Fintech and Banks - Improving a Complicated Relationship with Third Party Assurance

September 2016

Over the past few years, there has been a significant investment made in Fintech, supporting the digital transformation revolution in the financial services sector. Big banks are taking firm steps and engaging with Fintech organizations in order to maintain their competitive edge.

Large financial institutions are now engaging with smaller private companies and external technology organizations that have basic management structures and immature control environments. This creates major opportunities for the large financial institutions, but not without significant challenges and risks. As Fintech companies become a virtual extension of the bank's control environment, steps must be taken to mitigate the resulting risk.

Fintechs are small, nimble and customer-preference-friendly. They are built from the ground up with core technology and processes designed to exceed client preferences and deliver enhanced client experiences. Given the nature of the supplier/client relationship, Fintech companies often interact with the big banks’ business and IT processes, giving them access to critical financial, operational and client data. Fintechs are also delivering unique client experiences by enabling online investment advice with robo-advisors and online borrowing capabilities including mortgages.

With the rising reliance on Fintech relationships comes an increase in operational and financial risk, which has prompted the large institutions to hold their service and application providers to a high standard of control and IT governance.

Within Third Party Assurance, there are a number of reports that help in effectively determining the risk involved in a relationship. Service Auditor’s Reports, also known as Service Organization Control (SOC) Reports, are designed to provide information and assurance on the controls within third party providers and service organizations, such as Fintechs, data centres, fund administrators, back office operations, and application service providers. As more challenges and risks arise in the current marketplace, obtaining a SOC Report can help service organizations:

  • Meet client expectations and contractual commitments
  • Distinguish themselves from their competitors by taking a proactive approach to controls, thereby providing a competitive advantage
  • Lower inherent risks by identifying and addressing potential weaknesses in their systems

The value of a Service Organization Control (SOC) Report

SOC reports are used by Fintech companies, service organizations and their clients or their clients’ auditors to understand and obtain assurance that the internal controls placed in operation are designed effectively and operating as intended.

The SOC report helps clients, prospects, stakeholders and other interested parties understand and gain confidence in the internal control environment of the Fintech organization.

The SOC Report can offer many benefits:

  • Minimizes the need to deal with the clients’ respective auditors, which can be very intrusive and time-consuming when multiple auditors are involved.
  • Helps reduce client audit fees by minimizing the effort required by external auditors to audit the service organization controls (the cost of the process is normally passed to the client through service charges).
  • Helps demonstrate that there are processes and procedures in place to ensure that the outsourced services are managed properly. This can be a key factor in obtaining new business; most requests for proposal require a third party assurance report from the service organization.
  • Identifies efficiency issues as well as duplicate controls in an effective and proactive way.

Which report is right for you?

These types of reports can be divided into two basic groups:

  1. Reports focused on systems involved in the processing of financial transactions
  2. Reports focused on information security, availability, integrity, privacy, and confidentiality

Reports to satisfy financial requirements

The CSAE 3416 and SSAE 16 SOC 1 Reports focus on the controls involved in the processing of financial transactions by a service organization. They are conducted in accordance with the standards of CPA Canada and/or the American Institute of Certified Public Accountants (AICPA), respectively. Both of these reporting standards satisfy the international ISAE 3402 requirements, with minor country-specific modifications. In developing these new standards, stakeholders expressed a strong preference for reporting consistency with the U.S., in order to maintain a consistent North American approach.

[Chart: Service Auditor Report]

Reports to satisfy requirements other than financial

Organizations that outsource the processing or custody of their information are looking for assurance that it will remain confidential, available in line with their agreements, and secure against unauthorized access. The AICPA SSAE 16 SOC 2 and SOC 3 reporting standards have been developed to give organizations that outsource the collection, storage, or transmission of information a mechanism to assess the oversight and governance at the service organization. This is particularly important when the physical location is impractical to inspect because of its geography, or when the service is located in “the cloud.”

The SOC 2 and SOC 3 reports are not limited to financial systems, but rather based on five key principles:

  • Security of information
  • Availability of information/systems
  • Processing integrity
  • Confidentiality
  • Privacy

The SOC 2 and SOC 3 reports also give service organizations a way to differentiate themselves and demonstrate to current and prospective clients, through an in-depth audit, that they have adequate controls and safeguards related to hosting or processing information. The Trust Service Principles are used to conduct such audits; providers may select the principles that meet their reporting objectives and the nature of their business. For each principle, there are pre-defined underlying criteria (the controls that support the specific principle), allowing for standardized reporting. These trust service principles and criteria are further sub-divided into four broad areas: policies, communications, procedures, and monitoring.

How to select your audit partner?

You want an audit partner that can work closely with you and tailor their approach to meet your unique needs and business requirements. It is critical to develop a solution that fits the organization’s resources and needs, which includes leveraging existing templates and expertise to accelerate the process, identifying potential issues at the planning stage, and understanding the expectations of the end users.

Banks and Fintech companies must determine how best to optimize their relationship given their differing ecosystems. As banks continue to partner with Fintech companies for immediate access to innovative solutions, Fintech companies will continue to gain market share. By obtaining the appropriate Third Party Assurance report, Fintech companies can simplify working relationships, exceed client expectations, meet contractual commitments and increase their access to a significant market.

Contact us today for a preliminary assessment of your business requirements in determining which Service Organization Control Report is right for you.

Other articles in this series:
February 2016 – The Certification Process
March 2016 – Irreconcilable Differences
May 2016 – Organizational Transformation in Client-Centric Environments
To learn more, contact your local BDO office or:

About BDO
One of the nation’s leading accounting firms, BDO Canada provides assurance, accounting, tax, and advisory services. As a member of the BDO international network, which spans more than 150 countries and 1,400 offices, BDO provides seamless and consistent cross-border services to clients with international needs.

About BDO’s Financial Services Practice
BDO’s Financial Services Practice helps clients in the financial services sector succeed in a changing landscape marked by regulatory reform, disruptive technology, and new service delivery channels. Our services, ranging from governance, risk and compliance to business process reviews and more, are tailored to meet the unique needs of financial services organizations.

Sam Khoury
National Industry Leader, Financial Services
416 369 6030
[email protected]
Gerry O’Mahoney
Strategic Advisor, Financial Services
416 369 6065
[email protected]