Federal regulators have been ramping up scrutiny of banks’ third-party relationships for years, but the emergence of banking-as-a-service and other fintech relationships intensified debate and produced new interagency guidance in early June. As the guidance nears the six-month mark, assessment of its impact is highly divergent — from “a chilling effect” on BaaS deals to a workaday belief that the document underscores the responsibilities of both banks and fintechs as they increasingly work together.
The June document, “Interagency Guidance on Third-Party Relationships: Risk Management,” was jointly issued by the Federal Reserve, the Comptroller of the Currency and the Federal Deposit Insurance Corp.
Two sessions at the November policy summit of the American Fintech Council exposed a wide assortment of viewpoints on its guidance. One featured a former FDIC chair and the other a panel of financial institutions, consultants and other experts on bank-fintech partnerships.
This FI Built Two Branches Without Adding Consumer Lending Employees.
Heartland wanted to expand. Being short-staffed made it hard. Here’s how deploying a new technology helped them build two new branches anyway.
Read More about This FI Built Two Branches Without Adding Consumer Lending Employees.
How eSignature workflows can win over the next generation
Listen and learn how Denison State Bank has adapted their strategies to meet the evolving needs of today’s consumers in this 15-minute interview.
Read More about How eSignature workflows can win over the next generation
Banking Agency Document has ‘Chilling Effect’ on Partnerships
Twice during a fireside chat about federal legal developments, former FDIC Chairman Jelena McWilliams spoke of the guidance having a “chilling effect” on bank-fintech deals, including banking-as-a-service relationships. McWilliams, a Trump appointee whose term straddled the Trump and Biden administrations, is now managing partner of the Washington, D.C., office of Cravath, Swaine & Moore LLP and head of the firm’s financial institutions group.
“Banks need to know how to comply. If you don’t give them road lines to stay within lanes, they will be hesitant to engage in partnerships.”
—Jelena McWilliams, Cravath, Swaine & Moore, LLP
This worries her because many of the nation’s surviving banks are small and can’t compete effectively without support, in her view.
“They have to partner up with fintechs in order for them to stay viable and in business,” said McWilliams. Nonetheless, she believes that the current top federal regulators don’t like bank-fintech partnerships, including BaaS, seeing them as potentially risky, and wish to discourage them, though she said they know that they can’t bar them outright. Instead, “they are trying to make it more difficult.” She acknowledged that there have been statements from Acting Comptroller Michael Hsu, for example, indicating belief that BaaS is here to stay. But she predicted that the concept would face “troubled waters, dire straits” for the next couple of years.
McWilliams gave two broad reasons for her assessment.
First, she said that as a former general counsel of a regional bank (Cincinnati’s Fifth Third), she would have difficulty advising a board and management how to proceed under the guidance. For all its length — nearly 70 pages — she finds it hard to tell what institutions’ boundaries are.
“Banks need to know how to comply,” said McWilliams. “If you don’t give them road lines to stay within lanes, they will be hesitant to engage in partnerships.”
Her second reason for a “chilling effect,” McWilliams said, was that, while the guidance concerns partnerships in some form, “all of the responsibility and risk management rests with the bank.”
This presents a problem when communicating with regulators. McWilliams says several fintech clients have shared the experience of having a strong compliance program in place but being worried about whether their current or would-be banking partner could explain it to their regulator – often in response to queries from regulators.
She said these fintechs have asked to speak directly to the regulators, but that the banks frequently balk. The banks’ typical reaction is, “Heck no! You’re not speaking to my regulators because I don’t know what you’re going to say,” according to the attorney.
Read more: Maybe BaaS Is Absolutely the Last Strategy Your Bank Should Be Looking At
McWilliams: Boards Shouldn’t Be Managing Fintech Deals
In addition, McWilliams noted that a common feature of recent regulatory consent orders between institutions and federal agencies is tasking members of the bank’s board to manage the third-party relationships. She said that this role is inappropriate for bank directors and goes beyond the expertise that most board members at community banks have.
She added that consent orders in this area have often tagged banks for issues dealing with anti-money-laundering and Bank Secrecy Act compliance.
[An August 2023 report by Alloy found that 86% of U.S. fintechs surveyed paid more than $50,000 in compliance fines, 60% reported paying at least $250,000 and one-third over $500,000. Overall, 93% of the sample paid some measure of compliance fines.]
