Bank due diligence, also known as bank underwriting, refers to the process commercial banks use to assess the risk of partnering with a company that provides financial products or services.
During this process, companies need to demonstrate to banks that:
- They are a viable business with revenue potential (usually measured via payment processing fees or net interest income)
- They are not exposing the bank to outsized risk.
The bank due diligence process starts with the company gathering materials that represent its operations to the bank, and in particular, describe the company’s ownership structure, business model, and compliance program.
As we’ve discussed previously in the Journal, there are numerous long-term benefits to sitting in the flow of funds by partnering directly with a bank: more control, visibility, and faster payment processing times. Leveraging these benefits requires successfully completing the bank due diligence process, which may require an upfront investment, especially if this is your first time partnering with a bank.
This six-part checklist outlines some of the questions you are likely to encounter during the bank due diligence process. While by no means exhaustive, our hope is that it helps you better prepare for the underwriting conversation with your partner bank.
1. Business Information
You will need to share materials that allow bankers to fully understand your business. These include: basic company information, your company’s financials, your flow of funds, and your product features.
- What is your business? Your company website?
- Who is your company’s leadership (i.e., an org chart)?
- Have you raised funding?
- What products do you offer?
- What is your flow of funds model?
- Do you serve consumers, businesses, or both?
- What is your core financial product?
- What is your core revenue model?
  - Interchange Fees
  - Interest Fees
  - Transaction Fees
  - Software Fees
- What are your business economics (i.e., customer acquisition costs, margin profile)?
- What are your business projections?
- How much cash is on your balance sheet?
- What is your burn rate?
- What are your liabilities?
- Do you have audited financial statements?
- What are your historical ACH return rates?
2. Legal Information
Incorporation and Ownership
You will need to provide copies of your formation documents (e.g., articles of incorporation and operating agreements) and details for all beneficial owners (typically persons that own more than 25% of the company).
You will also need to provide copies of all existing insurance policies owned by your business, such as general liability, professional liability, directors’ and officers’ liability, and cyber insurance.
You will need to show the bank that you hold the licenses and registrations required for your business (e.g., FinCEN registration, money transmission licenses, and state-specific licensing).
You will need to inform the bank of any pending, threatened, or ongoing investigations or litigation against your company since its founding. You will also need a process for handling Section 314(a) and 314(b) requests.
Some banks may also require you to provide contact details of your legal team, whether in-house or outside counsel.
3. Compliance Program
A compliance program is a set of rules, protocols, and procedures an organization puts in place to comply with government regulations on money movement, such as the Bank Secrecy Act and the Anti-Money Laundering Act of 2020. For bank due diligence, you will need to have a compliance program in place that consists of the requirements listed below.
- A named Chief Compliance Officer (CCO) responsible for overseeing the AML framework
- Background information for this individual
- The reporting structure for the role
- The responsibilities of the role
Onboarding Processes for Customers
Banks will want to know your processes for onboarding users to your application. They will also want to see a representation of the user interface (UI) and user experience (UX).
Customer Identification and Due Diligence Programs
You will need to share your Customer Identification Program (CIP), which is designed to:
- Verify the identity of a user opening an account
- Maintain records of the information used to verify a user
- Determine if the user appears on any known or suspected terrorist or sanctions lists
You will need to provide evidence of a Customer Due Diligence (CDD) program. This program demonstrates that you understand the nature and purpose of your user relationships. In particular, it affirms that you understand your users’ businesses and professional activities, the sources of their income or assets, and how they plan to use your product and services. You should also be prepared to demonstrate an enhanced diligence process for users that are considered “high risk” as part of bank due diligence.
You will need to show banks a process for monitoring transactions to identify unusual or suspicious activity. This involves risk-based processes that evaluate individual transactions and transaction patterns to classify them as high, medium, or low risk with clear procedures for handling each category.
Suspicious Activity Reporting
In some cases, you will need to demonstrate a program for monitoring suspicious activity and filing Suspicious Activity Reports (SARs) to help identify criminal activity. In many cases, this includes documentation such as:
- Triggers for SAR filing
- Records of SAR decisioning
- Procedures for terminating customers/users according to SAR filings
- Data on the number of transactions monitored and SARs filed
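As an added illustration (not part of the original article, and not Modern Treasury's software), a minimal rule-based monitor showing how the risk tiering described under transaction monitoring and the SAR decisioning records listed above fit together; the thresholds, the counterparty limit, the handling actions and the sample transactions are all constructed for this example:

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed thresholds for illustration; a real program sets them from its own risk assessment.
HIGH_AMOUNT = 10_000.00        # single-transaction amount that raises risk
SAME_COUNTERPARTY_LIMIT = 5    # transfers to one counterparty that count as a pattern
# Each risk tier maps to a documented handling procedure (names constructed here).
ACTIONS = {"low": "auto-clear", "medium": "analyst-review", "high": "escalate-sar-decision"}

@dataclass
class Txn:
    id: str
    user: str
    counterparty: str
    amount: float
    returned: bool = False     # True if the ACH item was returned
def score_transaction(txn, prior_txns):
    # Tier one transaction as low/medium/high given the same user's earlier transactions.
    reasons = []
    if txn.amount >= HIGH_AMOUNT:
        reasons.append("amount at or above high-value threshold")
    same_cp = sum(1 for t in prior_txns if t.counterparty == txn.counterparty)
    if same_cp + 1 >= SAME_COUNTERPARTY_LIMIT:
        reasons.append("repeated transfers to the same counterparty")
    tier = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return tier, reasons

def run_monitoring(txns):
    # Process transactions in order; keep a decisioning record per transaction plus program stats.
    history, decisions = defaultdict(list), []
    for t in txns:
        tier, reasons = score_transaction(t, history[t.user])
        decisions.append({"txn": t.id, "user": t.user, "tier": tier, "action": ACTIONS[tier], "reasons": reasons})
        history[t.user].append(t)
    returned = sum(1 for t in txns if t.returned)
    stats = {"monitored": len(txns), "escalated": sum(1 for d in decisions if d["tier"] == "high"),
             "ach_return_rate": returned / len(txns) if txns else 0.0}
    return decisions, stats

# Constructed sample activity: bob's fifth, high-value transfer to one counterparty trips two rules.
SAMPLE = [
    Txn("t1", "alice", "acme", 250.00),
    Txn("t2", "alice", "acme", 12_000.00),
    Txn("t3", "bob", "vendor-b", 3_000.00),
    Txn("t4", "bob", "vendor-b", 3_000.00),
    Txn("t5", "bob", "vendor-b", 3_000.00),
    Txn("t6", "bob", "vendor-b", 3_000.00),
    Txn("t7", "bob", "vendor-b", 15_000.00, returned=True),
    Txn("t8", "carol", "utility", 120.00, returned=True),
]
```

The `decisions` list is the kind of per-transaction record a bank asks for under "Records of SAR decisioning", and `stats` supplies the monitored-transaction count and ACH return rate requested elsewhere in the checklist.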
4. Training and Oversight
You will need to confirm to the bank that you have a security and compliance training program for your employees according to their role and privileges.
Vendor and Partner Management
You will need to show banks a documented program outlining your relationships with vendors during bank due diligence. This should include:
- List of vendors and partners
- Diligence and onboarding processes
- Contractual obligations and termination processes
- Ongoing oversight procedures
All compliance policies should be reviewed and approved by the board and senior committee.
You will need to conduct independent testing of your compliance program every 12 to 18 months, via an internal audit function or an independent third party, to confirm that you are meeting your BSA/AML obligations.
For bank due diligence, you will need to outline your record-keeping process (e.g. for transactions and SARs), and affirm that this process complies with relevant laws.
5. Data Privacy
Banks will want to see documentation for your data privacy programs. In particular, you should have policies that:
- Maintain a source of truth for consumer information
- Log access to all consumer information
- Encrypt consumer information in transit
- Scan for vulnerabilities and patch vulnerable systems
- Enforce least privilege access to consumer information
- Train employees on secure handling of consumer information
- Respond to bank requests for information about your security program
- Report data breaches of consumer information to the bank
In some cases, depending upon your use case, banks will also ask that you provide materials on your marketing organization and marketing plans. Banks will want to ensure that your marketing materials comply with federal and state requirements.
Find a Bank Partner with Modern Treasury
Modern Treasury currently has integrations with more than 30 commercial banks globally, with new banks joining our network every month. In addition to managing the technical complexity of integrating with different banks and payment methods, we also help companies building embedded financial products find the best bank partner for their use case and make it easy to integrate compliance software and payments workflows with our Compliance product. With Modern Treasury, bank due diligence is more streamlined and transparent than before.
To learn more about our platform and how we help with finding a bank partner, reach out today.