones, are partnering with outside providers, and more and smaller third parties are being formed to meet increasingly specific bank needs. While there’s even a section in the U.S. Federal Financial Institutions Examination Council’s (“FFIEC”) IT Examination Handbook detailing what sorts of due diligence a bank should conduct on its third party service provider, there’s still room for interpretation when deciding how less experienced banks should deal with those responsibilities.

The answer isn’t straightforward. All banks are challenged when contemplating a relationship with a small fintech because of the first three items on the FFIEC checklist: Existence and corporate history; Qualifications, backgrounds, and reputations of company principals…; and Other companies using similar services from the provider…. Small, new companies will find it more difficult than established firms to pass muster; many banks simply won’t want to take the risk of dealing with them. And many smaller banks simply won’t have the resources or expertise to properly vet these new entrants.

At the same time, many larger service providers to banks (including software vendors, outsourcing providers, and consulting shops) are searching for ways to bring innovation to their banking clients.

In recent conversations with clients I’ve been struck by an increasingly popular solution: a larger, more established firm bringing a fledgling company under its wing. The incumbent does the due diligence, offers advice, and, when satisfied, vouches for the fintech. It may license the software, or engage the fintech as a subcontractor; in any case, it’s assuming responsibility for the work of the smaller and newer firm.


Executed properly, it’s a three-way win: the bank accesses a new and innovative solution; the incumbent service provider is able to add new value to the relationship; and the fintech is able to begin a relationship from which it would otherwise have been shut out. All participants in the banking ecosystem should consider whether this solution can help their particular situation.

Mobile banking adoption growth is slower than you think

In March of this year the Federal Reserve released the newest iteration of its consumer survey report on mobile banking, Consumers and Mobile Financial Services 2016. One fact that sticks out is how slow mobile banking adoption has been over the last few years. While 53% of smartphone users have used mobile banking in the last 12 months (nowhere near “active”), that number has only grown 3 points since 2012, a CAGR of just 1.9%! This is hardly the unrelentingly rapid pace of change espoused by many who thought evolving customer behavior would overwhelm traditional banks’ ability to adapt.

Obviously there’s a disconnect between the hype surrounding mobile banking and the reality of how consumers are actually interacting with financial institutions. But why then have forecasted rates of adoption not been realized? There are a few possibilities.

  1. Mobile banking is reaching peak adoption: In the consumer survey by the Fed, 86% of respondents who didn’t use mobile banking said that their banking needs were being met without it, and 73% said they saw no reason to use it. While the idea that mobile banking adoption would peak at around 50% doesn’t intuitively make sense for those in the industry, it’s obvious that many consumers are perfectly fine interacting with their bank solely through online banking, ATMs, or branches; they may never become mobile users.
  2. Mobile banking apps need improvement: It’s likely that many mobile banking apps still aren’t mature enough to ease some of the UX friction and convince a large portion of consumers that they provide sufficient value. In the same Fed survey, 39% said the mobile screen is too small to bank on, while 20% said apps were too difficult to use. With three-fourths of non-using respondents (mentioned in the previous bullet) finding no reason to use mobile banking, apps may need to improve functionality and usability to attract end users. The correlation between features offered and mobile consumer adoption is also well established. Mobile banking apps may have reached an adoption peak relative to their maturity, and institutions will likely see adoption grow as apps advance and as demographics increase usage.
  3. Channel use is a lot stickier than perceived: Consumers are still consistently using the branch. The two figures below illustrate what’s happening. The first graph comes from the Federal Reserve report on mobile banking usage, while the second is taken from the Celent branch channel panel survey of more than 30 different midsize to large banks. On average, 84% of consumers surveyed by the Fed report using a branch, while respondents to Celent’s survey see 83% of DDA/savings accounts and 79% of non-mortgage lending products originated from the branch channel. Mobile has only a 2% share of total sales. While many institutions find it difficult to attribute sales across multiple channels and have a well-known historical bias towards branch banking, these stats don’t support the notion that consumers are migrating away from the branch and towards mobile banking. We’re aware these numbers don’t take into account transaction migration, and the sales mix will likely shift as more banks launch mobile origination solutions, but regardless, it’s obvious the branch is still the most used channel by far.

[Figures: Federal Reserve chart of channel usage by consumers; Celent branch channel panel survey chart of sales by channel]

Mobile banking isn’t taking over the financial lives of consumers as much as institutions and many analysts predicted it would, and at least for now is settling into a position alongside other interaction points. Consumers are clearly opting to use channels interchangeably, and it’s not obvious that mobile will have any predominance in the next few years. As a result, banks need to move away from arbitrary goals surrounding channel migration and instead let the consumer decide what works best for them. This certainly doesn’t imply that institutions should stop developing mobile—there are clearly lots of areas for improvement—but it’s important not to get swept up in the hype surrounding emerging channels.

