How Core Bank Built a Fintech Review Program that Examiners Called "Impressive"

How Core Bank Built a Fintech Review Program that Examiners Called "Impressive"

“We have seen bigger BaaS programs that have been doing this for years, and Core Bank is more mature. Core’s TPRM program is impressive.”

- Examiner, during Core Bank’s most recent in-office examination


Core Bank, a $1B community bank in Omaha, automated its initial and ongoing fintech partner due diligence with Kobalt Labs - reducing manual review time, increasing consistency, and setting the foundation for its embedded banking program to scale. The result caught the attention of regulators themselves.

The Challenge

When Core Bank made a strategic investment in its sponsor and embedded banking business in late 2025, it became clear the team needed to build a scalable onboarding and due diligence process - and fast. Core’s team brought real expertise to the table, but that knowledge lived with a small group of subject matter experts rather than in a standardized framework - so the same questionnaire could get interpreted differently depending on who was reviewing it. Existing tools stored information, but couldn’t help reviewers act on it, so analyzing policies and mapping evidence to controls across dozens of documents stayed a manual, inefficient process.

That left growth capped by headcount: the only way to review more fintechs was to grow the SME pool, one hire at a time.


“We were at the point where it was either invest in software or hire another person. A single SOC report would take hours to review properly, which is not a good use of internal resources nor does it allow us to deliver the experience we want to for our fintech partners. 

- Erica · Risk Officer · Core Bank

The Solution

Kobalt worked with Core to redesign its due diligence process around a structured controls framework, AI-assisted reviews, and standardized risk assessments - built around the actual workflow risk teams manage every day.

Standardized, controls-based reviews

Working alongside Core’s subject matter experts, Kobalt transformed years of institutional knowledge into a centralized controls framework. Every fintech is now evaluated against the same standardized requirements, with controls mapped to the appropriate risk owners and weighted according to Core’s existing risk methodology. Reviews that previously depended on individual judgment now produce consistent, explainable outcomes.

AI-powered document analysis

Core uploaded its policies, procedures, and review requirements into Kobalt, which automatically extracts requirements, analyzes fintech documentation, and maps evidence directly to the appropriate controls. Instead of spending hours reading documents line by line, reviewers now start with an evidence-backed assessment that flags missing controls, potential gaps, and follow-up questions. Absent or partially compliant controls flow directly into Kobalt’s issue management system and power customizable, automatically generated reporting.

Automated, partner-ready reporting

When a review is complete, Kobalt generates a standardized assessment report that, once reviewer-validated, is ready to share with internal stakeholders and is audit-ready to support regulatory examinations. Findings, residual risk scores, supporting evidence, and reviewer commentary flow directly into customizable templates - no manual report writing required.


“The reports are a huge win. Executives and Committees want clean, polished reports, and now we can generate them directly in Kobalt.  We can pull any field into a template and the system maps it automatically.”

- Erica · Risk Officer · Core Bank

The Results

Workflow*

Before Kobalt

With Kobalt

Due Diligence Document review

10-16 hours¹

1-3 hours²

Risk assessment (mapping controls to risks)

8 hours

2-3 hours

Insurance Coverage Assessment

30 minutes

5 minutes

Contract, MSA, Agreement Reviews

2-3 hours

30 minutes³

SOC Analysis and CUEC Documentation

3 hours

30 minutes⁴

*high-risk third party

The Impact

The impact for Core went beyond speed and efficiency to a robust due diligence operation that unlocked time to revenue for a scaling embedded banking business. Kobalt brought Core speed, scalability, and a stronger compliance posture - their transformation impressed the examiners tasked with diving into the TPRM Program and day-to-day administration.


“Kobalt Labs speeds up our time to yes – unlocking revenue for the bank and our partners. Recently, one partner went from review to live in 5 days, and by day 6 they onboarded their first end-user!”

- Suzanne Mendlik · Chief Risk Officer · Core Bank


While other BaaS programs are still sending out manual questionnaires and buried in spreadsheets, Core Bank built a review process regulators point to as the standard. Find out how here.


—————

Footnotes

¹ Before Kobalt reflects reading time only. Typical time could extend up to two business days dependent on SME availability. Required document updates, Q&A, etc. added ~2 hours.

² Reflects time of the Risk Officer. Where a SME review is required (escalation), expect ~3 hours.

³ Does not include fintech end-user agreements where SME review is required, increasing time.

⁴ Time is for fintech partner review, regular bank<>third party reviews require additional time for internal CUEC coordination.