Vendor Risk Management as Applied to Fintech Contracts


As highlighted by Guy Potel and Hyder Jumabhoy in their earlier article, regulatory compliance is an area of fundamental concern. It is a concern, however, not only for strategic investors, but also for financial institutions procuring services from fintech providers.

Where a financial institution classifies a product or service being procured as an "outsourcing," its vendor risk management ("VRM") function will carefully scrutinise the proposed relationship. The VRM function will usually take the position that regulators will look at the service provider as an extension of the institution. Accordingly, the institution is required to impose contractual obligations on the provider so that the provider acts as the institution itself would act when it comes to compliance.

In the context of global transactions, this may lead to unbridgeable contractual obstacles to closing the deal. A service provider located in the US, for example, may take the position that it only provides services in the US. A global financial institution rolling out access to the services across the globe, however, may take a completely different position because the services are being accessed from and used outside of the US, and may require that the service provider contractually covenant to take steps to comply with a number of regulatory requirements. In some jurisdictions around the globe, that may necessitate an in-country infrastructure build and other steps that the service provider (especially an emerging fintech company) may not have the inclination or resources to undertake.

So it is essential, before wasting time and money pursuing a specific transaction, for the parties to align on the contractual VRM requirements that will be sought by the financial institution, and whether the fintech provider can meet those prospective obligations.

But it is not just the fintech provider's burden to bear. For financial institutions looking to get in on innovative products offered by emerging fintech companies, the standard "one size fits all" VRM questionnaire/due diligence and associated standard form contracts may not be the proper starting point. Financial institutions may want to carefully evaluate how they designate a service procurement request, and the level of VRM review/contractual requirements truly appropriate for the prospective services.

For example, we were once involved in a transaction with a fintech provider based in a state where marijuana was legalised. When the financial institution's VRM due diligence function inquired about drug-testing and included its standard testing/screening requirement in the service agreement, the response from the fintech was: "If we drug tested our employees, we wouldn't have any!" Needless to say, the financial institution needed to seriously reconsider its standard contractual VRM requirements.

This content first appeared in Chambers Professional Advisers: FinTech.