Is vendor oversight *really* required, and why?
As they say, it takes a village. And so with running a company, you can’t do it all on your own.
So, you do the most logical thing: You spend your hard-earned investor and revenue dollars to pay other companies to do the work for you.
Or to put it nicely, you hire “vendors” to help run your business efficiently (your KYC tooling, your credit reporting agency, your servers). Not an earth-shattering concept. We know all businesses have a supply chain somewhere behind that fancy logo.
So what makes vendors so special in the world of fintech?
Recall in our past post “In a fintech-bank partnership, who is in charge?”, regulators see the fintech as an extension of the bank (and not the other way around).
To put it a bit more crudely for the fintech founders who might take exception to the description, the fintech is sort of like a vendor of the bank (providing marketing and customer acquisition services).
And so when the fintech goes out and outsources some of its functions, the vendor is the vendor to the vendor of the bank.
The chain is something like this:
Regulators → oversee the bank sponsor
Bank sponsor → oversees the fintech
Fintech → oversees its vendors
The way the regulators see it: Your vendor’s mistakes are your mistakes are the bank’s mistakes. And so, when working with a bank sponsor, you’ll get a lot of questions about your vendor oversight program.
Are all vendors created equal though? Of course not.
There are two types:
(1) Critical vendors; and
(2) Non-critical vendors
Generally, a critical vendor is one that either:
(1) has access to sensitive or confidential information of the company, including customer PII (personally identifiable information); or
(2) is so critical to the functioning of the company that, if it were to go under, the company would have a major disruption in services.
So your snack services company is likely not a critical vendor. But the credit reporting agency or outsourced ledgering service that has all your customers’ personal information on its servers probably is.
If your vendor is “critical”, you need to assess how risky they are to your business and build in some protections in your contract.
What does vendor oversight entail? It’s a combination of diligence, doing a legal review of your vendor agreement, and doing at least a once-a-year check-in with the vendor (hey, vendor, you still kicking it? no data breaches last year, right?).
How does this work in practice?
Nowadays, you would probably send all your critical vendors a questionnaire that they would then fill out, and then resend it a year later, and so on.
The questionnaire would ask questions like how long they’ve been in business, do they have basic controls like a SOC 2 certification, do they have an information security policy, do they have insurance, etc.
If you are a solutions provider, you’re all too familiar with these questionnaires. And all these requirements have spawned an entire cottage industry of certification providers like SOC 2 providers (Vanta, Thoropass).
Now, you might be wondering: Isn’t Amazon Web Services technically a “critical” vendor, since, if their servers were to go down, your business would definitely be impacted?
In theory, yes.
But in practice? Good luck getting AWS to respond to your very important questionnaire.
So, vendor oversight ends up being one of those murky areas of fintech that everyone says you should do but you really only do once you’re at a large enough scale.
Until then, you just hope your vendors don’t have a data breach that is spilled over the news.
As with all our posts, we like to include some practical tips for all you operators out there:
If you’re an early stage fintech, you’re probably not going to do any vendor oversight, and that’s probably ok. Your bank sponsor will ask for it, and you’ll keep saying you’re going to do it, but everyone knows you won’t.
If your fintech is at a critical size (usually, post-PMF or Series A), you will have a formal vendor questionnaire that you send to all your critical (i.e., large) vendors.
If you’re scaling up your fintech (Series C), you are likely hiring a dedicated role whose job is to deal with procurement and vendor oversight.
If you’re the vendor that routinely gets flagged by your customers as “critical”, it is probably best to get in the habit of developing template answers for all those questionnaires you’ll be filling out, over and over and over again.
********************
While we hope you found this post helpful, please note that the information in this post is not intended to be legal or regulatory advice.
Fintech Law and Compliance 101 is affiliated with https://www.itsaffinity.com/, a compliance learning management platform built specifically for fintechs.