From payments-fintech-compliance
Drafts the fintech-side controls evidence pack a sponsor bank's third-party risk function expects in its file: control inventory mapped to Reg E error-resolution timing, NACHA Operating Rules obligations the program operator owes upstream, FBO subledger reconciliation, sponsor-bank reporting cadence, customer-facing disclosure adherence (Reg E §1005.7-§1005.11, Reg DD), money-transmitter / MSB BSA posture where applicable, contract-clause adherence evidence under the program agreement, and a 12-month incident-history summary. Output is a Word memo plus an Excel control inventory, review-ready for the fintech's own second line and for production to the sponsor bank's TPRM team or to a state-MTL examiner.

Best for:
- A fintech, neobank, BaaS program, or wallet operator preparing or refreshing its self-evidence pack for a sponsor-bank annual review, sponsor-bank-led audit, or state-MTL exam.
- Compliance has been asked to self-evidence Reg E §1005.11 error-resolution timing (10 / 45 / 90-day clocks), NACHA return handling, or unauthorised-transfer liability allocation between fintech and bank.
- A new payment rail (FedNow, RTP) or new product (debit-card program, instant payouts, secured card) is being added under the sponsor-bank's existing oversight envelope and the program operator needs the delta-control pack.
- An incoming sponsor bank, processor, or program manager has issued a control questionnaire (SIG, CAIQ-style, or bespoke) and the fintech's second line is preparing a defensible response.

Not the right tool when:
- The user is the sponsor bank doing principal-side oversight (use `banking-risk-compliance/bank-fintech-partnership-review`, or `third-party-operational-resilience/vendor-diligence` with the payments-fintech overlay).
- The work is incident-specific (use `payment-operations-incident-review`).
- The work is a top-down rail-and-segment risk assessment, not a controls inventory (use `payments-risk-assessment`).
- The work is data-access permissioning under §1033 (use `open-banking-data-controls`).
- The work is a UDAAP themes review of fintech marketing or fee disclosure (use `consumer-compliance-fair-lending/udaap-risk-review` with the payments-fintech overlay).
How this skill is triggered — by the user, by Claude, or both

Slash command: `/payments-fintech-compliance:fintech-partner-controls [program operator type, sponsor banks, rails in scope, review trigger, source posture]`

The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
A fintech-side controls evidence pack is the artifact a sponsor bank's third-party risk function expects to see in its file at annual review, after a material change, or when an examiner asks for evidence of the bank's principal-side oversight. The work is to inventory the controls the program operator owes upstream, attach evidence per control, name the sponsor-bank reporting cadence, evidence the customer-facing duties (Reg E error resolution, Reg DD, FDIC representation), summarise the prior-12-month incident history, and read each program-agreement clause against current operating reality. The shape is a control inventory plus a memo, not a narrative. The skill stops at draft; the head of payments compliance, the BSA officer, the CCO, or the program-management lead owns sign-off, and the sponsor-bank TPRM team consumes the output separately.
Plain answers up front. Default and flag where the practitioner cannot answer.
When scope (per risk-compliance-core/scoping) is supplied, consume it (institution.type, institution.primary_regulators, sector_overlay_set, cross_cutting_overlay_set, persona.role, source_posture). Otherwise ask the questions and default to public posture if the practitioner declines. Note in the artifact that scope was not formalised.
The pack has the same spine across program-operator types. Walk it in the order the program is structured; the control inventory and the memo settle into shape together.
Program summary — a one-page summary facing the rest of the pack. Sponsor bank(s) named by role with charter type and program-agreement effective date; processors front-end / back-end / gateway; BIN sponsors per network; ledger provider; KYC / CIP vendor; fraud-decision vendor; sanctions-screening vendor; complaint-management vendor; geographic footprint by US state and corridor; customer-base size by segment; current-cycle volume and value by rail. Detail goes into the inventory rows.
Regulatory perimeter and licensing posture. Sponsor-bank charter type drives which prudential supervisor's expectations flow through the program agreement. Fintech-side licensing posture: state-by-state MTL through NMLS with status, expiration, last exam date, and Money Transmitter Modernization Act adoption status for each state in the footprint; FinCEN MSB registration where applicable under 31 CFR §1022.380; specialised licences (NYDFS BitLicense for VC activity; CA DFPI under CA Money Transmission Act and CCFPL; state-specific EWA frameworks). MSB-vs-not is configuration-specific against the FinCEN administrative-ruling library, not a categorical claim. CFPB direct-supervision posture under the December 2024 larger-participant rule for digital consumer payment applications goes here where applicable; verify the firm's designation status and the rule's current state on the analysis date.
Program-agreement control map. Each operative clause read against current operating reality. The clauses that carry weight: oversight and audit rights; change-control rights for new rail / new product / new vendor / new sponsor; termination and exit including transition-services-agreement scope; indemnification; regulatory cooperation including examiner-access and document-production duties; customer-data ownership and post-termination data-handling; sub-contractor and fourth-party flow-down; insurance; dispute / complaint routing between fintech and bank; FBO / customer-funds account architecture; deposit-insurance representation requirements; reporting cadence to the sponsor bank. Each clause: present / absent / partial; evidence of adherence; gap with severity, owner, target close date.
Reg E controls. The most-frequent examiner finding lane in this skill's territory. Allocation of §1005.6 unauthorised-transfer liability between fintech and bank under the program agreement, evidenced by the operative clause text and by the actual claims-handling chain. §1005.11 error-resolution procedures with the 10-business-day investigation window, the 45-day extended window, the 90-day window for new accounts and POS / foreign-initiated transactions, provisional-credit duties, and written notification timing — evidenced by dispute-management vendor extracts, by aging reports, by §1005.11 timing breach rate as a KRI to the sponsor bank. §1005.18 prepaid-account overlays where the product is prepaid. §1005.31 remittance-transfer-rule subpart B pre-payment / post-payment disclosure timing where the program operator is a remittance transfer provider. The dispute-intake reconciliation between fintech and bank (who receives the claim, who triages, who notifies the consumer, who issues provisional credit) is the operative test; the program agreement nearly always pushes operational ownership to the fintech.
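As an added illustration (not the skill's own code or output), the check below applies the §1005.11 clocks described above to a constructed dispute-management extract and produces the timing-breach KRI the sponsor-bank pack reports. The holiday calendar and claim records are constructed for the example; the 45- and 90-day extended windows are counted in calendar days and the 20-business-day initial window for new accounts is taken from §1005.11(c)(3)(ii), neither of which the text above spells out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed holiday calendar for the example; a real run would load the
# firm's own business-day calendar (assumption).
HOLIDAYS = {date(2024, 3, 29)}

def add_business_days(start: date, n: int) -> date:
    """Count n business days forward from start, skipping weekends and HOLIDAYS."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in HOLIDAYS:
            n -= 1
    return d

@dataclass
class Claim:
    claim_id: str
    received: date                      # date the consumer's notice of error was received
    resolved: Optional[date] = None     # investigation completion date; None = still open
    provisional_credit: Optional[date] = None
    new_account: bool = False
    pos_or_foreign: bool = False        # POS or foreign-initiated transfer

def assess(claim: Claim, as_of: date) -> dict:
    """Apply the §1005.11 clocks to one claim and list any timing findings."""
    # 10 business days to investigate; new accounts get 20 (§1005.11(c)(3)(ii)).
    initial_due = add_business_days(claim.received, 20 if claim.new_account else 10)
    # Extended window is 45 calendar days, or 90 for new accounts / POS / foreign.
    extended_days = 90 if (claim.new_account or claim.pos_or_foreign) else 45
    extended_due = claim.received + timedelta(days=extended_days)
    end = claim.resolved or as_of       # open claims are aged to the report date
    findings = []
    if end > initial_due:
        # Running past the initial window is only permitted when provisional
        # credit was posted within that window.
        if claim.provisional_credit is None or claim.provisional_credit > initial_due:
            findings.append("provisional credit not posted within initial window")
        if end > extended_due:
            findings.append(f"{extended_days}-day extended window exceeded")
    return {"claim_id": claim.claim_id, "status": "open" if claim.resolved is None else "closed",
            "initial_due": initial_due, "extended_due": extended_due,
            "days_outstanding": (end - claim.received).days, "findings": findings}

def breach_rate(claims, as_of: date):
    """KRI for the sponsor-bank pack: share of claims with at least one timing finding."""
    results = [assess(c, as_of) for c in claims]
    breached = sum(1 for r in results if r["findings"])
    return round(breached / len(results), 4), results

# Constructed dispute-management extract (not real data).
SAMPLE_CLAIMS = [
    Claim("C1", date(2024, 3, 4), resolved=date(2024, 3, 12)),
    Claim("C2", date(2024, 3, 4), resolved=date(2024, 4, 10), provisional_credit=date(2024, 3, 15)),
    Claim("C3", date(2024, 3, 4)),   # still open, no provisional credit posted
    Claim("C4", date(2024, 3, 4), resolved=date(2024, 5, 20), provisional_credit=date(2024, 3, 18), pos_or_foreign=True),
    Claim("C5", date(2024, 3, 4), resolved=date(2024, 4, 5), new_account=True),
]

if __name__ == "__main__":
    rate, rows = breach_rate(SAMPLE_CLAIMS, as_of=date(2024, 4, 30))
    print(f"§1005.11 timing breach rate: {rate:.1%}")
    for r in rows:
        print(r["claim_id"], r["status"], r["initial_due"], r["extended_due"], r["findings"])
```

The per-claim rows are the aging report; the rate is the KRI line that travels to the sponsor bank.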
NACHA controls. ODFI / RDFI obligations under the program operator's role beneath the bank's ODFI status (the operator typically operates as a Third-Party Sender or as an Originator under the bank as ODFI); Third-Party Sender registration current; Originator agreements on file; return-rate monitoring at the Originator level against current administrative, overall, and unauthorised-return-rate thresholds (paywalled — current edition; specific sections to be confirmed against the firm's licensed copy of NACHA Operating Rules); WEB Debit account-validation rule effective March 19, 2021; Same Day ACH per-transaction dollar-limit and window-cutover controls; NOC handling; settlement reconciliation evidence. Evidence is the rule-by-rule monitoring report and the breach-trigger workflow.
Card-network controls. Chargeback intake and timing windows (Visa / Mastercard, paywalled — current edition; specific sections to be confirmed against the firm's licensed copy); fraud-rate program escalation under the network monitoring program (Visa Fraud Monitoring Program / Visa Dispute Monitoring Program; Mastercard Excessive Fraud / Excessive Chargeback compliance programs — verify current program names and thresholds); BIN-sponsor coordination for issuer-level controls; Reg II §235.7 routing posture for debit cards above the small-issuer threshold; EMV liability-shift posture.
Faster-payments controls. FedNow Service Operating Procedures and RTP Operating Rules: settlement-finality irrevocability (a credit is final on receipt; recovery is request-for-return-of-funds, not chargeback); fraud-hold posture and parameter ownership; ISO 20022 message-field handling; operating-hours coverage; intraday liquidity posture. Customer-dispute pathway is the area to evidence carefully: Reg E §1005.11 applies to consumer EFTs but the rail's irrevocability shifts the operational mechanics, and a dispute pathway that defaults the customer to the ACH path on a real-time pull flow is a finding.
FBO / customer-funds account mechanics. Subledger reconciliation cadence — daily is the practitioner floor that has emerged from post-2023 sponsor-bank consent orders and from the July 2024 Joint Statement on Banks' Arrangements with Third Parties to Deliver Bank Deposit Products and Services; intraday is common in the BaaS-deposit space (cite the Joint Statement as supervisory guidance, with the underlying regulation — 12 CFR Part 330 recordkeeping and Part 328 Subpart B representation — as the binding text). Break-resolution SLA and aging. Escheatment posture by state. Deposit-insurance pass-through recordkeeping per Part 330 §330.5. Customer-facing FDIC representation review against the FDIC misrepresentation rule at 12 CFR Part 328 Subpart B (any "FDIC-insured" framing on fintech surfaces re-papered to the pass-through caveats). Post-2024 examiner findings concentrate here; this section is non-negotiable.
BSA / AML / sanctions controls. CIP under 31 CFR §1022.220 where the program operator owes the obligation; ongoing monitoring scenario library; SAR-filing chain (whether the fintech files directly under 31 CFR §1022.320 as an MSB, files through the sponsor bank, or both — capture as fact, not as legal conclusion); sanctions-screening cadence and OFAC posture under 31 CFR Part 501; Travel Rule under 31 CFR §1010.410(f) at the current threshold; reliance on sponsor bank vs. fintech-direct posture. Evidence is the program documentation, the monitoring-vendor coverage map, the SAR aging report, and the screening false-positive resolution report.
Customer-protection controls. Reg DD periodic-statement disclosure, fee-schedule disclosure, APY disclosure where the fintech surface presents a deposit-like product; account-closure and account-hold procedures with notice-timing and customer-recourse channel (the most-frequent fintech UDAAP theme per CFPB Supervisory Highlights); complaint intake and routing to the sponsor bank within program-agreement timing; complaint-data triangulation against CFPB Consumer Complaint Database; fee-disclosure-vs-actual reconciliation; FDIC misrepresentation review.
Cyber and resilience controls. Sponsor-bank cyber-notification chain and the operator's contractual notification clock (often tighter than 24 hours, timed against the sponsor bank's 36-hour prudential clock under the Computer-Security Incident Notification Rule effective May 1, 2022); BCP / DR coverage and tabletop cadence; third-party / fourth-party register; vendor-stack SOC 2 currency. NYDFS Part 500 §500.17(a) 72-hour clock where the operator is a Covered Entity. Detail in references/cross-cutting/cyber.md.
Subcontractor and fourth-party register. Each material vendor — processor, KYC vendor, fraud-decision vendor, sanctions-screening vendor, ledger provider, dispute-management vendor — with function, criticality, evidence-of-oversight artifact (most-recent SOC 2 with audit period, last-tested control gaps, contract clause coverage). The Interagency Guidance on Third-Party Relationships (June 6, 2023) treats these as fourth parties to the sponsor bank's relationship with the fintech; the bank's TPRM expects to see them.
Sponsor-bank reporting cadence. Each load-bearing report named with definition, source system, threshold, owner role, cadence, recipient (sponsor-bank operating committee, sponsor-bank TPRM, sponsor-bank BSA officer, sponsor-bank consumer-compliance officer), and evidence of last delivery. Reg E §1005.11 timing data is the load-bearing report; NACHA return-rate monitoring is next; FBO subledger reconciliation report sits beside both.
12-month incident-history summary. Each material incident with detection date, root cause, customer impact (population, dollar), sponsor-bank notification time against the contractual clock, regulatory-notification posture (state breach laws, NYDFS, FFIEC, CFPB exam-bridge if applicable), remediation status, and read-across (which control families need attention). Cross-link to payment-operations-incident-review for the per-incident workflow.
Self-evidence index. A single index, control reference by control reference, naming the artifact, the artifact owner, the location (system of record, vendor portal, document repository), the last-refreshed date, and a freshness flag (current / aging / stale / not-on-file). The sponsor-bank TPRM team consumes this index; it is the bridge between the inventory and the evidence.
Gaps and recommended remediation. Each gap: description, source citation by file path into references/source-anchors.md, severity, owner role, target close date. The portfolio is the bridge from evidence pack to work plan; it does not approve or decide. Recommended disposition (ready-for-sponsor-bank-review, ready-with-conditions, remediate-then-re-review, not-ready) — a draft recommendation. The named approver decides.
Cite a source for every material claim by file path into references/source-anchors.md (or a loaded overlay); mark unsupported claims [evidence needed]. Separate source evidence from management assertion, public-source obligation, generated inference, and open legal question — the artifact shows the seams. The skill stops at draft; the named approver signs off. No fabricated regulatory facts, owners, dates, thresholds, or evidence. Named institutions appear in narrative only when they are public defendants in a finalised enforcement action with a published consent order. The §1033 status note repeats wherever §1033 obligations are touched (the rule was finalised October 22, 2024 — verify the firm's tier and the docket status on each engagement). MSB-vs-not is configuration-specific against the FinCEN administrative-ruling library, not a categorical claim. The 2023 RFI on bank-fintech arrangements is not the binding statement; cite the July 2024 joint statement. NACHA and card-network rule citations carry the disclaimer "current edition; specific sections to be confirmed against the firm's licensed copy."
Depth and length flex to the trigger and the audience. A sponsor-bank annual review reads longer than a sponsor-questionnaire response; a state-MTL exam pack leads with the state geography row and the MTL / NMLS posture; a new-rail delta pack focuses on the affected rail, the affected program-agreement clauses, and the customer-dispute-pathway change. Sector overlay loading is fixed (this skill is the payments-fintech sector flagship; the overlay is references/sector-overlays/payments-fintech.md). Cross-cutting overlay loading: cyber and conduct are default-on for any consumer-facing program on payment rails; privacy is default-on where customer NPI flows for fraud or AML monitoring beyond baseline.
- references/source-anchors.md — citations and excerpts for the named anchors.
- references/sector-overlays/payments-fintech.md — the payments-fintech sector flavour, required-on for every engagement (rail-by-rail control families, sponsor-bank construct, FBO mechanics, the §1033 status note, the MSB-vs-not discipline).
- references/cross-cutting/cyber.md — sponsor-bank cyber-notification chain, GLBA Safeguards passed through the program agreement, FFIEC IT booklets used by sponsor-bank examiners.
- references/cross-cutting/privacy.md — sponsor-bank GLBA posture on customer data, state privacy laws, §1033 implications.
- references/firm-overlay.md — firm-installed policy, taxonomy, decision forums and sign-off owners, control-family thresholds beyond the regulatory baseline; consumed when present.
- templates/default-output.md — content spec for the memo and inventory.
- schemas/fintech-partner-controls.schema.json — structured-output contract; the controls-evidence record consumed by the sponsor-bank TPRM system and by downstream skills (payment-operations-incident-review reads the control inventory when an incident lands; payments-risk-assessment reads the program-agreement control map; concentration-risk-review reads the subcontractor register).
- examples/ — BaaS program operator preparing for an annual sponsor-bank review post-2024 deposit-arrangement guidance; mid-stage neobank adding FedNow-funded instant payouts under an existing sponsor-bank ACH agreement.
- TROUBLESHOOTING.md — recurring pitfalls.

Default to drafting against templates/default-output.md. Render as Word, Excel, PowerPoint, or Markdown when the audience or workflow asks for it; the typical pair is a Word memo via the docx skill plus an Excel control inventory via the xlsx skill (both in the document-skills plugin). Produce the structured record at schemas/fintech-partner-controls.schema.json when downstream automation or a registered consumer needs it.
The sponsor-bank TPRM team consumes the workbook against its own intake template; the memo travels with the workbook as the second-line cover and the disposition recommendation. The schema is the cross-skill contract; additive changes only.
`npx claudepluginhub anotb/second-line-financial-services --plugin payments-fintech-compliance`