Compliance | May 02, 2025

How to build strong bank-fintech partnerships: Opportunities, risks, and compliance considerations

(As published in ABA Risk & Compliance magazine, May/June 2025 issue)

To stay competitive and meet evolving customer expectations, traditional banks are investing in digital transformation and forging fintech partnerships to enhance their digital services. These collaborations help integrate financial solutions such as digital wallets, peer-to-peer payments and advanced lending solutions—blurring the distinction between financial institutions (FIs) and fintechs.

Banks that partner with fintechs benefit from innovation, agility, cost efficiency and customer-centric services. In the area of customer service, fintechs excel in creating user-friendly solutions and superior digital experiences. With these partnerships, FIs can adapt more quickly to market changes, reduce operational costs, and avoid the heavy investments required for in-house development.

While fintech partnerships offer many benefits, they also present challenges for FIs, including integration complexity, differing corporate cultures, and regulatory compliance risks. Banks must ensure that fintech partners uphold high security and compliance standards to maintain customer trust while also managing partner dependency and navigating an increasingly complex regulatory landscape—particularly when multiple fintech providers are involved.

The use of artificial intelligence (AI) continues to be a key interest in the financial services industry, as banks cautiously look for innovative ways to enhance decision making and operational efficiency while also leveraging technology to comply with regulatory requirements. For banks with multi-country operations, the use of AI facilitates handling complex, multi-jurisdiction reporting and different regulatory requirements. (For more information, see "Keeping pace with AI: Third-party risk management" and "Insights on strategy, risk and regulation in bank-fintech partnerships"[1] in the March–April 2025 issue.)

As banks deepen their engagement with fintechs, they must navigate various partnership models, regulatory expectations, and risk considerations. The following sections outline common fintech partnership structures, key compliance challenges, and best practices for building strong governance frameworks.

Bank-fintech partnership models

Common partnership structures include:

  • Banking-as-a-Service (BaaS). BaaS is a model in which FIs provide access to their core banking functions through application programming interfaces (APIs)—technology that allows different software systems to communicate and exchange data seamlessly. This enables third parties to build their own financial products without needing to become banks themselves.
  • Embedded finance partnership model. Similar to the BaaS model, embedded finance is the integration of financial services technology into platforms outside of the financial sector. By leveraging APIs, these platforms—such as e-commerce sites or ride-sharing apps—can offer services such as payments, loans, or insurance, enhancing the customer experience.
  • Bank model partnership. Here, the bank acts as the lender or account issuer, integrating with fintech systems. The fintech acts as the servicer of the bank.
  • Referral partnership model. The fintech interacts directly with a bank’s customers for certain services, acting as a lead generator, while the bank handles transactions.
  • Fintech as a vendor model. In this model, the fintech provides technology solutions that banks adopt and incorporate into their solution sets to expand or improve their services.
  • Private/white-label model. Here, banks sell fintech products under their own brand, managing customer relations and branding.
  • Hybrid model. This approach combines elements of other models, where the fintech offers technology solutions and refers customers to banks.

The evolution of these partnerships has been influenced by several factors, including mobile adoption, remote work, regulatory modernization and changing customer expectations. Today, bank customer segments include more and more digital natives, who expect to transact through smart devices. Boomers and GenX are digital migrants, whereas Millennials, GenZ and beyond were born into an electronic and digitized world.

In 2024, several partner banks reconsidered or exited their partnerships due to regulatory issues. The main reasons ranged from insufficient due diligence and ineffective management of their third-party relationships, to a lack of robust commercial agreements and ongoing oversight. Looking ahead in 2025, regulatory scrutiny of bank-fintech partnerships is expected to intensify. Meanwhile, the fintech space continues to grow more competitive, with traditional banks investing heavily in digital transformation to differentiate their product and service offerings.

Regulatory scrutiny and compliance challenges

A recent survey[2] of compliance professionals in bank-fintech partnerships shows that 90 percent of sponsor banks struggle with compliance. Key issues include a lack of control and auditability over fintech partners' policies, difficulties applying consistent compliance across jurisdictions, misalignment between internal policies and fintech partners, and unclear regulatory expectations. Regulators have increased scrutiny of bank-fintech partnerships, prompting banks to oversee their fintech partners more effectively. As an example of regulatory focus over the past two years, agencies have issued joint statements on bank-fintech partnerships, including:

Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services[3]
On July 25, 2024, the FDIC, Federal Reserve, and OCC issued a joint statement to outline potential risks in the delivery of bank products and services. The joint statement discussed potential risks related to arrangements between banks and third parties to deliver bank deposit products and services to end users. The statement also highlighted examples of risk management practices implemented by banks to manage such risks.

Request for Information (RFI) on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses[4]
On July 31, 2024, the same agencies released an RFI soliciting input on the nature of bank-fintech partnerships, effective risk management practices pertaining to these arrangements, and other implications of such partnerships.

Final Interagency Guidance on Third-Party Relationships[5]
In June 2023, the federal banking agencies released guidance on managing risks in third-party relationships, including those with fintech companies. The guidance discusses the importance of due diligence, ongoing monitoring, and clear contractual agreements.