Remember, more than 60% of FI customers aren’t enrolled in mobile banking, and it accounts for only 2% of sales. Focusing so intently on capturing such a large share of mobile-first or mobile-only consumers risks misaligning bank resources towards projects that don’t offer the maximum value. Banks shouldn’t be rushing into things—they’ve got time to do this right and in an integrated way.

Financial institutions need a mobile strategy for younger consumers who will most certainly prefer mobile, but older consumers aren’t going anywhere anytime soon. Mobile, at least for now, isn’t the end-state. Mobile-only banks aren’t going to take over the world anytime soon, and institutions should be considering the broader proposition of digital in the organization. This means a solid digital strategy across all channels, and a focus on driving the experience, not pure adoption.

Brexit. Eventually. Possibly.

What did Britain say to its trade partners?

See EU later.

It’s been a funny week or two to say the least, so it seemed apposite to start with a joke (and we’re not talking about the England vs Iceland result! – the Icelandic commentator is worth a 30-second listen.)

The UK woke up to find that it was leaving Europe. Given the legendary British reserve, stiff upper lip, etc., it is quite incredible just how divided the country has become, and how everyone has an opinion. As a result, there has been a lot said before, during and after the campaign that needs to be sifted very carefully. This is a genuine attempt at a factual look at quite what this means as many of the facts are very definitely not facts.

What's actually going to happen? Frankly, the short answer is nobody actually knows. No country has ever left before. Greenland did, but it is much smaller and was leaving for other reasons, and it did not invoke Article 50 (more of which in a second), which has never been used. Whilst there are some legal guidelines and processes, given that the European Union is an economic union governed by politicians, it’s fair to say that the process will be very political in nature, particularly as Article 50 is not very precise.

The first step is for the UK to activate Article 50, which formally starts the process. The UK has two years from informing the European Parliament that it intends to leave to actually signing Article 50. Given other European elections, and despite some public calls from Europe to get on with it, some believe that it is likely to be later rather than sooner.

Until Article 50 is signed, the UK is still in Europe, and everything continues as it does today. What is less clear is what happens once Article 50 is signed, and how long the process will take. A UK Government analyst suggests 5 years, yet others say at least a decade.

Nor is it yet clear what the UK will choose to negotiate on. For example, it may choose, voluntarily, to adopt regulation such as PSD2. We (or, to be clear, Gareth) believe that the UK will push ahead with PSD2, as many of the rules are either in place in the UK already or reflect the way the Government is thinking; e.g. the Open Data Initiative is arguably far wider reaching than the Access to Accounts element of PSD2.

It’s not clear quite what is or isn’t the European Union necessarily. For example, passporting, the rule that allows financial services firms to be licensed in one country and operate in another, is actually (according to the Bank of England website at least; other reputable sites disagree even on this!) a European Economic Area (EEA) initiative, and even countries outside the EEA, such as Switzerland, have negotiated deals. This is particularly key for card acquirers, many of whom use their UK licence to negate the need for local ones across Europe.

So, as the saying goes, the devil will be in the detail. And that’s going to take time to unravel, and to negotiate even on the things that need negotiating.

Over the coming months, banks will need to scenario plan on multiple dimensions. They will need to identify the key regulations that impact their business, how those areas might be regulated in future, and how long it would take the bank to respond. Yet many, if not most, banks will have done some of this risk profiling before the vote took place.

Until there is clarity, the reality is that the political fall-out is going to have the most impact in the short term, itself creating a degree of additional economic turmoil.

Large FIs spent $25M rolling out failed risk management frameworks during the 2000’s. So why try again?

Large financial institutions spent in excess of $25 million on rolling out failed enterprise risk management frameworks during the 2000’s. So why try again? Well, for many obvious reasons, the most notable of which has been the large-scale failure of institutions to manage their risks and the well-editorialized consequences of those failures. The scale of fines for misconduct across financial services is staggering, and the damage to the banking industry’s reputation will be long-lasting.

[Figure: Major Control Failures in Financial Services. Source: publicly available data]

Regulators and supervisors are determined to stop and reverse these risk failures, specifically the poor behavior of many bankers. Regulators are demanding that the Board and executive management take full accountability for securing their institutions, and there is no room for failure. This is the only way that risks can be understood and, hence, managed across the enterprise.

There is no denying that risk management frameworks are hard to implement, but Celent believes the timing is right for the industry not only to secure their institutions and businesses but to innovate more safely and, slowly, win back the trust of their customers. My recently published report, Governing Risk: A Top-Down Approach to Achieving Integrated Risk Management, offers a risk management taxonomy and governance framework that enables a financial institution to address the myriad risks it faces in a prioritized, structured and holistic way. It shows how strong governance by the Board is the foundation for a framework that delivers cohesive guidance, policies, procedures, and control functions that align your firm’s risk appetite to returns and capital allocation decisions.

