As payment partnerships proliferate, here’s how bank risks are changing

• Key insights: Banks partner with fintechs for a host of services, including processing payments, buy now/pay later, international payments, virtual accounts, stablecoins and other crypto services. 
• What’s at stake: These connections have strengthened over time, but the need to control risk has grown as well. 
• Forward look: Regulators are pressuring banks to improve operational resilience, third-party risk, data governance and AI transparency.

Many banks are battening down the hatches on fintech partnerships to mitigate risk more effectively. 
And with good reason, given that 80% of sponsor banks find meeting compliance requirements challenging, and 39% lost at least $250,000 due to compliance violations, according to a 2024 report by Alloy, an identity and fraud prevention platform.

Processing Content

Banks partner with fintechs for a host of services, including processing payments, buy now/pay later, international payments, virtual accounts, stablecoins and other crypto services. These connections have strengthened over time, but the need to control risk has grown as well. 

Banks that aren’t careful about policing their fintech partnerships can create “systemic risks,” Brian Shniderman, Accenture’s North American Payments lead, told American Banker. “Fintechs can destroy or nearly destroy a bank,” he added.

Here are five considerations for banks as they continue to navigate partnerships with payment fintechs: 

Regulators have upped their expectations

Regulators are most concerned about operational resilience, third-party risk, data governance, and AI transparency, according to Andy Schmidt, vice president and global industry lead for banking at CGI, an IT and business consulting firm. “Regulators expect banks to maintain full control and accountability across increasingly complex fintech ecosystems, ensure real-time systems remain stable under stress, and guarantee that data is protected and AI-driven decisions are explainable, auditable, and compliant,” he wrote in an email. “Ultimately, regulators are not just assessing individual technologies, but the bank’s ability to manage risk holistically across a fragmented, real-time, and ever-expanding interdependent ecosystem.” 

Rules and regulations are changing rapidly, especially as artificial intelligence proliferates. As such, banks need to be more selective about their fintech partners and double down on efforts to ensure the bank is protected, Linda Lerner, partner at law firm Halloran Farkas + Kittila, told American Banker. “Regulatory and compliance is not the place to try to save money.”

Take a deeper dive into a partner or potential partner’s business model

A careful look under the hood is especially important as federal agencies, including the FDIC, OCC and Federal Reserve, have boosted oversight of fintech partnerships. This means banks need to have a clear understanding of who owns customer data and where it’s held, how users are onboarded and screened, fraud controls, the risk to the wider financial ecosystem, identity controls, and money-transfer risks, if applicable, Ed Metzger, vice president of payments efficiency and platforms at LexisNexis Risk Solutions, told American Banker.

Banks also need to understand a fintech’s anti-money-laundering-related policies, business continuity plans, and cybersecurity policies and procedures, Lerner said. Good vendors will have a prepared description of the steps they take to safeguard the information they obtain, Lerner told American Banker. This can include physical security of their building and ensuring they have a hot site and a warm site for disaster recovery purposes. If a tornado rips through Virginia, a bank needs to know the fintech has a site in Oregon that’s immediately available, she said. It’s also important to ask how many intrusion events a fintech has had. “If they say none, you can’t believe them,” Lerner said. 

Many banks now insist on more oversight of a fintech’s vendor relationships, whether that’s their cloud provider, the company offering know-your-customer solutions, the fraud prevention contractor, or the fintech’s AI model providers, Steve Schult, chief product officer at InvoiceCloud, a digital billing and payment platform, told American Banker. A bank may be comfortable approving a particular AI model, for example, but if the vendor moves from OpenAI to Anthropic or vice versa, the bank will want to approve that, Schult said. 

Banks are asking that vendor names be written into contracts, and they’re requiring notice of a change and the option to agree or break the contract. Banks “want to be able to approve material changes,” Schult said.

Shift to ongoing assessments

Many banks review fintech partnerships annually. However, CGI’s Schmidt said banks should move from periodic assessments to continuous, risk-based oversight of fintech partners. “This means strengthening real-time monitoring, clear accountability frameworks, and end-to-end visibility across the ecosystem, while ensuring robust data governance and auditability — especially for AI-driven capabilities,” he wrote. “Banks should also actively manage concentration risk by diversifying partners and maintaining credible exit strategies.”

Watch for warning signs of a risky fintech relationship

Banks should watch for nonobvious red flags such as weak back-end integration behind strong UX, “fake” real-time capabilities, opaque data models, hidden concentration risk, limited scalability, and AI systems lacking transparency, Schmidt noted. Data protection and cybersecurity are other warning signs. How does the fintech authenticate? Does it encrypt data in transit and at rest? Who has access to client data? When was their last network penetration test, and what were the findings? And if the fintech is offering an app, when was their last application penetration test, and what were the findings?

“The issue that banks often encounter is that fintechs may prioritize functionality over security to get to market more quickly in an environment where the bank’s only asset is trust,” Schmidt wrote.

Smaller banks need to rely more heavily on core providers

Community banks can still get access to fintech payments products such as digital asset solutions, including stablecoin, and instant payment overlay services — value-added applications to enhance customer experience — but they should work with their core providers to vet potential partners, Accenture’s Shniderman told American Banker. For smaller banks, “I think it’s very risky to go down the path of partnering with fintechs directly. I think they need an intermediary behind them.”