A review of enforcement actions issued by regulatory agencies during 2024 reflects common areas of violations, including weaknesses in board and management oversight, failures in the third-party risk management program and the oversight of fintech partners, deficiencies in the BSA/AML compliance programs, and non-compliance with consumer protection regulations. (See adjacent chart, 2024 Enforcement Actions Main Areas.)

2024 enforcement actions main areas

Regulatory Agency: Main Areas Highlighted
FDIC
  • Deficiencies in the BSA/AML compliance programs
  • Weaknesses related to third-party risk management programs and oversight of fintech partners
  • Weaknesses in board management oversight and monitoring
OCC
  • Deficiencies in the BSA/AML compliance programs
  • Weaknesses in board management oversight and monitoring
  • Non-compliance with consumer protection regulations
FED
  • Deficiencies in the AML, risk management and consumer compliance programs
  • Weaknesses in board management oversight and monitoring
  • Deficiencies in the management of third-party relationships in BaaS partnerships
CFPB
  • Failures in safeguarding the payment network from fraud
  • Violations of the Consumer Financial Protection Act of 2010
  • Non-compliance with the Electronic Fund Transfer Act

Moreover, the mention of inadequate staff expertise was a prominent theme in many of these agencies’ enforcement actions.

As regulatory scrutiny of bank-fintech partnerships increases, banks are expected to strengthen their governance frameworks, with a particular focus on oversight. Key areas of emphasis include enhancing board and management oversight, improving risk management frameworks, reinforcing due diligence controls, and strengthening third-party monitoring. Additionally, regulators are placing greater focus on consumer protection more broadly, including transparency in financial products and services, fair lending practices, and safeguards against deceptive or unfair practices.

In examining various sources and the supervision plans released by the federal banking agencies for 2025, there appears to be a shift in emerging regulatory oversight. For example, on January 21, 2025, the FDIC Acting Chairman issued a public statement outlining the agency’s upcoming priorities amid recent changes in administration. These priorities include adopting a more open approach to innovation and technology adoption, as well as more transparency about the FDIC’s expectations for the management of fintech partnerships.[6]

Additionally, the OCC issued the Fiscal Year 2025 Bank Supervision Operating Plan, emphasizing bank-fintech partnerships.[7] The plan highlights key supervisory priorities, including:

  • Consumer compliance: Examiners will assess how banks manage compliance risks associated with products and services offered through fintech partnerships.
  • Enterprise change management: The OCC will monitor banks' strategic plan adjustments and significant shifts in product and service delivery, including those between banks and fintechs that provide consumers and businesses with banking products and services.
  • Third-party risks:  Examiners will evaluate the effectiveness of banks' risk management practices across all stages of the third-party risk management lifecycle.
  • Payments: Examiners will focus on risks associated with payment systems and payment-related products provided through bank-fintech arrangements, including fraud risk management, third-party risk management, and new or novel products and services. 

Partnership risks and challenges

Evolving products and services, technological innovation, and an uncertain regulatory environment create risks for bank-fintech partnerships. Operationally, misalignment between a bank’s governance structure and that of its fintech partner increases the risk of non-compliance with applicable laws and regulations. Additional risks include:

  • Increased compliance costs, including the structural and system changes needed for banks to comply with evolving regulations. 
  • Operational and compliance challenges, including managing oversight of third-party deposit operations, ensuring compliance functions performed by fintech partners meet regulatory requirements, maintaining access to third-party records, strengthening risk management systems to fulfill consumer protection obligations, and expanding audit scope and coverage.
  • Misrepresentation of deposit insurance coverage by fintech partners, including misleading claims in marketing materials and other public-facing content, which can lead to regulatory violations and consumer confusion.

Building an effective third-party governance program

Regardless of whether compliance professionals operate within a traditional banking framework or a bank built entirely on a bank-fintech partnership model, their role is crucial in facilitating successful change. A bank entering into fintech partnerships must carefully consider the potential risks to its charter and reputation. This underscores the need for compliance officers' thorough attention and diligence.

What can compliance and risk professionals do to optimize bank/fintech collaborations?

Maintain an active role. Compliance and risk teams must actively participate in all phases of a fintech partner’s due diligence, onboarding, and monitoring processes. They should also engage in new business initiatives, changes to products and services, and the implementation of new technology.

Understand products and services offered. It is imperative to have a clear understanding of the products and services covered under the existing bank-partner agreements and the risks they pose. Gathering this knowledge starts at the early stages of the relationship, specifically during the due diligence and risk assessment processes. The due diligence process allows banks to gather information on products and services offered and how these products and services align with the bank’s business strategies and risk appetite.

Understand the strengths and weaknesses of a partner’s Compliance Management System (CMS). Compliance and risk professionals must have a clear understanding of where the responsibility begins and where it ends, including:

  • Alignment with the partner's CMS governance framework and policy governance structure; 
  • Review and analysis of risk assessment results, prior internal and external audits, regulatory reviews and actions, remediation efforts, complaint logs and litigations in progress.