Proposed new cyber security regulations will be a huge undertaking for financial institutions

The New York State Department of Financial Services (NYDFS) is one step closer to releasing cyber security regulations, aided by the largest security hacking breach in history, the attack against JP Morgan Chase. The attack on JP Morgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call “pump and dump” manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries.

On the same day as the arrests, the NYDFS sent a letter to other state and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandated security training will be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars. It will be very difficult to police third party security because, under the proposal, vendors will be required to provide warranties to the institution that security is in place. The requirements are in the review stage, and financial institutions should join in the debate by responding to the NYDFS letter.

Increasing headwinds in corporate banking?

This week I’m in Singapore, which provides a beautiful backdrop for Sibos 2015, the annual conference that brings together thousands of business leaders, decision makers and topic experts from a range of financial institutions, market infrastructures, multinational corporations and technology partners.

This year’s conference theme is “connect, debate and collaborate”, and it takes place at a time of increasing headwinds from a slowing global economy, higher compliance costs, increasingly global corporates, and competition from banks and nonbanks alike. I spent the past few months taking a deep dive into corporate banking performance over the past 10 years–a period of both tremendous growth and unprecedented upheaval. As expected, corporate banking operating income and customer deposit balances have experienced healthy growth rates over the past 10 years. But surprisingly, despite increases in customer deposits, corporate banking income was largely stagnant over the past few years.

Corporate Banking Income and Deposits

Corporate banking plays a dominant role for the largest global banks. In 2014, corporate banking was responsible for 33% of overall operating income and 38% of customer deposits across the 20 banks included in this analysis.

As outlined in the new Celent report, Corporate Banking: Driving Growth in the Face of Increasing Headwinds, this critical banking sector is shaped by four external forces: economic conditions, the regulatory environment, business demographics, and financial technology. These same factors are slowing corporate banking growth and creating an environment in which banks are overhauling client offerings in the face of regulatory pressure, re-evaluating geographic footprints in response to shifting trade flows, and investing in technologies to ensure a consistent, integrated customer experience.

Much of the discussion at Sibos is on exploring transformation in the face of disruption. As they look to an unsettled future, corporate banks that are flexible, adaptable, and creative will be the ones that succeed. Changing time-tested ways of doing business is painful, but critical for future success.

The importance of customer experience in financial services

Service Design. Journey Maps. Customer Stories. Mood Boards. Experience Recovery. These are a handful of the topics discussed at this week’s Customer Experience for Financial Services (CXFS) Conference, organized by Worldwide Business Research in Charlotte, NC. As an analyst currently immersed in research on corporate banking financial performance, regulatory environment, economic conditions, business demographics, and financial technology, the CXFS event was a welcome change of scenery.

[Figure: Journey Mapping]

The CXFS conference was all about the “voice of the customer” (VoC) and how financial institutions (FIs) can improve their customer “listening” skills. One of the sessions mentioned that FIs are listening to anywhere from four to ten channels, including web site, call center, e-mail, Internet, customer surveys and social media. But as one presenter stated, having more VoC channels doesn’t automatically result in a better customer experience. For example, in recent years many global banks fully integrated their major lines of business, with product, operations and technology grouped under one segment leader. These integrated groups have created silos, which create a highly verticalized client experience (CX) and prevent consistency across a firm. Event attendees were encouraged to “climb over the silos and create a collective story to make things change”.

Customer experience strategy and technology have come a long way since I was involved in online banking user interface design in the early 2000s. Technology providers at the event are enabling banks to digitize and tag unstructured data such as call center recordings, agent notes, e-mails, and social media posts. This enables firms to mine and analyze the data to inform customer-centric innovation. Other firms specialized in market research, including voice of the customer and voice of the employee surveys. Customer experience consultants are helping firms to understand how customers are thinking, feeling, seeing, saying, doing and hearing so that people, processes, products and technology can be improved.

The event featured discussions on how to build CX into people, processes and products by creating centralized information stores, centers of excellence, customer councils, and shared KPIs. Most of the FIs at CXFS were early in their customer experience journey and still working out a comprehensive solution.
My favorite quote of the event was advice from Ingrid Lindberg, CXO of “Have the patience of a saint, the heart of a lion, and the tenacity of a street fighter because it is one giant game of Whack-a-Mole.”

On the cusp: regional integration in Asia

It’s 2015, the mid-point of the decade and a good time to start looking at major trends in Asian financial services over the next five to ten years. One of the major themes will be regional integration, which is another way of saying the development of cross-border markets. There are at least two important threads here: the ongoing internationalization of China’s currency, and the development of the ASEAN Economic Community (AEC) in Southeast Asia.

