Bank on Wipfli - Blog and Podcast


Managing the Risk of FinTech Adoption

Dec 09, 2019
By: Mike Morris

Financial institutions tend to be in a good position for assessing and managing the standards of their overall risk. Whether overseeing compliance associated with industry regulations like Anti-Money Laundering and the Bank Secrecy Act or monitoring their own internal controls, most institutions understand the need to be diligent and make informed decisions. However, when it comes to early adoption of new, innovative financial technologies, those same conservative views that serve them well elsewhere can cause hesitation and, ultimately, stagnation. The fear of being “first” is a big concern for many executives and can come with real consequences, both internally and externally. If staff are unfamiliar with how a new technology operates, they may also be unaware of its potential risks, and even the most thorough data flows and explanations cannot guarantee each step or control is being followed to the letter. 

If a financial institution does not have a complete understanding of a new technology’s risks and how it operates, it is very likely the institution will find it difficult to explain those same risks to regulators, and that can be a serious problem. As this technology continues to rapidly evolve, regulators are now relying more and more on the institutions themselves to explain not only how these technologies work but also their potential risks and what can be done to mitigate them. Financial institutions that have trouble doing so could see their FinTech projects delayed or halted by the regulators, regardless of whether they are implemented internally or contracted through a third-party vendor. To better address this, today’s institutions need to be aware of their knowledge gaps and work diligently to close them.  

Leveraging professionals with the knowledge and experience associated with these technologies is vital to ensuring a more robust understanding and identifying any potential risks. For some institutions, this means hiring the right subject matter expert or working with an outside firm. Many institutions are even creating their own internal committees to help guide innovation internally. These groups are dedicated to evaluating proposed new technologies and steering the course of their adoption. Often composed of both stakeholders and established industry and technology professionals, these committees help ensure an institution’s board of directors has the best available information to make informed decisions regarding any project. 

What’s more, as tech providers continue to outsource elements of their platforms, vendor risk management is becoming increasingly important. This outsourcing has created an interconnected risk ecosystem for these institutions. It is no longer enough to monitor and evaluate the direct provider alone; institutions must now also look to the companies those vendors work with. Ensuring these tech providers are properly managing this third-party risk is the only way to be certain the financial institution’s own data is secure.

While the majority of reputable tech providers have the necessary systems and measures in place to ensure the security of their technology, this is not always true. Because each implementation tends to be unique, the results, claims and experiences from other implementations, while helpful, should not be taken as sacrosanct. Perhaps the technology will be working with very different internal systems, or the other institution may not be managing its own risk. Regardless, each institution should conduct its own thorough evaluation and due diligence to ensure that any risks specific to it are found and managed properly.

With the constant, rapid changes in today’s technology, all financial institutions should be wary of long-term vendor contracts. Signing a 5- or 10-year agreement could mean having technologies that are seriously outdated well before the contract ends, saddling these institutions with ineffective solutions and often a major competitive disadvantage. Institutions should have a clear vision of their needs and should make those needs known to the vendor up front, leveraging the power of the pen if necessary, to ensure they get the solution they need — with plenty of room and time for revisions well before the technology’s implementation. Regardless of the other details, it is critical these contracts include what is known as a “right to audit” clause, which ensures that an institution or its audit firm has the right to examine and review a vendor’s own internal controls and systems for potential risks. What’s more, these types of audits should also be conducted prior to any implementation to provide better protection and risk assessment for all parties. 

In today’s world, technology continues to play an increasing role for all financial institutions. In turn, it is increasingly important that institutions make smart, informed decisions when it comes to their technology adoption. Ensuring all the associated risks of these projects and services are properly assessed and managed is a vital step in this process. By creating effective FinTech contracts and leveraging the right teams of dedicated professionals who can better evaluate potential risks and establish controls, financial institutions can better ensure their success.


Mike Morris, CISA