This article was contributed by Megan Pillsbury, former executive director at Morgan Stanley and Asia head of technology business development and innovation, based both in New York and Hong Kong. In 2018 DigFin named her a woman leader in fintech. She left the firm in late 2019.
Selling software to large financial services institutions can be very lucrative (they have scale) but navigating your way to success is labyrinthine. Even the most game-changing technology solutions can be passed over for seemingly archaic reasons.
Most large financial institutions (FIs) have a reputation of being slow or unwilling to adopt new technologies, and some for preferring to build software rather than buy it from the market. It’s helpful to understand the internal dynamics that drive FI behavior, so that you can more easily navigate the complexities they face and help them move faster.
I cannot overstate the impact of regulations on FIs, and for good reasons. These companies are foundational to global economic stability, as demonstrated during the 2008 financial crisis. They are the guardians of most of the world’s wealth and enablers of investment that drives growth. Necessarily they are regulated at many levels and in many ways, including what new technologies they can adopt, how, and when. For example, while nearly every other type of (lightly regulated or unregulated) company can simply sign up for a new SaaS service, FIs need to clear a number of hurdles before they can even test new software-as-a-service models internally.
I cannot overstate the impact of regulations
Regulatory hurdles become even higher and more complex for FIs that operate globally, as there is little consistency across regulatory jurisdictions. In fact, global FIs have been calling on regulators to collaborate with each other to work towards more consistent regulatory frameworks, to make it more affordable and achievable to comply.
Some examples of regulations that impact banks are:
- Client data protection — FSIs have to take a number of steps to protect and demonstrate how they are protecting client data.
- Data location — Some countries require that certain types of data be kept in their country, or outside of certain countries.
- Archiving — FSIs, for various reasons, need to archive pretty much every form of data created in their firm, from emails to client details, in case the regulator needs to call on it for audit or investigation purposes.
- Recovery — In case a vendor service goes offline, FSIs need a back-up plan to get services up and running again. The more important the service, the more quickly the service will need to be recovered.
In addition to complying with regulations, FIs also need to continuously demonstrate that they are complying. Technology and process changes are therefore much more complex. This partly explains why FIs are slow to adopt new technology. It is much more resource-intensive for FIs to adopt new technologies and processes while ensuring regulatory compliance.
Many services provided by FIs are so important to the global economy, and to regulatory and government agencies, that FIs have developed robust risk-management regimes to minimize the risk of outages. If a technology platform goes offline, resulting in the disruption of an important service, the FI could be heavily fined, even if that disruption is due to a vendor issue. Thus FIs extend their risk-management regimes to vendor engagements.
Don’t hide anything that could pose a risk
As a vendor or potential vendor, understand that you will need to help the FI manage the risks of working with you. The more open and collaborative you are with FIs, the easier it will be for them to work with you. Don’t hide anything that could pose a risk.
FIs will evaluate different types of vendor risks, including:
- Cyber risks (more on this below) — How robust and sophisticated is your cybersecurity posture? They will conduct thorough assessments and may require enhancements to meet their very high standards.
- Regulatory risk — Are they able to manage data and achieve regulatory requirements with your solution?
- Reliability risk — What would happen if your system went down? How quickly would they need it brought back up? How much control would they have to help bring it back up? Is there an alternate solution in case your system goes down?
- Financial risk — Is your company financially sound? If not, what happens in case of failure? Startups and smaller companies are sometimes reluctant to expose their weak financial position, but they should be open. If your solution is good, FIs will take extra measures to manage the risk. And in some cases they may help you find sources of funding — they are banks after all.
- Reputation risk — The monetary system is based on trust, and FIs that suffer reputation setbacks pay heavily for it. Hence they will look for any red flags around your firm’s reputation.
- Third-party vendor risk — If your solution is based on a third-party vendor (e.g. a cloud service provider if you are a SaaS), the FI will subsequently conduct their risk assessments on your vendors.