Identify associated risks and controls. Compliance and risk teams must assess mechanisms to ensure full compliance with laws and regulations that apply to a prospective partner’s products and services. Additionally, banks should identify and understand the range of inherent risks associated with these products and services. It is also important to catalog risk-mitigating controls such as compliance policies and procedures, processes for issue management and change control, monitoring and testing, complaint handling, compliance training, and management reporting. The weaknesses and control gaps identified during the initial due diligence process form the basis for the bank/fintech relationship and subsequent action plans to address those risks as the relationship matures.  Knowing the risks going into a relationship empowers the bank to command an appropriate degree of control over a new partnership.

Establish a robust compliance training program. Compliance should be sure to ask the following questions:

  • Does the partnership possess the training infrastructure to provide comprehensive coverage across various partners, products, origination, and servicing systems? 
  • Is the compliance training program sufficiently robust to ensure a thorough understanding and awareness of legal requirements across the entire enterprise, and among our fintech partners?

Evaluate monitoring and oversight controls. It is critical to have a compliance governance structure in place that includes oversight committees, as well as strong third-party oversight and reporting. Recent examples of notable compliance failures that were subject to consent orders include bank weaknesses relative to monitoring and oversight controls of fintech partners. Fintech partners should be receptive to frequent reviews of their CMS framework and compliance program—and work closely with the bank’s compliance team in establishing the coverage of compliance reviews.

Evaluate the change management process. Evaluate the partner’s structure for the identification, implementation, testing and monitoring of regulatory changes applicable to the products and services offered on behalf of the bank. 

Improve issue identification, sharing and escalation. As banks expand fintech partnerships, they may need new reporting channels and dashboards to monitor risk. Regular reports to management and the board should provide a clear view of emerging compliance issues. Leveraging existing oversight forums to share and escalate identified issues representing potential risks will strengthen issue escalation and resolution.

Looking forward

Successful fintech partnerships require banks to have strong compliance programs and actively manage risks. To achieve this, compliance professionals should focus on the following key actions:

  • Lead the oversight framework. Compliance and risk professionals should take a lead role in working with the board and management to implement the bank’s oversight and monitoring framework. 
  • Collaborate with business lines. Compliance and risk professionals should work closely with business lines to gain a comprehensive understanding of the products and services covered in the bank-fintech partnership agreements. This knowledge enhances the effectiveness of compliance efforts in developing and implementing risk mitigation strategies. 
  • Jointly implement a governance framework. Sponsor banks and fintech partners must jointly implement and align a compliance policy governance framework that clearly defines roles and responsibilities.
  • Own risk management. Compliance and Risk teams are responsible for identifying, assessing, monitoring and tracking the mitigation of risks associated with the products and services covered within the partnership.
  • Enhance compliance training. The bank’s compliance training program must cover all relevant laws and regulations applicable to the products and services included in the partnership agreement.  An effective compliance training program reflects appropriate regulatory coverage, the assignment of required training based on roles, and monitoring controls for training assignment and completion. Non-compliance with training completion should generate a compliance escalation to the appropriate oversight committee. 
  • Engage in change management. Compliance and Risk teams should work closely with business lines across all phases of the change management process, from implementation to validation, to ensure regulatory compliance. While banks have traditionally approached change with caution, fintechs operate at high speed. For banks seeking partnership with fintechs, it is paramount to rethink change management and ensure that the talent and tracking are in place to keep up with fintechs.
  • Reassess third-party risk management (TPRM). For any FI engaging in partnerships with fintechs, the existing TPRM program may be insufficient to manage the inherent risks.  Compliance and Risk teams need to re-assess their current third-party oversight and monitoring processes and develop remediation plans, as necessary.  
  • Seek independent oversight. Compliance and Risk teams should consider engaging an independent advisory or audit firm to assess the state of the CMS supporting the bank-fintech relationship. This external perspective can provide valuable insights, identify potential gaps, and ensure that the bank’s compliance framework meets regulatory standards and best practices.

[1] https://bankingjournal.aba.com/2025/03/insights-on-strategy-risk-and-regulation-in-bank-fintech-partnerships/
[2] 2024 State of Embedded Finance Report | Alloy
[3] https://www.federalreserve.gov/supervisionreg/srletters/SR2405.htm
[4] https://www.federalregister.gov/documents/2024/07/31/2024-16838/request-for-information-on-bank-fintech-arrangements-involving-banking-products-and-services
[5] https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management
[6] https://www.fdic.gov/news/press-releases/2025/acting-chairman-travis-hill-expresses-support-enhancing-flexibility
[7] https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

Zaida Aponte
Senior Regulatory Consultant, US Advisory Services
Zaida Aponte is an Associate Director responsible for overseeing the U.S. Advisory Compliance Management System practice with Wolters Kluwer. She is bilingual (English/Spanish) and brings over 30 years of experience in the financial services industry working for global financial institutions in the areas of internal audit, regulatory compliance, international retail product operations, banking operations, third-party risk management, credit cards, external sales, and portfolio risk management.