IT Examiner School eBook May 2025
Resources to Examine FinTech Companies
InTREx Work Program Areas
Key Questions for Examiners to Ask
• What risk assessments were performed during the FinTech's development or acquisition process?
• How is third-party risk managed, especially for API integrations and cloud services?
• What cybersecurity controls are in place to prevent data breaches and ransomware attacks?
• Does the institution have monitoring mechanisms to track the FinTech's compliance with regulatory standards?
• Are there contingency plans in place for vendor outages or cyber incidents?
Initial Vendor Management Reviews:
• Leverage vendor management processes to understand the FinTech's security posture.
• Examine Service Level Agreements (SLAs) and contractual obligations for data protection.
• Verify that the institution's vendor management policy addresses third-party risks associated with FinTech providers.

Ongoing Monitoring and Audit Requirements:
• Confirm regular performance reviews of FinTech service providers.
• Ensure continuous monitoring of data security and system integrity. (API Monitoring)
• Validate independent audits for compliance and cybersecurity standards.

Development and Acquisition:
• Review risk assessments conducted during the development or acquisition of FinTech solutions.
• Evaluate due diligence and vetting processes for third-party providers including contract
• Ensure that vendor risk assessments align with institutional risk appetite and regulatory expectations.
Conclusions on Examining FinTech
• FinTech solutions drive innovation in financial services but also bring unique risks that require thorough regulatory oversight.
• Examiners should focus on evaluating:
  • Development and Acquisition Assessments — Ensuring risk is assessed during implementation.
  • Vendor Management and Ongoing Monitoring — Validating third-party security and operational integrity.
  • Regulatory Compliance Checks — Confirming adherence to GLBA, NYDFS 23 NYCRR 500, and CFPB guidelines.
• Fundamentally, organizations must approach FinTech with heightened risk awareness due to its unique technological landscape and extensive access to sensitive customer information.
• By leveraging InTREx and third-party guidance on technology vendors, examiners can effectively monitor FinTech activities for emerging risks.