IT Examiner School - Oct 2025
Resources to Examine FinTech Companies

Key Questions for Examiners to Ask
• What risk assessments were performed during the FinTech's development or acquisition process?
• How is third-party risk managed, especially for API integrations and cloud services?
• What cybersecurity controls are in place to prevent data breaches and ransomware attacks?
• Does the institution have monitoring mechanisms to track the FinTech's compliance with regulatory standards?
• Are there contingency plans in place for vendor outages or cyber incidents?

Development and Acquisition:
• Review risk assessments conducted during the development or acquisition of FinTech solutions.
• Evaluate due diligence and vetting processes for third-party providers including contract
• Ensure that vendor risk assessments align with institutional risk appetite and regulatory expectations.

Initial Vendor Management Reviews:
• Leverage vendor management processes to understand the FinTech's security posture.
• Examine Service Level Agreements (SLAs) and contractual obligations for data protection.
• Verify that the institution's vendor management policy addresses third-party risks associated with FinTech providers.

Ongoing Monitoring and Audit Requirements:
• Confirm regular performance reviews of FinTech service providers.
• Ensure continuous monitoring of data security and system integrity (API monitoring).
• Validate independent audits for compliance and cybersecurity standards.

InTREx Work Program Areas

Conclusions on Examining FinTech
• FinTech solutions drive innovation in financial services but also bring unique risks that require thorough regulatory oversight.
• Examiners should focus on evaluating:
  • Development and Acquisition Assessments — Ensuring risk is assessed during implementation.
  • Vendor Management and Ongoing Monitoring — Validating third-party security and operational integrity.
  • Regulatory Compliance Checks — Confirming adherence to GLBA, NYDFS 23 NYCRR 500, and CFPB guidelines.
• Fundamentally, organizations must approach FinTech with heightened risk awareness due to its unique technological landscape and extensive access to sensitive customer information.
• By leveraging InTREx and third-party guidance on technology vendors, examiners can effectively monitor FinTech activities for emerging risks.