Regulators’ Consent Orders Signal Increased Focus on Bank-Fintech Partnerships
Overview: The Federal Deposit Insurance Corporation (“FDIC”) and Office of the Comptroller of the Currency (“OCC”) have each issued recent consent orders that place significant restrictions on the subject banks’ ability to provide banking-as-a-service (“BaaS”) and enter new partnerships with fintechs. The regulators have also publicly expressed concern about bank-fintech partnerships more broadly, and both banks and fintechs should be prepared for heightened regulatory scrutiny.
Within the past year, the federal banking regulators have taken a series of steps demonstrating that they are increasingly focused on compliance issues involving BaaS and bank-fintech partnerships. In August 2022, the OCC entered into a consent order with Blue Ridge Bank based on allegations that the bank engaged in unsafe and unsound practices related to its partnerships with fintechs. The consent order requires the bank to implement a series of compliance reforms and, most significantly, requires the bank to engage in substantial due diligence and obtain the OCC’s prior approval before onboarding any new fintech partners.
Soon after that consent order became public, Acting Comptroller Michael Hsu addressed BaaS in a series of public remarks discussing the growing market for BaaS and the OCC’s increased supervisory focus on bank-fintech partnerships. The Acting Comptroller indicated that the OCC had implemented a more targeted approach to examining banks that focus on BaaS as a core component of their business model, and that the OCC was also beginning to engage more directly with fintechs that partner with banks. Mr. Hsu also indicated that the OCC has been collaborating with its peer regulators on BaaS issues, and the FDIC recently issued a consent order that is the most significant indication yet that banks that specialize in BaaS and the fintechs they partner with must be prepared for regulators’ increased scrutiny.
FDIC Consent Order Alleges Fair Lending Violations in Bank-Fintech Partnership
On April 28, 2023, the FDIC published a consent order with Cross River Bank that addresses allegations relating to the bank’s fair lending compliance program and related oversight of its fintech lending partners. This consent order is particularly significant both because the bank is one of the leading BaaS providers in the banking industry, and because the order focuses on fair lending, an area on which regulators are focused for all banks and that presents unique compliance challenges in the context of bank-fintech partnerships.
The FDIC consent order does not cite any specific discriminatory practices, nor does it require the bank to make restitution to customers. However, it requires the bank to provide the FDIC a complete list of its current fintech partners and, like the previous OCC consent order, requires the bank to obtain the FDIC’s prior approval before entering into any new fintech partnership not included on the current list the bank must provide to the FDIC.
The consent order also requires the bank to take a series of actions focused on strengthening the banks’ fair lending and third-party risk management compliance programs. The key compliance enhancements required under the consent order include:
- Increasing the Board’s supervision of the bank’s management and its oversight and monitoring of the bank’s compliance program;
- Retaining an independent third party to review the bank’s underwriting technology and evaluate whether the bank maintains sufficient information concerning its credit products and models to monitor for compliance with fair lending laws;
- Conducting a comprehensive fair lending risk assessment;
- Evaluating each of the bank’s fintech partners’ fair lending compliance on an annual basis;
- Ensuring the bank has adequate staff to handle fair lending compliance, and that such staff, the Board, and other bank employees involved in credit decisions are well trained on fair lending compliance.
All BaaS Providers and Fintechs Should Prepare for Heightened Scrutiny
Although the FDIC’s recent consent order arose out of allegations involving noncompliance with lending laws, all BaaS providers and fintechs should take note. The alleged compliance failures and required enhancements that the FDIC and OCC have identified in consent orders and public remarks extend beyond lending, and regulators can and likely will apply these principles to all banks involved in partnerships with fintechs.
Banks that provide BaaS to fintechs, as well as the fintechs they partner with, should consider evaluating their own compliance programs in comparison to the FDIC and OCC consent orders. Such banks should be prepared for their regulators to focus examinations on their fintech partnerships, and fintechs should be prepared for a related increase in scrutiny from their bank partners, as well as the potential for regulators to increase their focus directly on fintechs themselves.
Outlook: Bank regulators have made clear that they are intently focused on the unique compliance challenges in bank-fintech partnerships. These relationships will continue to be a focus of examinations, and if regulators identify compliance weaknesses they will not hesitate to impose additional consent orders.
Treasury Department Publishes De-Risking Report
Overview: On April 10, 2023, the U.S. Treasury Department published its 2023 De-Risking Strategy report (the “De-Risking Report”). The AML Act of 2020 required the Treasury Department to consult with federal and state banking regulators, as well as appropriate public- and private-sector stakeholders, in order to provide a formal review of the practice of de-risking and develop a strategy to address it. The De-Risking Report is the product of that effort. It contains a review of the causes and effects of de-risking as well as numerous recommendations aimed at a broad spectrum of industry participants and stakeholders, including Congress, federal regulators, and financial institutions.