As you can see, risk management in a financial institution is extensive and complex, especially when you consider they have to assess and manage these risks on an ongoing basis. It is resource-intensive and becomes more so if vendors are not cooperative. Responsibility for managing these various risks is usually delegated to different teams or divisions within the FI, and sometimes in many layers. This is to ensure that the people doing the diligence have expertise in doing so, and there may be multiple “lines of defense” for added rigor.
F.I. risk assessment poses the biggest hurdle to new vendors
FI risk assessment and management probably poses the biggest hurdle to new vendors. Even if your technology is massively differentiated and valuable, if you can’t get past these hurdles, you aren’t getting in. Do your research, ask lots of questions, prepare as much as possible, and be highly responsive, thorough, and constructive during the process.
FIs large and small are huge targets for cyber crime. They have to invest aggressively and intelligently to protect themselves from the many types of threats. This is a great opportunity if you are selling cybersecurity solutions. For other vendors, realize that you will have to prove how you do and how they can protect the technology platform and data. Third-party security certifications are a great start, but the FI is likely to conduct their own diligence. Be prepared to offer up your security engineers’ time to facilitate cybersecurity assessments.
The larger and more well-established the FI, the more likely they have legacy technology infrastructure and software that they wish they could but haven’t yet dismantled. The easier it is for your solution to integrate with or talk to these other systems, and to enable a transition to next generation systems, the more favorably it will be seen. Also realize that some push-back might be motivated by reluctance to make changes to legacy systems. It’s easy to underestimate how complicated this might be, and how much additional cost it might add to your implementation. Ask questions and offer assistance to try to overcome concerns.
Buy versus build
Some FIs have a reputation for building all their own technology, rather than buying what’s available in the market. There are a number of motivations for this:
- Competitive differentiation — Most importantly, FIs can differentiate themselves from competition through technology they have developed. In other words, technology that they build enables revenue.
- Control and risk management — Due to high reliability and security requirements, FIs may build their own technology so they have ultimate control over how it works, how it integrates with other systems, and how to fix it when something goes wrong.
- Security — Up until just a couple of years ago, most cloud-based technology providers couldn’t match the security requirements demanded by the FI. Building something on-premise was the only way to ensure a high standard of security.
- It’s cheaper and easier — Though it seems counter-intuitive, sometimes the above-mentioned hurdles to onboarding a new vendor are so high that it is actually easier, cheaper, or faster to build a solution.
- Because they build stuff — Some FIs are stacked with talented technology developers, but even they can be wary of new technology. Naturally they can prefer to build a solution with technology they know, rather than integrate technology they don’t yet understand.
Business school 101 tells you to outsource anything that is not a source of competitive differentiation and can be done better, cheaper, and faster by someone else. FIs are wising up to this and tweaking their organizations to focus more on buying. This is great news for vendors! But keep in mind that the above reasons for building are still influencing decisions.
Your guide to getting in
Now that you have a better understanding of how FSIs think about adopting new technology solutions, here are a few tips to giving yourself the best shot at getting in:
- Get enterprise ready
While FIs won’t necessarily expect small companies and startups to have 24/7 support, 99.99999% uptime, and military-grade security, the closer you get, the easier it will be for them to bring you on.
- Be transparent and collaborative
FIs face unique challenges due to their regulatory environment and the nature of their services. By helping them to thoroughly understand the risks and rewards of working with you, and understanding you may need to accommodate some requests, they will be more confident in building a lucrative partnership with you.
- Charm everyone
There are many different decision makers and potential blockers involved in bringing on a new technology vendor. Your strongest champion will be the team that benefits the most from your solution. Get them on your side, and then get everyone else on your side, especially the internal technology stakeholders who will enable your integration. Educate them on your technology and help them understand the value of working with you rather than building an alternative solution internally.
- Do your homework
The more you understand the potential barriers to adoption, be they regulatory, regional, political, legacy systems, etc., the more likely you’ll be able to collaborate with the FI to find a path forward. Because FIs are so complex, the more effort you put in, the lower the barrier will be.
I don’t guarantee that if you follow this advice you will be successful, but hopefully it puts you in the best position possible to work for and find success. Good luck!