“The message being sent is that your every step is being watched,” said McWilliams, “and it’s not going to take a lot for you to get dinged on BSA/AML.” She said that these BSA/AML compliance shortfalls cited don’t happen because banks have poor regulatory programs, but “because that stuff is hard.”
McWilliams also expressed concern about the increasing politicization of the FDIC’s board, something that led her to resign her post as chairman at the end of 2021. McWilliams ascribed her 2021 departure to a “hostile takeover” focused on bank merger policy, which she described in an op-ed in the Wall Street Journal. The FDIC is historically an independent agency and she feels efforts by its board members, including CFPB director Rohit Chopra, to have it toe the current administration’s line will whipsaw regulators to match the political winds. And she predicted that each time the regulatory tail wags, banks will spend thousands of dollars on new compliance measures.
Read more: Should Fintechs Buy or Build Their Way into Banking Today?
What Practitioners Report from the Field
In a separate panel, multiple speakers indicated that scrutiny of deals has stepped up, adding to momentum that was already increasing. In addition, the expectation is that institutions will monitor their deals continuously.
“You have to study all of these consent orders and try to glean from them where the parameters lie.”
—Rob Lavet, SoFi
“‘Ongoing monitoring’ isn’t happening once a year now, like it was 15 years ago,” said Janet Hale of FTI Consulting. She said she’s heard players say that it helps to treat a fintech arrangement as if it were a branch of the bank. She acknowledges that that can be helpful in some situations. Hale said that the guidance makes it clear that the three issuing agencies reserve the authority to directly review third parties that banks team up with.
“Examiners are drilling down more and more into the fintechs in terms of their expectations,” said John Beccia of FS Vector, a consulting firm that works with banks and fintechs.
A clear warning from the panel was that merely looking at what the guidance has to say won’t be enough to remain up to date on policy. Rob Lavet, general counsel of SoFi, said institutions and fintechs in deals should focus on every consent order that comes out.
“You have to study all of these consent orders and try to glean from them where the parameters lie,” said Lavet. He added that it was important to discern differences between each agency’s orders, because nuances exist between their viewpoints. SoFi comes under the Comptroller’s Office as a bank and the Federal Reserve as a holding company, and also came under the Consumer Financial Protection Bureau as it has passed $10 billion in assets. The CFPB has its own guidance on third-party deals.
Read more:
- How Banks and Fintechs Can Get the Best Results from Their Partnerships
- Avoiding ‘Me-Too’ Fintechs with Unusual Banking-as-a-Service Strategy
- Neobank Winners and Laggards Point to Long-Term Fintech Strategic Shift
Solve the Puzzle of Core Deposit & New Client Growth
In this strategy-centered webinar, Crack the Code of Core Deposit & Client Growth, learn how to create sustainable deposit and client growth. Watch Now.
Read More about Solve the Puzzle of Core Deposit & New Client Growth
The Latest Trends & Groundbreaking Innovations in Banking for 2025
Over 2,000 of the brightest minds in banking will be at The Financial Brand Forum in April exploring the big ideas and best practices that will reshape banking in the year ahead. Will you be there?
Read More about The Latest Trends & Groundbreaking Innovations in Banking for 2025
A Special Focus for Third-Party Deals: Fair-Lending Law
Fair-lending laws and rules are a special focus for the compliance staff at banks and fintechs. Fair lending continues to be a Biden administration priority, in general. In addition, as more fintechs and banks adopt artificial intelligence for credit evaluation, concerns persist that AI’s training on historical lending patterns can result in the software absorbing past bias.
Cross River Bank is under a consent order to stiffen its attention to fair lending, after regulatory review and not in the wake of specific findings of bias, said panelist Arlen Gelbard, general counsel. He said banks must remember that no matter which partner performs analysis on a loan application, the resulting loan belongs to the bank and therefore the bank bears the ultimate responsibility for any fair-lending violation that has been committed.
SoFi’s Lavet said a bank evaluating a potential partner needs to dig into the fintech’s internal due diligence over its fair-lending performance. A key part of that analysis concerns testing for “disparate treatment” and for “disparate impact” on applicants due to race or other protected status.
Disparate treatment concerns overt discrimination — refusal to lend to this racial group or that, for example — in the course of setting standards, arranging marketing, and more. (Redlining — physical or digital — is an example.) Disparate impact, by contrast, entails discriminatory results when nothing about a policy or process is overtly discriminatory, but results in different results among multiple groups of applicants.