Under the authority of the AML Act of 2020, Congress directed the Treasury Department to consult with the federal financial regulators, state banking supervisors, and appropriate stakeholders both in the public and private sectors in order to complete a formal review of certain financial institution obligations under the Bank Secrecy Act (“BSA”) and consider a range of factors related to the drivers and adverse consequences of de-risking. In part, the review was intended to “propose changes, as appropriate, to those [BSA] requirements . . . to reduce any unnecessarily burdensome regulatory requirements” and develop a strategy to mitigate financial sector de-risking and its adverse effects.
The De-Risking Report defined the term as “the practice of financial institutions terminating or restricting business relationships indiscriminately with broad categories of clients rather than analyzing and managing the risk of clients in a targeted manner.” De-Risking is not a new issue. In April of 2005 FinCEN and federal banking regulators felt compelled to issue a joint interpretive guidance aimed at convincing banking institutions that they “have the flexibility to provide services to a wide range of money services businesses while remaining in compliance with the Bank Secrecy Act.” The guidance was widely viewed as a direct response to the increasing trend of money services businesses (“MSBs”) losing their banking relationships due to de-risking. It is also not a uniquely American issue. In 2015 the World Bank conducted two surveys which confirmed that large global banks were restricting or terminating relationships with certain industries, particularly money transfer operators.
Exacerbating the problem is the fact that banks often received conflicting information from regulators regarding the risks of certain customers. On the one hand, regulators have been issuing policy statements for nearly two decades encouraging banks to exercise a risk-based approach to engaging with customers, but on the other hand banks have reported that informal statements from examiners and scrutiny of certain activities during exams reflected an unspoken belief on the part of examiners that banks should not engage in such business. The De-Risking report notes that numerous financial institutions interviewed for the report cited the perceived potential for added scrutiny from examiners as a reason they chose not to bank certain customers such as MSBs.
Overview of the De-Risking Report
The report identified three types of banking customers that are facing the most acute de-risking challenges: (i) small- and medium-sized MSBs that offer money transmission services; (ii) non-profit organizations (“NPOs”) operating in high-risk areas; and (iii) foreign financial institutions with low correspondent banking transaction volumes, particularly those operating in areas known for high anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) risks. One of the key findings of the De-Risking Report is that the primary driver of de-risking is profitability. However, Treasury noted that profitability is based on a broad range of factors such as a financial institution’s available resources (both human and monetary), the cost of implementing necessary AML/CFT compliance measures to support high-risk customers, concern about reputational risk, lack of clarity regarding regulatory expectations, overall compliance burdens, and other considerations.
The report also discusses the major adverse consequences of de-risking, including: driving financial activity out of the regulated financial system; hampering remittances; preventing low- and middle-income populations from accessing the financial system; delaying or encumbering the transfer of international development funds and humanitarian aid; and undermining the centrality of the US financial system.
To address these adverse consequences, the De-Risking Report provides an extensive list of recommendations aimed at a wide assortment of industry participants, including federal and state legislatures, regulatory agencies, financial institutions, and the affected customers themselves. One of the core points of the De-Risking Report is that Treasury wants banks to assess all customers on a case-by-case basis, and that no category of customer, including MSBs, should be considered uniformly high risk. The strategy also calls on the federal government collectively to take certain actions, some of which include:
- Promote consistent supervisory expectations, including through training of federal examiners, that consider the effects of de-risking.
- Analyze account terminations of NPO and MSB customers to identify ways to support longer notice periods before termination.
- Consider new regulations that require banks to have reasonably designed risk-based AML/CFT programs supervised on a risk basis, possibly taking into account the effects of financial inclusion.
- Consider clarifying and revising AML/CFT regulations and guidance for MSBs.
- Track and measure aggregate changes in banking relationships with financial institutions, MSBs, and NPOs.
- Encourage ongoing public and private sector engagement with MSBs, NPOs, banks, and regulators.
After providing its numerous recommendations and policy options, Treasury was careful to note that no individual recommendation is likely to be transformative on its own. Rather, Treasury believes that the recommendations can have a cumulative impact on the issue of de-risking.
Outlook: It is too early to know the impact of the De-Risking Report, but it has potential to start a discourse among the parties able to leverage these recommendations. Although Treasury expects effective change to only come from engagement by multiple federal policymakers, the report can also serve as a basis for industry stakeholders to advocate for regulatory changes.
Craig Saperstein, a member of Nacha’s Government Relations Advisory Group, is a partner in the Public Policy practice of Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C. In this capacity, he provides legal analysis for clients on legislative and regulatory developments and lobbies congressional and Executive Branch officials on behalf of companies in the payments industry. Deborah Thoren-Peden is a partner and member of the Financial Institutions Team at Pillsbury Winthrop Shaw Pittman LLP. She provides advice to financial institutions, bank and non-bank, and financial services companies. Daniel Wood is a Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. Brian Montgomery is a Senior Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. The information contained in this update does not constitute legal advice and no attorney-client relationship is formed based upon the provision thereof.