Out-Law Guide 14 min. read
04 Mar 2021, 2:35 pm
Banks need access to the latest digital technologies to avoid falling behind competitors, and commonly find it more efficient and effective to acquire technology from third parties than to develop it themselves; fintechs can reach a wider customer base and grow their business through partnerships with incumbent institutions.
Collaboration arises in a variety of forms, from minority stake investments by banks in fintech companies, to new service agreements and partnerships; however, the practical process of reaching a deal can be onerous.
Based on our experiences in the market, we have identified common issues that can arise as banks and fintechs seek to agree on the terms of collaboration between them. We focus on the areas of contractual approach, fintechs' financial sustainability, bank oversight, operational resilience, and data security. These are often the primary sources of tension once the parties engage in negotiations, so for the relationship to get off on the best footing, it is important for both parties to understand the other's drivers, pressures and challenges.
Many of these issues were recently acknowledged formally. In September 2020, the UK Fintech Pledge was launched, having been developed by the Fintech Delivery Panel and supported by HM Treasury. Its aim is "to set globally leading standards for the establishment of efficient and transparent commercial partnerships between banks and fintech firms", and a number of the top UK banks have volunteered. By signing, they commit to implementing the tenets of the Pledge by mid-March 2021, which include clear onboarding processes and communication channels.
The spirit of the Pledge needs to permeate down to a contractual level... Only by each party recognising and accommodating the priorities of the other can an effective collaboration agreement be realised
As the Fintech Pledge seeks to address, banks' standard procurement processes are often long and heavily involved, which make them time-consuming and expensive for fintechs just to engage with. The nature of the process often stifles the momentum and energy of fintechs, which the bank is looking for.
Fintech executives will commonly spend time compiling a written response to banks' invitations to tender, then, as they go through the various procurement stages, preparing and delivering presentations, responding to enquiries from banks' internal security and risk teams, and then in negotiating the terms of a contract with the bank over a period of months. They will need to manage this at the same time as dealing with investors and their day-to-day running of the business, often with relatively limited resources, competing priorities, and the procurement demands of other customers.
Banks view their processes as necessary to be able to satisfy regulatory requirements and any concerns they have over the fintechs' ability to meet its supply arrangements and liabilities. Diligence is critical. However, there is an acknowledgement that standard processes could be streamlined a little to make it less burdensome for fintechs and many banks have implemented or are looking at alternative approaches and shorter timescales. The Fintech Pledge formalises that work as the banks evolve and improve their processes and engagement with fintechs.
The banks' procurement processes often dictate that, as customer, the starting contractual position is based on the banks' own standard terms and, due to banks' perception of increased potential risk in dealing with fintechs, they are often bolstered to include extensive warranties in relation to litigation, liabilities, and protection against the hiving off of assets, for example. This means that the starting position taken in the contract is robust and thorough, but it does raise some issues as to what the fintech can reasonably sign up to and stand behind financially. The bank must always consider the context of the solution or services it is buying and the extent to which the terms of the contract can be meaningfully enforced in practice against the fintech.
Alongside the contract, banks and fintechs should seek to flesh out underlying issues in the open and, where it may be more effective, seek practical solutions to mitigate risks. Insurance, step-in rights, enhanced governance and reporting provisions, customer forums, and escrow are practical ways for banks to obtain technical and organisation comfort in order to mitigate risk, and these provisions and procedures can be built into the contract to avoid reliance solely on extensive contractual warranties and remedies. By their nature these measures will create increased practical obligations on fintechs, who therefore may be resistant, but they are important mitigations, so the banks should be prepared to discuss and articulate the risks which they are trying to protect against.
Often there is discord between banks and fintechs over what is paid for before products under development go live or even before the contractual phase is complete. Understandably, banks want assurances that the product is going to work before they make a substantial outlay. For fintechs, though, the time, effort and money they must invest to meet banks' requirements can create cash flow pressures. To alleviate these pressures, banks are agreeing to pay out some funds under a letter of intent or a short form agreement prior to engaging in the contractual process.
