Interagency Issuances On Bank-Fintech Partnerships Highlights Risks, Opportunities, Importance Of Industry Participant Engagement

Summary

The recent bank regulatory Joint Statement and request for information (RFI) on third-party deposit relationships and bank-fintech partnerships emphasize afresh regulators' long-standing concern with financial institutions' management of third-party relationships,¹ albeit with a new level of intensity that reflects rapid changes in the provision of financial services. This concern has been punctuated by last year's bank failures and the recent bankruptcy of banking fintech partner Synapse and is reflected in recent enforcement actions,² including against Evolve Bank and Trust and Green Dot Bank. Bank partnerships with fintechs have grown increasingly complex in recent years, as have business models relying on banking-as-a-service (BaaS) arrangements in which financial institutions are sometimes "junior partners" (i.e., smaller in assets/revenue than fintechs and/or less sophisticated or complex).

These issuances present banks and fintechs the opportunity to increase regulators' understanding of appropriate business and risk management models in this highly technical, fast-changing space. While some view the Joint Statement as a caution against fintech partnership, the RFI suggests that at least some regulators sincerely seek to better understand the nature of these relationships and the industry's view of effective compliance models. The issuances also reflect the importance of banks involved in such arrangements reexamining controls (i.e., policies, procedures, contractual terms, monitoring controls and access to customer records) governing such relationships. The RFI may result in more stringent supervisory expectations applied to banks, which in turn would flow through to their third-party partners. This could significantly increase risks for both banks and fintechs that have increasingly codependent business models. Hence, it is important for industry participants to consider submitting comments.

Regulatory Concern

On July 25, 2024, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) issued a joint statement (Joint Statement) and request for information (RFI) to address potential risks associated with arrangements between banks and third parties that provide banking products and services to consumers and businesses (end users).³ The associated RFI seeks public comment on the nature of bank-fintech arrangements, including their benefits and risks, effective risk management practices, and potential implications.⁴

According to Federal Reserve Governor Michelle Bowman in a recent speech, incidents within some bank-fintech partnerships "highligh[t] the need for improvements in bank supervision, with several notable failures to identify and appropriately escalate issues during the examination process."⁵ Acting Comptroller of the Currency Michael J. Hsu also recently noted the "increasing complexity of bank-nonbank relationships" and ensuing "interdependencies between banks and nonbanks, including fintechs."⁶

The issuances present a rare opportunity for industry participants to educate and influence regulators by presenting effective bank-fintech risk management models and differentiating the regulation most appropriate to the many different partnership arrangements that exist in this rapidly growing ecosystem.

Key Highlights of the Issuances

These issuances define "fintech" broadly to capture a variety of companies, including "intermediate platform providers" as well as "certain processors and payments platforms" and "certain non-financial retail businesses seeking to expand into markets for financial products and services through arrangements that could allow them to leverage their existing infrastructure and customer relationships to offer a one-stop[]shop to access financial and non-financial products and services."⁷

In the context of third parties performing compliance functions, the Joint Statement notes that the "bank remains responsible for failures to comply with applicable requirements," a responsibility that extends to third-party providers that aid in anti-money laundering (AML) and sanctions compliance, including nested fintechs, meaning arrangements in which nonbank partners themselves use subcontractors.⁸

The Joint Statement and RFI emphasize that elevated risks include fragmented deposits and records, reduced operational visibility, contract gaps, growth-related challenges such as misaligned incentives, liquidity risks, capital pressures, and end-user confusion about who is ultimately responsible for safeguarding customer assets. Banks must ensure their programs are consistent with existing guidance, such as the "Interagency Guidelines Establishing Standards for Safety and Soundness and the Interagency Guidance on Third-Party Relationships: Risk Management." In particular, this means reviewing controls over:

• third-party risk management (including due diligence, contracting and monitoring);
• operations and compliance (including contingency planning, deposit risk mitigation and AML/sanctions compliance);
• growth, liquidity and capital risk management (including watching concentration limits, diversification, liquidity planning and exit strategies); and
• consumer protection (particularly policies regarding deposit insurance representations).

RFI

The RFI solicits data that may influence future guidance (e.g., supervisory exam material or similar regulatory guidance) through 30 questions specific to bank-fintech arrangements. Key themes include:

• Bank-Fintech Arrangement Descriptions: The agencies seek information on how institutions are structuring and implementing bank-fintech arrangements, including benefits of these arrangements, data usage practices, end-user status determination, third-party provider involvement, affiliate arrangements, and associated costs and resources.
• Risk and Risk Management: In particular, the agencies seek information regarding:
• • Safety and Soundness Practices—examples of practices to maintain safety, soundness and regulatory compliance in bank-fintech arrangements.
  • Consumer Protection Risks—managing increased consumer protection risks, such as discrimination or unfair practices.
  • Contractual Allocation of Functions—information on how parties allocate functions and manage associated risks in bank-fintech arrangements.
  • Risk Management Strategies—strategies for managing various risks, including credit, liquidity, concentration, compliance and operational risks.
  • Disclosure Practices—strategies for ensuring accurate and compliant disclosures to end users.
  • Intermediate Platform Provider Risks—how the use of intermediate platform providers may amplify or mitigate risks.
  • Technology and Data Exchange Risks—information on practices for managing risks associated with connecting to multiple technology platforms and exchanging data.
  • Contingency Planning—practices for planning for arrangement exits, stress events or operational disruptions.
• Trends and Financial Stability: The agencies also seek input on the data needed to monitor developments in bank-fintech arrangements, potential impacts on financial access, ways these arrangements may amplify or mitigate financial shocks, and factors determining support for responsible innovation and market competitiveness.⁹

Opportunities for Engagement

The issuances provide several opportunities for engagement with different parties and stakeholders. First, the RFI provides an opportunity for both banks and fintechs to engage with regulators. Through engaging in the RFI process, banks can (i) educate regulators about reasonable legal/compliance risk management models and demonstrate to them that banks can be "self-sufficient" in properly managing third-party risks and (ii) demonstrate that well-managed fintech partnerships can create new opportunities for bank growth and financial inclusion.

