Selling to banks is the process of navigating a multi-stakeholder buying structure where risk, compliance, IT security, and procurement teams each hold independent veto power over a commercial decision. Unlike standard B2B sales, bank sales require the vendor to satisfy assurance requirements before the commercial buyer can act. Most fintech founders underestimate this. They build for the business sponsor — the person who wants to buy — but lose months or years when the risk team, legal, or IT security raise blockers. The companies that sell successfully to banks treat assurance as the first workstream, not the last.

Why is selling to banks different from standard enterprise sales?

Banks are regulated institutions. Every new vendor introduces operational risk, data risk, and regulatory exposure. The buyer (often a product or innovation lead) cannot approve a purchase alone. They must satisfy internal assurance teams before procurement will process the contract. This creates a buying structure with at least four independent decision-makers:
  • Business sponsor — owns the use case and budget. Wants the product.
  • Risk and assurance team — evaluates vendor stability, data handling, and operational risk. Can veto.
  • IT security — assesses infrastructure, penetration test results, access controls, and deployment model. Can veto.
  • Procurement and legal — manages contract terms, SLAs, liability, and commercial structure. Can delay indefinitely.
Each group operates on its own timeline and criteria. A fintech that impresses the business sponsor but cannot satisfy risk will stall. The sales cycle in banking typically runs 6 to 18 months, and the assurance phase — not the demo — is where most of that time is spent.

What do banks actually evaluate before buying?

Banks assess vendors across five areas before signing a contract. Each area requires documented evidence, not verbal assurance.

| Area | What the bank needs | Typical evidence |
| --- | --- | --- |
| Security posture | Proof the vendor can protect data and systems | ISO 27001, SOC 2, Cyber Essentials Plus, penetration test reports |
| Data handling | Clarity on what data is accessed, where it is stored, and who can see it | Data processing agreements, GDPR compliance docs, data flow diagrams |
| Financial stability | Confidence the vendor will exist in 12 months | Filed accounts, funding history, insurance certificates |
| Operational resilience | Assurance the service will not fail under load | SLAs, uptime history, disaster recovery plans, incident response procedures |
| Regulatory compliance | Proof the vendor operates within the relevant regulatory framework | FCA registration (if applicable), AML/KYC policies, compliance certifications |

The Scottish Scale-Up Panel found that 53% of Scottish scale-up leaders identify sales and business development as their key skills gap. In banking, the gap is not selling skill — it is evidence preparation. Founders who assemble their evidence pack before the first meeting close faster than those who scramble to produce documents during the assurance phase.

How should a fintech sequence its approach to a bank?

The most common mistake is leading with a product demo. The demo impresses the business sponsor but creates urgency without readiness. When the sponsor tries to progress, they hit internal blockers. A more effective sequence:
  1. Build the evidence pack first. Assemble security certifications, pen test reports, data handling documentation, filed accounts, and reference cases before outreach. See the Evidence Pack Builder framework for the method.
  2. Qualify the bank’s internal process. Before investing time, ask: who approves new vendors? What is the typical timeline? Is budget allocated, or is the interest exploratory? What certifications are mandatory?
  3. Engage the risk team early. Request an introductory call with risk and assurance alongside the business sponsor. This surfaces blockers at week 2, not month 6.
  4. Run a scoped proof of value. Propose a 4-to-8-week pilot with defined success criteria, a named budget holder, and clear exit terms. Avoid open-ended free trials.
  5. Progress assurance and commercial in parallel. While the pilot runs, submit evidence to IT security and risk. Do not wait for the pilot to end before starting assurance.
  6. Close with procurement, not the sponsor. The sponsor is your champion. Procurement is your buyer. Prepare contract terms, SLAs, and pricing before the procurement conversation begins.

What does the buying timeline actually look like?