Additionally, long payment periods and procedural, drawn out approaches to the treatment of disputed invoices can also cause cash-flow issues and pose a serious risk to the short-term viability of fintechs. Again, the banks are adopting alternative processes and accelerated dispute resolution procedures to meet this concern.
Where a fintech's creditworthiness is a concern, banks sometimes seek a guarantee from the fintech's parent company to stand behind the supply agreement and meet the supplier's potential liabilities. However, fintechs are often concerned about providing a parent company guarantee as it may make the fintech less attractive to potential acquirers and investors.
In addition, fintechs often don't have the financial trading history, the assets or wherewithal to offer the comfort the bank is looking for. In many cases, fintechs do not have a parent company from which they can seek a guarantee for the bank. Fintechs may be able to look to insurance to meet any gaps, though this can be costly. A potential solution, however, is available through a more nuanced approach.
Fintechs that are backed by equity investors will commonly receive their funding in stages. Banks might consider more pragmatic financial diligence and flexibility in relation to the liability position under the contract. For example, it may be agreed that the fintech's liability progressively increases to match its various stages of funding and the bank might seek an obligation on the fintech to put in place a parent company guarantee or alternative guarantee arrangements as the business expands and restructures over time rather than upfront. This would require the bank to accept a greater level of risk at the outset of the contract and take a longer term view, but such flexibility in contracting approach together with robust governance, may be more realistic; it may also be more palatable than the reputational issues that may arise if the traditional approach to risk results in its fintech partner running out of cash.
To a large degree, the extensive procurement process, importance of due diligence and approach to risk more generally can be traced to the regulatory requirements to which the banks are subject in general and when outsourcing.
The requirements are reflected in the contracts between banks and fintechs to ensure the banks can meet their obligations and report on their compliance to the regulators
When banks collaborate with third parties it often entails outsourcing core functions of their operations to those third parties. These arrangements are subject to regulation, including the FCA Handbook, Solvency II/ PRA Rulebook, and the European Banking Authority's (EBA's) guidelines on outsourcing. It is important for fintechs to recognise that in addition to these regulatory requirements, each bank will also factor in its own risk appetite and requirements for compliance, so each bank has a separate view of its regulatory compliance obligations, no one size fits all.
A theme that permeates the regulatory requirements is the need for banks to maintain oversight over outsourced functions. The requirements are reflected in the contracts between banks and fintechs to ensure the banks can meet their obligations and report on their compliance to the regulators.
For instance, banks will seek a right to consent to any sub-contracting and sub-outsourcing by the fintech in order to secure oversight and control over the supply chain and to comply with the EBA guidelines on outsourcing. The guidelines make it clear that at all times the bank remains responsible for the outsourced function and in meeting the requirements of the guidelines.
Banks usually therefore require an upfront list of the fintech's sub-contractors for initial approval. Going forward, the contract would usually set out a process for the fintech to obtain the bank's express approval or for the bank to have a right to object to changes and new sub-contracting arrangements. The bank will then need a right to terminate if that process is not followed. Whilst these requirements introduce an extra administrative and contractual layer into supply chain management, they operate to provide the banks with greater oversight and enable them to better manage risk in line with their regulatory responsibilities. Fintechs should be prepared to produce details of all sub-contractors upfront, remediate those contracts if required, and to have processes in place to manage and report on changes within the supply chain.
All banks will seek access and audit rights on behalf of themselves and their regulators over the fintech and its material subcontractors. Banks generally resist pooled audit rights, so fintechs should expect such audit provisions to be detailed and to cover access to information, personnel and premises as the banks seek to ensure compliance with the terms of the agreement and security obligations in particular. Regulators will require an unfettered rights of audit, so fintechs should be prepared to make exceptions around regulatory audits as these are non-negotiable points for the banks.
To avoid these points becoming contentious in negotiations, fintechs can anticipate how they might realistically meet banks' needs for oversight. This might include taking a more standardised approach to product development, making a commitment to update products in light of regulatory changes, and developing robust policies and procedures. Fintechs who are familiar with the regulatory requirements of their prospective customers and anticipate them, have the opportunity to demonstrate their awareness and understanding of the regulatory environment of their banking customers and also a willingness to accommodate those requirements.
