In the bank-fintech partnership model, there is a persistent governance gap that shows up in nearly every examination: both sides assume the other is handling model oversight.
The bank says, “The fintech built the model, they test it, they confirmed everything is fine.” The fintech says, “The bank approved our standards, so we’re good.” Neither position is defensible.
In my advisory work reviewing approximately 50 fintechs, the pattern has been consistent: you cannot delegate your compliance responsibilities to your partner. Both sides own governance. Both sides must test independently. The interagency guidance on third-party relationships makes this explicit: banks remain responsible for activities conducted through third parties to the same extent as if the activity were performed by the bank itself.
The delegation trap
The most common failure pattern works like this:
- A fintech builds a proprietary model for underwriting, fraud detection, or credit decisioning
- The bank sponsor conducts initial due diligence and approves the relationship
- The fintech provides periodic reporting that says, in effect, “everything looks good”
- The bank accepts this reporting as sufficient evidence of oversight
- An examiner asks the bank to demonstrate independent testing, and the bank cannot
As a bank sponsor, you cannot claim to be covered because the fintech does all of the testing and reported no issues. You cannot delegate that. You are responsible for testing it yourself. The interagency guidance emphasizes that oversight is not a one-time approval exercise. It extends through planning, due diligence, contract negotiation, ongoing monitoring, and termination.
This applies in both directions. The fintech cannot rely on bank approval as a substitute for its own governance program. It cannot claim that, because the bank cleared it, it has nothing to worry about. The fintech remains responsible for its own testing and compliance. And where the fintech’s model affects credit decisions, the use of complex algorithms does not relieve creditors of the obligation to provide specific and accurate reasons for adverse action.
Different partners, different risk profiles
The governance gap becomes even more pronounced when a fintech works with multiple bank sponsors, which is common.
Consider a lending fintech that originates loans across a range of APRs. One bank sponsor may take on the lower-risk portion of the portfolio (25% APR and under). Another bank sponsor may take on everything above that threshold.
Each bank sponsor now has a fundamentally different risk profile from the same fintech partner:
- The risk characteristics of their respective portfolios differ
- The fair lending exposure differs
- The testing parameters and monitoring thresholds should differ
- The compliance reporting they need from the fintech differs
The fintech tends to view its entire portfolio across all of its lenders as a single whole. But one bank’s share involves riskier applicants, and that bank’s testing will look different. There is no blanket or umbrella testing that covers everyone. Each partner must conduct testing that reflects its own risk appetite and portfolio characteristics. The interagency guidance says the same thing: third-party risk management should be tailored to the banking organization’s size, complexity, and risk profile, as well as to the nature of the third-party relationship.
The IP and audit tension
One of the biggest friction points in bank-fintech governance is intellectual property. Fintechs invest heavily in building proprietary models and understandably want to protect their competitive advantage. Banks need enough visibility to satisfy their regulatory obligations.
This is fundamentally a contracting problem. Fintechs need to protect their IP through strong agreements that still give bank partners the visibility regulators require. Without that visibility, the regulator examining the bank will hold the bank accountable. The market has already moved past the idea that “proprietary” means “not reviewable.” Federal Reserve Vice Chair for Supervision Michael Barr addressed this directly in 2025, noting that banks need to understand the tools offered by fintech partners for their own risk management, even where fintechs want to protect the details of their proprietary methods.
The consequences of getting this wrong are severe. If the bank cannot demonstrate visibility into the model’s construction, data inputs, and decisioning logic, the result can range from corrective action to consent orders.
As Amber de Volk put it during our recent webinar, “Gone is the day where you could say it’s proprietary in nature, you don’t get to look at it. I think a sign of a mature organization is embracing the requirements, knowing that if you’re going to work with a regulated entity, they’re subject to this oversight.”
Here are some approaches that work in practice:
- Controlled on-site reviews where designated bank personnel review model variables and logic in person, without taking copies
- Contractual agreements that define exactly what documentation the bank can access, who can access it, and under what conditions
- More frequent output monitoring as a supplement when full model transparency is constrained by IP protections
- Independent validation of partner models conducted by qualified third parties with appropriate access
What each side needs to own
For bank sponsors
- Independent testing: Conduct your own testing on the portfolio the fintech originates for you. Do not accept fintech-provided testing as a substitute.
- Risk-specific monitoring: Define monitoring thresholds and testing parameters that reflect your risk appetite and portfolio characteristics, not the fintech’s aggregate portfolio.
- Contractual governance: Build governance requirements into your agreements. Define documentation access, validation rights, change notification protocols, and retraining disclosure requirements.
- Board-ready reporting: Ensure your model governance reporting to the board includes third-party model risk as a standing item with independent validation results.
For fintechs
- Governance infrastructure: Build model governance processes that meet the expectations of your most demanding bank sponsor. This is the floor, not the ceiling.
- Transparent documentation: Document model development, training data, feature selection, change management, and validation results in a format that bank partners can review.
- Proactive communication: Notify bank partners when material model changes occur. Do not wait for the next due diligence cycle.
- Separate compliance obligations: Maintain your own compliance program, fair lending testing, and risk assessments independent of what your bank partners do.
Building the bridge
The organizations that navigate this well share a common trait: they treat the bank-fintech relationship as a shared governance responsibility, not a boundary where accountability stops.
This means regular communication between compliance teams on both sides. It means shared language around model risk, data quality, and testing methodology. It means contracts that reflect the reality of regulatory expectations, not just commercial terms.
This requires both sides to accept that governance is a cost of operating in regulated financial services. The investment in transparency, documentation, and independent oversight is what makes the partnership sustainable.