On July 25, 2024, the Fed, the OCC and the FDIC (the "Banking Regulators") released a "Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses" (the "RFI"). The RFI was published in the Federal Register on July 31, 2025. The Banking Regulators also issued a joint statement on the RFI.
Responses to the RFI must be received on or before September 30, 2024.
The RFI states that the Banking Regulators "support responsible innovation and banks pursuing bank-fintech arrangements in a manner consistent with safe and sound banking practices, and with applicable laws and regulations..." and that "Bank-fintech arrangements can provide benefits." But . . . "supervisory experience has highlighted a range of potential risks with these bank-fintech arrangements."
Of course, for practitioners in this space, the contracts put into place between banks and fintechs attempt to address the potential risks and ensure that full compliance with law occurs. While the RFI recognizes that contractual allocation of duties to ensure compliance is standard in these relationships, it reveals that the Banking Regulators seem to be uneasy about whether allocation of duties is a valid means for reaching compliance. Considering that the Banking Regulators are fully aware that banks use a wide variety of third parties to ensure compliance for their day-to-day obligations, the wariness of bank-fintech contractual arrangements seems to be outsized.
The RFI seeks public comment on 41 discrete questions (by a tally of the question marks) and provides the public 60 days to answer them. Among these questions is a query whether "additional clarifications or further guidance" would be helpful for banks. To our minds, the Banking Regulators already have provided guidance on most of the topics covered by the RFI, which is to say that as long as the bank and the fintech work together to ensure that the bank has sufficient information and sufficient agency to fulfill its obligations with respect to its own safety and soundness, liquidity, and capital requirements, as well as its obligations to comply with consumer protection, privacy and security laws, then specific guidance for the bank-fintech relationship is not really necessary.
Having said that, we think there are a couple of areas where a statement from the Banking Regulators could set expectations and make things a bit smoother at the negotiating table. Specifically:
- To the extent the fintech's compliance obligations are lesser than the obligations a bank must meet, the fintech must instead meet the bank's compliance obligations.
- Proper due diligence by the bank for the program with the fintech should identify parameters for when a certain amount of growth will give rise to liquidity, capital reserves or safety and soundness challenges.
- The contract should provide a means for banks to throttle back the program with the fintech in case the growth is such that liquidity, capital reserves or safety and soundness thresholds cannot be shifted quickly enough.
- While banks and fintechs may continue to negotiate ownership of data generated from the program, banks should be assured a broad enough and long enough license to such data that will allow them to meet compliance obligations.
In sum, we think that the Banking Regulators should tread lightly in this area, which sentiment is consistent with this statement regarding the RFI, by Federal Reserve Board Governor Michelle W. Bowman -- she stated that while she supports the RFI, she is "concerned that the agencies continue to publish piecemeal guidance and other documents based on an incomplete understanding of current bank-fintech relationships" and that any guidance or rulemaking that arises from the RFI poses "the risk of pushing out innovation from the regulated banking system."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.