Conversely banks must recognise the level of investment that fintechs have made to the point of contracting with institutions and the investment which may be required to meet specific oversight requirements.
For fintechs who are not as familiar with the regulatory requirements, additional investment to meet those requirements may be significant and technical solutions will take time to implement: for instance, fintechs may need to overhaul existing systems and processes and update contracts with sub-contractors to enable the banks to comply with requirements regarding audit rights and sub-outsourcing. To justify the necessary investment, fintechs may seek commitments from banks in terms of a minimum volume of business they will provide. This is something banks have been traditionally reluctant to provide as generally they seek to avoid being locked in to using a single small supplier.
Operational resilience and business continuity is vital to not only banks' own reputation but to the provision of everyday banking and payment services on which businesses and the public rely. This is reflected in the regulatory requirements, the EBA guidelines and in banks' attitude towards the risks in outsourcing to fintechs.
Many large cloud providers have given thought to those issues and come up with terms to be able to meet the bank's requirements
Banks' duties on operational resilience and business continuity extend to ensure that the EBA requirements flow down through the fintech's supply chain. In practice, this can sometimes entail a significant contract remediation exercise which is both daunting and unattractive for fintechs to perform. Fintechs may find it difficult to change the terms of contracts previously agreed. However, many large cloud providers have given thought to those issues and come up with terms to be able to meet the bank's requirements through standard clauses in their own terms or specific financial services and EBA compliant addenda. There is therefore an opportunity for fintechs to think ahead so that they have terms to bring to the negotiating table that are acceptable to banks and which they can deliver on.
In managing operational risk, the banks have leveraged step-in rights as a practical short term means of getting services back on track where there are performance concerns. With the complexity of specialised solutions and cloud outsourcing, such 'traditional' step-in rights are not always practical or realistic – the bank may not have sufficient in-house expertise or resource capacity to exercise those rights in practice. Further, where the fintech is operating in a multi-client environment, it would not be feasible for one client to manage their own services in isolation, nor would it be appropriate for one client to step-in wholesale. Therefore, the step-in provisions should provide for a tiered step-in approach which includes different step-in rights for different aspects of the services and to accommodate single and multi-client environments, with appropriate controls.
It is always unpopular to discuss exit plans at the outset of collaboration agreements, but the EBA's guidelines place detailed requirements on banks in relation to how they exit from outsourcing arrangements, in particular with a view to recovering data. The extent of banks' expectations on the development of exit plans and the assistance the banks require around exit is sometimes a surprise to fintechs, so there is scope for fintechs to familiarise themselves with banks' requirements around exit and to anticipate discussion on the point in contract negotiations.
In relation to business continuity, a pragmatic approach to escrow may be required as the bank considers how it may transition services or a solution in-house or to a replacement supplier, particularly in the event of the fintech's insolvency.
The legacy approach of customers towards escrow was to seek deposit of source code in escrow by the supplier at regular intervals over the lifetime of the contract. If the fintech's source code is continually evolving and involves open source though, then maintaining an escrow deposit and obtaining a copy of the code at a fixed period of time may not be possible or meaningful.
Banks need to become familiar and comfortable with more recent offerings such as 'Escrow as a Service' or platforms such as GitHub in pursuit of alternative solutions which are more appropriate to the cloud solutions the banks are now purchasing. As well as technical solutions, with the value of fintechs often being in their founders and key product developers, banks should pay particular attention to key personnel provisions and its access rights on insolvency or contract termination as part of exit planning.
Another area of contention in negotiations is the level of protections banks seek to secure in respect of processing of personal data by fintechs and their sub-contractors.
Under the General Data Protection Regulation (GDPR) there is scope for controllers to give processors a general consent to sub-processing operations. However, banks are typically reluctant to do that – instead seeking control and transparency over where in the world data may be processed and by which organisations.
