Once just considered computer technology in the back offices of banks and trading firms, financial technology (fintech) can also now describe any company that uses technology to automate financial services and processes. When consumers apply for a loan online or transfer money or deposit a check via a banking app on their smartphone, they are benefitting from the evolution of fintech. The COVID-19 crisis has only pushed this trend further, as customers are expected to increase their use of digital channels even beyond the crisis, according to a May 2020 McKinsey Financial Decision Maker Pulse survey.
One of the earliest uses of fintech was in lending practices, which includes startups and banks that offered loans directly to businesses or individuals through digital-only, mobile-first channels. And while these products and services represented significant innovations, fintech also has brought considerable changes to the credit risk management process.
For internal auditors working in the fintech lending sector, it’s important to understand the challenges around credit risk and how internal audit functions can best respond so that they can stay relevant in a dynamic business environment.
Data Risk: Reliability and Continuity
Data is the lifeblood of credit risk management in fintech lending, so its quality and continuity are business-critical. Lenders rely on data extensively for decisions on assessing fraud risk, creditworthiness, and repayment willingness.
Fintech lenders can collect data directly from customer inputs or by sourcing from third parties, such as banks, social media, and online shopping sites, with the customer's consent. Though it's not always possible, it is best to diversify data sources. One downside of depending on a single data source owner is that the owner can unexpectedly downgrade the service-level agreement, which can lead to lost lending opportunities because credit decisions are made without the best available information. In addition, loans facilitated by fintech tend to be in smaller amounts but with higher frequency, putting data processing pressure on partnering banks to issue loans out of their legacy core systems.
Audit Response: Internal audit should review agreements with the data-source owners and operators to ensure that alternative data providers exist or that transition arrangements have been made to address when a data source is discontinued. Additionally, auditors should review data quality metrics and ensure that exception-handling protocols have been defined for all major data sources. Auditors should determine how these metrics are implemented and if significant nuances of each data source have been examined.
Fraud Risk: The Ever-evolving Battle
Criminals are able to take advantage of people's personal information, accessible via the web due to data breaches, and use that information to exploit the accessibility and convenience of fintech lending, causing more losses early in the credit risk cycle. Fintech lenders can resort to big data and artificial intelligence (AI)-driven solutions to minimize losses in an ever-evolving battle against digital fraudsters. Staying vigilant and swiftly uncovering and fixing any vulnerabilities is pivotal to remaining viable.
Audit Response: Internal audit should review internal and external customer complaint records to look for potential cases where customers may have suffered an attack via identity theft or unauthorized transactions. To ensure the organization’s incident triage process is effective, timely, and complete, auditors should trace such cases to historic records within the in-house anti-fraud team and perform post-action reviews to ensure incident-response procedures are followed.
Platform Risk: The Extended Enterprise
Digital-only fintech lenders usually embed themselves into an online platform, extending their lending in conjunction with other services to support a one-stop customer experience, such as offering installment loans during online shopping checkout (buy now, pay later). This brings massive economies of scale to loan origination, but also unparalleled exposure to platform risk. For example, the platform itself may operate under different incentives than the fintech lender and may push for customer actions that are undesirable from a risk perspective. Customers may say they were misled or lured into opting in to “buy now, pay later” for purchases they cannot afford and may dispute repayment later in the collection process. Technology constraints or user experience considerations also pose a risk: they can prevent due diligence from being performed because the third-party platform does not collect all the required data.
Audit Response: Internal audit should first identify differences in inputs and algorithms for credit decision-making from different originations and investigate the justification for such differences to verify against subsequent loan performance. Next, auditors should review the contractual agreements with platform owners or operators to assess whether any risk-mitigating arrangements, such as loss sharing, exist should credit losses deteriorate from the individual sourcing platforms. Practitioners should determine whether platform risk is included as part of the broader risk monitoring program, what metrics are being measured, and how exceptions will be handled.
Credit Risk Monitoring: The Old Game With New Dynamics
Risk monitoring is integral to any lending activity. In the context of fintech, however, two major challenges emerge. The first is the limitations around purely digital processes. Established banks and fintech lenders both rely on multiple sources to determine the likelihood of a borrower paying back a loan. They may pull data on a potential customer’s utility, rent, or auto payments and may even look at spending behaviors or social media patterns. However, bank branches also have the benefit of developing relationships and connections with local customers. This is not an option for digital-only fintech lenders. Formulating and deciding quickly on loan applications matters more than deriving risk insights from the different data sources. The second challenge is around model risks. Credit risk decisions are mostly automated by models and algorithms that can have an ongoing ripple effect on credit risk, so fintech lenders have to closely monitor the performance metrics of risk models.
Audit Response: Internal audit should review the models and algorithms used for risk monitoring to understand their design, how alerts or red flags are implemented, and what follow-up strategy is defined for each red flag. Then, auditors should assess model risk metrics to determine their completeness and relevance throughout the credit life cycle, especially their predictive power and consistency. Next, internal audit should determine how model performance deviation is identified, further resolved, and integrated into the overall risk monitoring program. To ensure that alerts have been appropriately triggered and followed by due course of action, and any lessons learned are identified, auditors should trace nonperforming loans to historic risk monitoring results and risk treatment activities. Then, internal audit should review whether the performance of risk monitoring strategies, metrics, and data sources themselves is also being continuously monitored and reviewed to accommodate risk dynamics. Finally, internal audit should inspect how privacy-related agreements with customers are adhered to when further customer-facing actions are warranted from risk monitoring.
Compliance Risks: Innovation in a Legacy World
The regulatory landscape is evolving with the growth of fintech lending, but it is not always in sync. In fact, desynchronization is the root of many compliance issues facing fintech lenders. On one hand, regulation is based on past decades of banking experience and multiple financial innovation failures turning into chaos. Fintech lenders running on innovative business models might seem vulnerable from a regulatory perspective, not to mention the resistance from established banks seeking to safeguard their interests, which are aligned with existing regulation. On the other hand, fintech lenders should not fear regulation. Fintech lending or fintech at large can be nurtured for financial inclusion, but it also can be abused because of greed. For example, peer-to-peer (P2P) lending enabled by digital platforms once boomed in China amid little or no regulation, but as these platforms unduly issued loans from individual investors’ money instead of from their own pockets, large-scale defaults emerged, resulting in a near collapse of the entire P2P lending sector.
Audit Response: Given the regulatory uncertainty, internal audit should look beyond just compliance with black-and-white rules, and give additional attention to two things. The first is whether mutual trust and understanding has been established between regulators and management of the fintech firms. This can be assessed by reading through the communication records with regulators for a new product or business model launch. Auditors should ascertain that a proactive approach has been taken by management should concerns arise and that mitigating controls are in place before proceeding with new business. The second is whether a culture of compliance has been fostered within the organization from the bottom up. Auditors can assess this by examining how the product and compliance teams collaborate during different product cycles. They should focus on the level of respect for compliance on the ground within the product teams and the level of integration as they go about day-to-day activities.
Keeping Up With Disruption
Imperatives for credit risk management have evolved in the fintech era, as has internal audit’s role in the Three Lines Model. This mandates internal auditors to take on a more holistic approach toward fintech and credit risk management to assess risks arising in this new business ecosystem.