The Do’s and Don’ts when Preparing for a BaaS Regulatory Exam Part 1


All banks know that regulatory oversight is a necessary evil for keeping the doors open (their words, not mine - says the former regulator). What is often forgotten is that the regulators also want to keep the bank’s doors open. This isn’t an adversarial dichotomy, even though (at times) it may feel that way. So, as the regulators increase their oversight of bank-fintech partnerships, I’d like to take a moment to remind bankers (and fintech folks) of some of the do’s and don’ts when prepping for a regulatory examination. Before I dive into the more candid conversation in my next blog, let's remind everyone of the obvious:
- Review your organization’s policies, procedures, and documentation to ensure that you provide updated and accurate artifacts to the examiners. If there were material changes to any of these processes during the examination scope, ensure that those are highlighted to lessen questions or confusion once the exam is underway.
- Prioritize review of high-risk functions (e.g., BSA/AML, cybersecurity, lending practices). Perform risk assessments and internal audits to detect and address any deficiencies.
- Ensure that all previous examination findings were addressed and documented in the manner agreed upon. And, if not, have a reasonable and supported explanation as to why the response was different, delayed, or unfinished.
- Organize and prepare key stakeholders for examiner meetings. This includes conducting mock meetings and preparing lists of the types of questions or topics that will be discussed. Representatives from compliance, risk management, IT, finance, and operations should be designated as the main points of contact. Their roles and responsibilities during the exam process should be clearly outlined prior to the exam.
- Ensure complete and comprehensive responses to the examination request letter. Provide all documentation and artifacts necessary to demonstrate the program.
- After the exam, review examiner feedback and findings. Develop and implement a remediation plan for any issues identified during the exam and assign responsibility and timelines to update controls and processes to address the findings.

The regulators would much prefer a win-win scenario where the bank continues to grow and profit, while meeting customers’ needs, and not to their detriment or financial harm. Transparency and communication on the responsibility of all stakeholders – banks, fintechs, and regulators – is essential to the healthy, continued growth of financial services and responsible innovation.
Tune in next time for Part 2 of the discussion where I dive into the details that will make the exam process and relationship with your regulators more cohesive. Because let’s face it, regulatory exams are not going away.
Kimberly Hebb is Co-Founder and Chief Risk Officer at BalancedTrust