A nuanced approach on consent is possible in order to allow banks to exercise the individualised control they are looking for in most circumstances
Indeed, the EBA guidelines require that banks are aware of and pre-approve the locations in which their data is processed. Banks are therefore keen to ensure data flow assessments are conducted in diligence and for contracts to provide individual consent rights in relation to sub-processors and the locations of processing. Often, however, these consent rights are viewed by fintechs as 'gold-plating' requirements under the GDPR on the basis a general consent right could be used, and fintechs can be reluctant to provide such level of oversight to banks.
A nuanced approach on consent is possible in order to allow banks to exercise the individualised control they are looking for in most circumstances, alongside giving limited general consent to fintechs in relation to specified low risk sub-processing activities and in relation to locations of processing within parameters.
This approach is useful in the context of disaster recovery, which is a core strand of operational resilience and business continuity for banks and regulators. Banks will require detailed business continuity and disaster recovery processes and procedures to be in place and documented. Among other things, the banks will need to know that if one server for hosting data experiences an outage in one location, then the fintech will automatically 'fail over' to another location and continue to provide its services.
The scenario of a distributed denial-of-service (DDoS) attack often is contentious in such negotiations. Fintechs and their sub-processors may want the flexibility to determine that the best response to an attack is to fight it at its source, wherever that may be. This potentially entails the processing of data in jurisdictions that banks would not typically consent to but the fintech considers justifiable as the best method to avoid the attack. On that basis, fintechs will seek a general consent to changing data locations as appropriate to fight DDoS attacks, in the interests of business continuity and enabling effective disaster recovery.
Fintechs themselves may not always know the detail of the flow of data and fail over mechanisms in their own supply chain, because they themselves may have given a general consent to their own suppliers. However, under the GDPR and regulatory requirements, banks must be transparent with their customers about how their data is processed, including the locations of processing, and will require fintechs to provide information on these points.
The task of pinpointing the locations at which data is processed is made further challenging by remote working arrangements, particularly in light of Covid-19. Therefore for their part, fintechs can do more to anticipate banks' requirements in relation to data by making enquiries with their own suppliers, requiring transparency in their own contracts, conducting data mapping exercises and keeping such records up to date so they are prepared to meet their customers' diligence queries.
The standard bank provisions around data and information security are all aimed at protecting bank data, ensuring the confidentiality, integrity, and traceability of bank data, and making sure it can be retrieved effectively at all times. These aims are completely justifiable given the potential public reputational risk the banks face; however a degree of compromise may be needed by banks and fintechs on managing cyber risk.
Sometimes the most effective strategy to protect against an attack is for the fintech to take services offline, but this must be balanced against the regulatory obligation on banks to maintain continuity of its services. From the bank's perspective, gaining internal approval from stakeholders to enable suppliers to suspend services in any circumstance is often an arduous process, so banks commonly require a contractual right to approve planned switch-offs and to conduct diligence on previous attacks and responses. From a fintech perspective, however, it may not be possible to turn services off for one customer but not another.
Contracts should be drafted to ensure the circumstances in which services are restricted or suspended, if permitted at all, are only very limited and are accompanied by suitable notifications, controls and transparency. Involving the banks in cyber and security oversight through governance channels and reporting also provides the banks with comfort around the processes being adopted by fintechs, the ability to provide input, and early warning of any potential issues.
Much has been written about collaborations between financial institutions and fintechs over the past decade or so, and how to bridge the perceived gaps. Some of the 'barriers' are cultural, some are procedural, some are practical. Whilst the Fintech Pledge is reassuring and encouraging insofar as the banks have recognised the need to streamline, the proof will be in the implementation of the Pledge this year.
The spirit of the Pledge needs to permeate down to a contractual level where, on the one hand, the banks take a bolder, more innovative and nuanced approach to contracting and, on the other hand, the fintechs address upfront the key regulatory and contractual concerns of their banking customers.
Only by each party recognising and accommodating the priorities of the other can an effective collaboration agreement be realised.
Co-written by Madeleine Barratt of Pinsent Masons.