A realistic bank sales process runs across three overlapping workstreams:
Months 1-2: Qualification and access
  • Identify the business sponsor and their specific pain point
  • Confirm budget exists (not exploratory interest)
  • Map the internal buying structure — who else must approve
  • Share the evidence pack proactively
Months 2-4: Proof of value
  • Run a scoped pilot with defined success criteria
  • Engage risk and IT security in parallel
  • Begin the vendor onboarding questionnaire (often 200+ questions)
Months 4-8: Assurance and contract
  • Complete the security review and risk assessment
  • Negotiate contract terms with procurement and legal
  • Finalise SLAs, data processing agreements, and liability terms
  • Close
The timeline compresses when the fintech has completed evidence preparation before outreach and when the bank has an existing fast-track procurement pathway. It expands when the fintech is the bank’s first vendor in a new category, when certifications are missing, or when the pilot lacks clear conversion criteria.

How should startups handle the vendor onboarding questionnaire?

Most banks require new vendors to complete a standardised risk questionnaire. These typically run 100 to 300 questions covering security, data handling, business continuity, financial stability, and regulatory compliance. Practical approach:
  1. Maintain a master response document. Keep a living document with pre-written answers to the most common questions. Update it after each bank engagement.
  2. Identify gaps before submission. If you cannot answer a question with evidence, fix the gap before submitting. A blank answer triggers deeper scrutiny.
  3. Attach evidence rather than describing it. Link directly to certificates, reports, and policies rather than summarising them in free text.
  4. Ask for the questionnaire early. Request the vendor onboarding pack during the first meeting, not after the pilot. This gives you months to prepare rather than weeks.

What is the credibility gap?

The credibility gap is the distance between the buyer’s silent fears and the founder’s evidentiary proof. Institutional buyers do not buy “innovation” — they buy “defensibility.” While the business sponsor listens to the product pitch, the risk committee is silently asking a different set of questions:

| What the founder answers | What the risk committee silently asks |
| --- | --- |
| “Our product does X” | “Will this create a headline-grabbing data breach?” |
| “We have traction” | “If this company folds in six months, what happens to our customers?” |
| “We use AI” | “Can we explain this to a regulator if it goes wrong?” |
| “Banks love it” | “Which bank, and can we speak to their risk team?” |

Bridging the credibility gap requires pre-built evidence, not better demos. Founders who treat the evidence pack as their primary sales artefact — not the slide deck — close faster because they address the silent questions before they are asked.

What is Problem B discovery?

Most founders pitch Problem A — the problem they think they are solving. But Problem A is often not what the buyer will pay to fix right now. Problem B is the actual pain with real budget and urgency behind it. Discovery must invite the buyer to redirect the conversation. Instead of presenting a solution and asking “does this resonate?”, ask open questions that let the buyer reveal their real constraints:
  • “What keeps coming back to your desk that you cannot solve with existing tools?”
  • “If you could fix one thing before your next board review, what would it be?”
  • “Where is budget already allocated that is not delivering the outcome you need?”
Problem B is often adjacent to Problem A but more specific, more urgent, and already funded. Founders who discover Problem B before pitching can position their product as the solution to an existing pain rather than a new initiative requiring fresh budget.

Common mistakes

  • Leading with the demo. The demo creates excitement but not readiness. Business sponsors who are excited but cannot get internal approval become frustrated champions.
  • Ignoring the risk team. Risk can veto any deal. Treating them as a final gate rather than an early stakeholder adds months.
  • Running free pilots without conversion terms. A pilot with no defined success criteria, no budget holder, and no timeline becomes a permanent free trial.
  • Assuming the sponsor can override procurement. Even senior sponsors cannot bypass risk and assurance. They need ammunition — your evidence pack — to advocate internally.
  • Treating each bank as unique. The questionnaires differ in detail but converge on the same categories. Build once, adapt per bank.
  • Underestimating the timeline. Founders who plan for a 3-month sales cycle in banking will run out of cash or patience. Plan for 6 to 18 months and work backwards.

Key takeaways

  • Bank sales are assurance-led, not demo-led. Satisfy risk before expecting a commercial decision.
  • Build the evidence pack before outreach. Certifications, pen tests, and data handling docs are table stakes.
  • Engage risk and IT security early and in parallel with the business sponsor.
  • Design pilots with defined success criteria, named budget holders, and clear exit terms.
  • Maintain a master questionnaire response document and update it after every engagement.
  • The timeline is 6 to 18 months. Sequence your activities so assurance runs in parallel with the pilot.