Fintechs, on the other hand, can (i) provide input on how supervision can be applied across different types of companies in a tailored and nuanced approach that reflects the participants' particular role in the provision of financial products and services and (ii) showcase how they reasonably manage their own risks (such as, for example, cybersecurity risk).

Additionally, the RFI provides banks with the opportunity to engage with their existing service providers. Banks should consider reviewing their current relationships (as well as their own internal controls) and consider whether the arrangement is sufficient for the bank to meet its current regulatory obligations and expectations. The RFI provides banks with greater leverage to influence fintech partners to enhance controls to reduce their risk of being de-risked by banks or regulators (an existential business risk), as the RFI highlights, not only the dependency of banks on fintechs, but also of fintechs on their banking partners. Both parties face potentially existential risks if regulators are not satisfied that compliance models are appropriate to manage the risks of such arrangements.¹⁰

Banks and fintechs have a large stake in the compliance models that regulators will ultimately adopt for examinations of bank-fintech partnerships. Industry participants should closely consider participating in the comment process to ensure their perspectives are taken into account. They would be prudent to also review current controls in light of heightened regulatory focus.

Footnotes

1. See, e.g., Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37,920 (June 9, 2023); Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR part 30, Appendix A (OCC), 12 CFR part 208, Appendix D-1 (Board), and 12 CFR part 364, Appendix A (FDIC); Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 30, Appendix B (OCC), 12 CFR part 208, Appendix D-2 (Board), and 12 CFR part 364, Appendix B (FDIC); Third-Party Risk Management: A Guide for Community Banks (May 2024), FDIC FIL-192024, Board SR 24-2/CA 241 and OCC Bulletin 2024-11; Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks (Aug. 27, 2021), FDIC FIL-59-2021, Board SR 21-15/CA 21-11 and OCC Bulletin 2021-40.

2. See, e.g., Blue Ridge Bank, N.A., Office of the Comptroller of the Currency, No. AA-ENF-2023-68 (Feb. 15, 2024); Piermont Bank, Fed. Deposit Insurance Corp., No. FDIC-23-0038b (Feb. 27, 2024); Evolve Bancorp, Inc. & Evolve Bank & Trust, Fed. Reserve Sys., No. 24-012-B-HC (June 14, 2024); Green Dot Bank, Fed. Reserve Sys., No. 24-005-B-SM (July 19, 2024).

3. Board of Governors of the Fed. Reserve Sys., Fed. Deposit Insurance Corp., Office of the Comptroller of the Currency, Joint Statement on Banks' Arrangements with Third Parties to Deliver Bank Deposit Products and Services (July 25, 2024), https://www.occ.treas.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf.

4. Office of the Comptroller of the Currency, Fed. Deposit Insurance Corp., Fed. Reserve Sys., Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses (July 25, 2024), https://www.occ.treas.gov/news-issuances/news-releases/2024/nr-ia-2024-85b.pdf.

5. Governor Michelle W. Bowman of the FDIC, "Liquidity, Supervision, and Regulatory Reform" Speech Before the Research Conference, Cosponsored by the Federal Reserve Banks of Dallas and Atlanta (July 18, 2024) ("Supervision that is not focused on core risks erodes the resiliency in the banking system. Bank failures and losses to the deposit insurance fund certainly demand attention, review, and accountability, but the underlying issues suggest we need to ensure that supervision works appropriately over time.")

6. Acting Comptroller of the Currency Michael J. Hsu, "Size, Complexity, and Polarization in Banking," Remarks Before the Exchequer Club (July 17,2024).

7. Joint Statementat n. 4.

8. Joint Statement at 2.

9. The absence of the National Credit Union Administration from the Joint Statement is notable, given credit unions' presence in the BaaS space. Credit unions and their fintech partners may want to seek clarity on how these guidelines will apply to them.

10. Additionally, as evidenced by recent enforcement actions (e.g., Green Dot) and the RFI, both banks and fintechs should also consider a review of any policies and procedures related to unfair and deceptive acts or practices compliance as well as any current disclosures about offerings and products. For example, the RFI specifically notes that a "fintech company's role in providing disclosures may increase the risk of inaccurate or misleading representations" and that "[s]uch risks may be heightened where the fintech company controls the end-user relationship and uses the bank's name and branding in marketing or when an intermediate platform provider is used and further distances the bank from the end user." Note that the FTC has found companies liable for deception where a false representation (or forged or counterfeit item) has been provided to another, for example, a service provider "with knowledge that it was possible the means could be placed in the stream of commerce and passed on to consumers." Andrew Smith, "Multiparty liability," Fed Trade Comm'n: Bus. Blog (Jan. 29, 2021), https://www.ftc.gov/business-guidance/blog/2021/01/multi-party-liability. Typically, the "means" by which the public may be misled involve marketing materials, which may include, for example, logos. See, e.g., ECM BioFilms, Inc. v. F.T.C., 851 F.3d 599, 605 (6th Cir. 2017) ("ECM also provided plastic manufacturers with material to market their products as biodegradable, including a logo marked 'ECM Biodegradable' against a tree design.").

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.