Direct Customer Risk Assessment Methodology

Version 1.0 - February 2023

Financial institutions that engage in relationships with fintech partner programs, such as partner banks, Banking-as-a-Service platforms, or other similar financial service providers, should exercise appropriate financial crime compliance oversight of their fintech partners and implement effective measures for third-party risk management to meet regulatory requirements and expectations. This requires institutions to understand both the financial crime risk posed by each fintech partner and how that relationship impacts the institution’s own risk profile.

Cable provides a suite of tools enabling institutions to achieve this understanding and effectively manage fintech partner risk, including Cable’s Direct Customer Risk Assessment (DCRA), which builds on and supplements the capabilities offered by Cable’s Risk Assessment.

The methodology for Cable’s Risk Assessment is described in separate documentation available from Cable and should be referenced for a complete summary of all methodologies underlying Cable’s DCRA.

This document details the methodologies used in Cable’s DCRA. The DCRA is based on regulatory guidance, industry experience, and user feedback. It enables an institution to automatically take into account the risk ratings of its fintech partners and produces an aggregate assessment of risks faced by an institution on its own and across its fintech partner portfolio.

As with all of Cable’s products, the DCRA is highly configurable to each institution’s own risk appetite. Users are always able to manually adjust any automatically calculated risk ratings as needed to reflect their own assessment of risk.

Cable’s Risk Assessment

Cable’s Risk Assessment is a financial crime risk assessment tool that can be used by institutions to understand the risk posed by each of their fintech partners.

Each fintech partner that completes Cable’s Risk Assessment will produce inherent and residual risk ratings across a wide range of risk categories within 10 high-level financial crime risk areas, as well as an overall business-wide inherent and residual risk rating.

The 10 high-level risk areas are as follows: Regulatory Risk, Operational Risk, Geographic Risk, Size and Nature of Business Risk, Processes and Systems Risk, Product/Services Risk, Delivery Channel Risk, Customer Risk, Transaction Risk, and Typology Risk.

Cable’s Direct Customer Risk Assessment

Cable’s DCRA then enables institutions to understand how each of their fintech partner relationships affects their own risk profile by leveraging the outputs of Cable’s Risk Assessment. After an institution and its fintech partners have gone through Cable’s Risk Assessment, the institution can use Cable’s DCRA to integrate the relevant risk ratings from its fintech partners into the institution’s own risk ratings.

The DCRA provides a comprehensive approach for institutions to account for risks across their fintech partner portfolio by assessing risk at an underlying customer and transaction level as well as at the fintech partner level.

Fintech Diligence and Onboarding Administration

Institutions also need to be able to easily demonstrate effective oversight and risk management of their fintech partners.

Cable’s DCRA helps institutions achieve this by providing easy workflows to collect and record company profile information and key documentation from each fintech partner. Additionally, it gives institutions access to essential fintech partner portfolio risk information and streamlined processes to obtain senior management or other stakeholder approval of their risk assessment.

Risk Rating Aggregation Methodologies

The DCRA methodology is composed of two parts, which together account for risks to an institution that are posed by its fintech partners’ underlying customers and transactions, as well as risks posed by a fintech partner itself.

Part 1

Institutions should take into account the risks associated with their fintech partners’ underlying customers and transactions for financial crime compliance purposes.

To achieve this, the risk ratings for select risk areas related to fintech partners’ underlying customers and their transactions should be integrated into the institution’s own risk ratings. For institutions, this means that, among the 10 high-level risk areas in Cable’s Risk Assessment, the DCRA produces an aggregate risk rating for the risk categories within the following five risk areas:

  • Geographic Risk
  • Customer Risk
  • Product/Services Risk
  • Transaction Risk
  • Typology Risk

The following steps set out how an institution and its fintech partners’ risk ratings for each risk category in these areas are consolidated into a final aggregate risk rating through a weighted average approach (with one exception described further below):

  • First, each fintech partner is weighted according to its total number of customers.
  • Second, the institution’s own pool of customers that it serves directly (i.e., not through a fintech partner) is also weighted based on total customer numbers.
  • Third, using the weights determined above, for each risk category in the relevant risk areas, a weighted average of the inherent risk ratings from each fintech partner and the institution is calculated.
  • Fourth, for each risk category, the weighted average inherent risk rating calculated above is compared to the inherent risk rating generated in the institution’s own risk assessment, and the greater value is determined to be the final inherent risk rating for that risk category.

This methodology reflects an approach such that if an institution’s own risk assessment has the greater risk rating for a particular risk category, greater priority is placed on this determination than the aggregate rating determined above, as the institution may have more complete information informing a more holistic assessment of the risks it faces.

An exception to the above methodology is implemented for the high-level risk area of Geographic Risk as follows:

  • For each risk category in this risk area, the maximum inherent risk rating from among each fintech partner and the institution is determined to be the final inherent risk rating for that risk category.

Taking these steps together, Cable’s DCRA enables an institution to automatically integrate risks from its fintech partners’ underlying customers and transactions in the institution’s own risk assessment.

Part 2

Beyond accounting for risks from fintech partners’ underlying customers and transactions, institutions should also consider any risks posed to the institution by a fintech partner itself (e.g., historic compliance issues or high risk processes and systems at the fintech partner that are not addressed through appropriate controls).

To achieve this, Cable’s DCRA enables an institution to account for fintech partners’ overall business-wide risk ratings – which reflect all 10 high-level risk areas – in its own risk assessment as follows:

  • The Customer Risk area includes an additional risk category for “Fintech Programs” that encompasses the institution’s fintech partners, with an inherent risk rating determined to be the greatest overall business-wide residual risk rating across all fintech partners.

As a result, Cable’s DCRA also lets an institution automatically update its own risk assessment to reflect risks that may come from a fintech partner itself, whether due to the presence of high-risk factors across the 10 risk areas or insufficient controls at the fintech partner to effectively mitigate risks.
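The Part 1 and Part 2 aggregation rules can be illustrated with a short worked example. This is an added illustration, not Cable’s code: the numeric 1 (low) to 5 (high) rating scale, the function names, and the sample institution and partners are assumptions, and the weighted average is left unrounded because this document does not specify a rounding rule.

```python
# Added illustration of the DCRA aggregation steps; not Cable's code.
# Assumption: ratings are numeric on a 1 (low) to 5 (high) scale.
MAX_RULE_AREAS = {"Geographic Risk"}  # exception: take the maximum, no averaging


def aggregate_category(area, institution, partners):
    """Part 1: final inherent rating for one risk category.

    institution and each partner are dicts with 'customers' (total customer
    count) and 'inherent' (inherent risk rating for this category).
    """
    everyone = [institution] + partners
    if area in MAX_RULE_AREAS:
        return max(e["inherent"] for e in everyone)
    total = sum(e["customers"] for e in everyone)
    if total == 0:
        # No customers anywhere: nothing to weight, keep the own rating.
        return institution["inherent"]
    # Steps one to three: customer-weighted average across all parties.
    weighted = sum(e["inherent"] * e["customers"] for e in everyone) / total
    # Step four: the institution's own rating prevails when it is greater.
    return max(weighted, institution["inherent"])


def fintech_programs_rating(partner_residuals):
    """Part 2: inherent rating of the 'Fintech Programs' category, i.e. the
    greatest overall business-wide residual rating across all partners."""
    return max(partner_residuals, default=None)


# Constructed sample data (hypothetical institution and partners).
bank = {"customers": 10_000, "inherent": 2}
partners = [
    {"customers": 30_000, "inherent": 4},
    {"customers": 10_000, "inherent": 3},
]

if __name__ == "__main__":
    print(aggregate_category("Transaction Risk", bank, partners))  # weighted
    print(aggregate_category("Geographic Risk", bank, partners))   # maximum
    print(fintech_programs_rating([2, 4, 3]))
```

With this sample data, the large higher-risk partner pulls the Transaction Risk rating well above the institution’s own rating, while Geographic Risk simply takes the highest rating in the portfolio.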

For any questions or comments about Cable’s DCRA, or to learn more about Cable, please visit our website at cable.tech or email customers@cable.tech.