RMB internationalization is really about the loosening of China’s capital controls and its full-fledged integration into the world economy. And everyone seems to want a piece of this action, including near neighbors such as Singapore, who are vying with Hong Kong to be the world’s financial gateway to China. The AEC is well on its way to becoming a reality in 2015, with far-reaching trade agreements designed to facilitate cross-border expansion of dozens of services industries, including financial sectors. While the AEC is not grabbing global headlines the way China does, we see increasing interest in Southeast Asia among our FSI and technology vendor clients.

From Celent’s point of view, both trends will open significant opportunities across financial services. In banking, common payments platforms and cross-border clearing. In capital markets, cross-border trading platforms for listed and even OTC products. In insurance, the continued development of regional markets. Financial institutions will be challenged to create new business models and technology strategies to extract the opportunities offered by regional integration. It’s the mid-point of the decade, and the beginning of something very big.

AFP 2014

I just arrived home from Washington, D.C., where the Association For Financial Professionals – a leading society for treasury and finance professionals in the US – held its annual conference. It was interesting that the AFP decided to hold its conference in Washington – the first time it has been held in AFP’s hometown – during the run-up to the 2014 mid-term elections, and it was clear that the town was abuzz with activity as Election Day came near.

I’ve been to many AFP conferences during my days at Metavante, but had taken a few years off, and so I was interested in how AFP was doing as the economy continues its 5-year crawl out of recession. Was I surprised! I was amazed and encouraged by how strongly the conference has bounced back since the dark days of the late 2000s, and the vibe reminded me of the recent SIBOS 2014 in Boston, where bankers and tech vendors competed for the attention of … well, bankers.

Perhaps reflecting the post-recession environment in which US corporates operate, I noticed little talk of traditional cash management topics like optimized sweeps or new investment vehicles. Rather, most of the buzz seemed to be around risk management, Big Data, and treasury dashboards. It was clear that treasurers are moving to embrace technology to automate routine operational tasks, provide analytics-driven insights that are hard to capture using Excel spreadsheets, and help treasurers see through the fog of data to prioritize their work.

Should Excel spreadsheets be getting nervous? It’s too early to tell, as they are still the dominant tool in use in treasury departments. However, as treasury technology vendors continue to migrate their offerings from high-priced licensed solutions to flexibly-deployed SaaS offerings, many companies will find it harder and harder to justify holding off on treasury automation.
We’ll continue to study the situation and will hope to bring back some interesting examples and use cases of companies making the leap into full-scale treasury automation.

When $250 Million Can’t Buy Cyber-Peace

Last week’s newspapers brought the unsettling news that JP Morgan Chase’s internal CRM systems were penetrated by unknown attackers, compromising the personal information of 76 million households and 7 million small businesses. The Bank had released a statement to its clients on Thursday noting that “there is no evidence” that account numbers, ATM PINs, or social security numbers were accessed during the cyber attack. Today, news reports indicate that four other large financial services companies, including Citibank and E*Trade, were targeted by the same group, thought to be based in Eastern Europe or the Middle East. In the case of JP Morgan Chase, the investigation has been focused on the personal computer of a single employee whose system may have been compromised by malware.

The incident continues to be investigated by the FBI, Secret Service, and JP Morgan’s own private vendors, so there’s no need to speculate on who is responsible or what other information may have been compromised in the attack. Still, I hesitate to note that the Bank’s soft “no evidence” qualifier gives it plenty of wiggle room should the investigation uncover additional data leakages.

The point here is that, like the two other large data breaches of 2014 — Target and Home Depot — the JP Morgan Chase breach occurred in its private data center, the kind that is built at significant cost to resist these sorts of attacks – or at least to detect and repel them when they do occur. JP Morgan’s annual report shares that the bank spends more than $250 million annually on cybersecurity, and will have 1,000 employees focused on the task by the end of this year. Most banks do not have the size or management scale to match JP Morgan Chase’s annual investment, but if even $250 million can’t buy cyber-peace, what chance do average-sized banks have of protecting themselves from the next malware du jour?

I contrast this situation with the growing use of cloud services in the financial services industry. While other industries have been quick to embrace the cost, capability, and flexibility of cloud services, the banking industry lags behind — largely based on valid concerns about information security and control. JP Morgan Chase’s announcement serves as a wake-up call to banks of every size, informing them that where sensitive client data is concerned, private data centers and public cloud providers are partners in the ongoing fight for data security. The next bubble to burst will be the long-held presumption that maintaining customer data in a private data center is inherently safer than storing it in a public cloud. To a cyber-attacker, an IP address is an IP address. Whether sensitive customer data is located on a physical server on the bank’s premises or a virtual server located in a public cloud is mostly irrelevant. What really matters is how well a bank (or its service provider) monitors network traffic, detects unusual or malicious activity, and shuts down suspect traffic. The other lesson here is that, as always, a little encryption can go a long way in ensuring that customer data is safe from the prying eyes of clever and determined hackers.