
“We have seen bigger BaaS programs that have been doing this for years, and Core Bank is more mature. Core’s TPRM program is impressive.”
- Examiner, during Core Bank’s most recent in-office examination
Core Bank, a $1B community bank in Omaha, automated its initial and ongoing fintech partner due diligence with Kobalt Labs - reducing manual review time, increasing consistency, and setting the foundation for its embedded banking program to scale. The result caught the attention of regulators themselves.
The Challenge
When Core Bank made a strategic investment in its sponsor and embedded banking business in late 2025, it became clear the team needed to build a scalable onboarding and due diligence process - and fast. Core’s team brought real expertise to the table, but that knowledge lived with a small group of subject matter experts rather than in a standardized framework - so the same questionnaire could get interpreted differently depending on who was reviewing it. Existing tools stored information, but couldn’t help reviewers act on it, so analyzing policies and mapping evidence to controls across dozens of documents stayed a manual, inefficient process.
That left growth capped by headcount: the only way to review more fintechs was to grow the SME pool, one hire at a time.
“We were at the point where it was either invest in software or hire another person. A single SOC report would take hours to review properly, which is not a good use of internal resources nor does it allow us to deliver the experience we want to for our fintech partners.
- Erica · Risk Officer · Core Bank
The Solution
Kobalt worked with Core to redesign its due diligence process around a structured controls framework, AI-assisted reviews, and standardized risk assessments - built around the actual workflow risk teams manage every day.
Standardized, controls-based reviews
Working alongside Core’s subject matter experts, Kobalt transformed years of institutional knowledge into a centralized controls framework. Every fintech is now evaluated against the same standardized requirements, with controls mapped to the appropriate risk owners and weighted according to Core’s existing risk methodology. Reviews that previously depended on individual judgment now produce consistent, explainable outcomes.
AI-powered document analysis
Core uploaded its policies, procedures, and review requirements into Kobalt, which automatically extracts requirements, analyzes fintech documentation, and maps evidence directly to the appropriate controls. Instead of spending hours reading documents line by line, reviewers now start with an evidence-backed assessment that flags missing controls, potential gaps, and follow-up questions. Absent or partially compliant controls flow directly into Kobalt’s issue management system and power customizable, automatically generated reporting.
Automated, partner-ready reporting
When a review is complete, Kobalt generates a standardized assessment report that, once reviewer-validated, is ready to share with internal stakeholders and is audit-ready to support regulatory examinations. Findings, residual risk scores, supporting evidence, and reviewer commentary flow directly into customizable templates - no manual report writing required.
“The reports are a huge win. Executives and Committees want clean, polished reports, and now we can generate them directly in Kobalt. We can pull any field into a template and the system maps it automatically.”
- Erica · Risk Officer · Core Bank
The Results
Workflow* | Before Kobalt | With Kobalt |
|---|---|---|
Due Diligence Document review | 10-16 hours¹ | 1-3 hours² |
Risk assessment (mapping controls to risks) | 8 hours | 2-3 hours |
Insurance Coverage Assessment | 30 minutes | 5 minutes |
Contract, MSA, Agreement Reviews | 2-3 hours | 30 minutes³ |
SOC Analysis and CUEC Documentation | 3 hours | 30 minutes⁴ |
*high-risk third party
The Impact
The impact for Core went beyond speed and efficiency to a robust due diligence operation that unlocked time to revenue for a scaling embedded banking business. Kobalt brought Core speed, scalability, and a stronger compliance posture - their transformation impressed the examiners tasked with diving into the TPRM Program and day-to-day administration.
“Kobalt Labs speeds up our time to yes – unlocking revenue for the bank and our partners. Recently, one partner went from review to live in 5 days, and by day 6 they onboarded their first end-user!”
- Suzanne Mendlik · Chief Risk Officer · Core Bank
While other BaaS programs are still sending out manual questionnaires and buried in spreadsheets, Core Bank built a review process regulators point to as the standard. Find out how here.
—————
Footnotes
¹ Before Kobalt reflects reading time only. Typical time could extend up to two business days dependent on SME availability. Required document updates, Q&A, etc. added ~2 hours.
² Reflects time of the Risk Officer. Where a SME review is required (escalation), expect ~3 hours.
³ Does not include fintech end-user agreements where SME review is required, increasing time.
⁴ Time is for fintech partner review, regular bank<>third party reviews require additional time for internal CUEC coordination.