Demystifying the Bank Vendor Management Process | Part I

Blog Posts
April 18, 2023

In this two-part series, we will share key observations and learnings that aim to demystify the bank vendor management process. Part I will share key observations and considerations to help fintechs better prepare for the bank vendor management process. Part II will dive deeply into contract negotiation, particularly the legal terms that regularly hold negotiations up.

Too often, business negotiations stall or fall apart during the vendor onboarding process. Fintechs are often surprised to discover that an arduous due diligence and negotiation process follows what they may have perceived as a closed sale. Legal, compliance, and procurement processes are long, complex, and expensive, and can be tough for a fintech with limited runway (and budget) to absorb. On the other side, banks must adhere to strict due diligence and onboarding standards to address evolving regulatory expectations, especially given that vendor risk is ultimately borne by the bank. Further, banks feel that some fintechs arrive unprepared and with unrealistic expectations of the sales cycle and vendor management process, compounding frustrations on both sides of the table.

At Canapi, we’ve thought a lot about these challenges from the perspective of both fintechs and banks. As former founders, bankers, regulators, and advisors we understand first-hand how banks and fintechs can best team up to deliver exceptional customer experiences, products, and services. We’ve outlined below some best practices for founders, developed in collaboration with several of our strategic bank LPs.

Key Observations
There is no worse feeling for a long-distance runner than rounding the last bend, only to discover it wasn’t the last bend at all. The idea of the “false finish line” in the vendor management process is similarly dispiriting. The onboarding process goes well beyond the initial “sale,” and what many fintechs perceive to be the finish line is actually the starting line of an intensive vendor management and due diligence process.

Fintechs should have an understanding of the full vendor management process (including its various phases, timelines, and requirements) before they begin. By entering bank conversations with an awareness of what is to come, both parties can more easily align on expectations, flag and remove any surprises that might derail an engagement, and help fintechs adequately plan for time and cost.

Understanding the vendor management process also requires that a fintech be familiar with the right people within the targeted bank. Fintechs should know who the key players in the onboarding process are (e.g., procurement / third-party risk management, legal, compliance, infosec, technology, project management, and the relevant business head) and proactively loop all of them into the process as early as possible. By connecting with these parties early, fintechs will better understand expectations, responsibilities, and anticipated timelines. Their involvement is also a useful signal of where a fintech actually stands in the sales process: if a buyer is hesitant to bring procurement, legal, or compliance into the conversation, the seller is likely not as far along in the sale as they might have thought.

When it comes to contracting, treat the bank’s non-disclosure agreement (“NDA”) as effectively non-negotiable. If a fintech takes issue with the bank’s NDA, it immediately raises red flags for the bank as a leading indicator of a challenging contracting process. Our bank partners recommend that fintech partners do not negotiate the NDA up front; at most, identify one or two genuinely critical items and stop there.
The vendor onboarding process at financial institutions can vary greatly bank-to-bank based on several factors, including but not limited to:

  • Complexity of the fintech’s product and type of service (e.g., a crypto-related service will require more due diligence by the bank, as well as written notification to and approval of the partnership by a regulator);
  • Size of the financial institution (e.g., a larger bank will have higher regulatory expectations and vendor onboarding requirements than a smaller community bank); and
  • The criticality of services the vendor provides and whether the vendor will have access to customer data/Personally Identifiable Information (“PII”).

These factors and others determine the duration of a vendor management process, and that timeline can vary greatly. Fintechs are often surprised by how long bank onboarding can take. We’ve outlined below how long the onboarding process might take, highlighting the factors that can shorten or lengthen it.

Our bank partners have emphasized the importance of realizing that several onboarding paths exist. While many fintechs may be expecting a “full commercialization” path, where a bank immediately engages a fintech in vendor onboarding for the product or service it provides, another common path is a proof of concept, where a fintech provides access to a version of its offering that is limited in scope, in its use of customer data, or both. A proof of concept does not remove any of the required components of a vendor management process, but it does create a streamlined version of the vendor management steps up front. This allows banks to identify and mitigate potential risks earlier, which may accelerate the overall onboarding process.
The due diligence process will vary for each fintech based on a combination of the fintech’s inherent risk and the bank’s risk appetite. For example, due diligence for a large supplier with access to confidential client data and a contract worth tens of millions of dollars will require greater scrutiny, and will take longer, than due diligence for a boutique marketing business serving a local bank branch. That said, we find that several relatively consistent due diligence requests prove more challenging for fintechs than others. Most of the time, these challenges arise simply because fintechs are blindsided by certain requests and unprepared to respond to them adequately.

  • Customer Data Security.
    Regulators expect banks to verify that specific controls are in place to protect customer data, so due diligence is much more intensive for fintechs that handle it. Applicable fintechs must be able to evidence standard data security controls (e.g., a current SOC 2 report covering the relevant trust services criteria, multi-factor authentication, and encryption of customer data in transit and at rest). Expect the bank to ask for the report itself and for remediation status on any noted exceptions, not just confirmation that one exists.
  • Third- and Fourth-Party Risk Management.
    Many fintechs depend on critical providers of their own that stand behind their infrastructure, cloud hosting being the most common example; from the bank’s perspective these are fourth parties. Banks are obligated to inquire into the nature of those relationships and the controls around them, so it is prudent for technology providers to assemble that information (which providers are critical, what data they touch, and how they are monitored) and offer it early in the due diligence process. Doing so gives the bank’s due diligence team comfort that the fintech is aware of the regulatory requirements and understands its own dependencies.
  • Business Continuity Plan.
    Fintechs are often hesitant to share their business continuity plan (or don’t yet have one), but this is a critical requirement for banks, particularly if the technology solution is a critical part of the bank’s technology stack or touches customers directly. Banks will typically also want to see that the plan has been tested, not just written.

Fintechs should be cognizant that due diligence is an iterative step rather than a one-time request. It is rarely completed after a single round and tends to involve follow-up questions and clarifications. Fintechs that proactively develop robust responses to typical vendor management questions can reduce the amount of back-and-forth with bank prospects.

Going Deeper: The Canapi Alliance Vendor Management Playbook

Based on our learnings and work with nearly 70 financial institution investment partners, we developed the Canapi Alliance Vendor Management Playbook that explores these topics and more in greater detail.

For members of the Canapi Alliance, the Vendor Management Playbook includes a due diligence checklist, which provides further context as to what banks typically require from fintechs during the due diligence process and what fintechs should prepare ahead of time. The checklist leverages regulatory guidance that Canapi Alliance banks are instructed to follow, as well as requirements voiced specifically by Canapi Alliance banks.

The Vendor Management Playbook and Canapi Conversation are available to all Canapi Alliance members through the Canapi Connect portal and upon request.