Bank-fintech relationships and the Banking-as-a-Service (BaaS) landscape have become a major regulatory focus in the last two years, and it's essential to follow the latest compliance developments. We're tracking and updating this page with key regulatory guidance, events, and discussions on bank-fintech oversight expectations.
Bank-fintech compliance in the spotlight
BaaS and embedded finance markets are growing exponentially as new forms of partnership between banks, technology providers, and businesses emerge to adapt to the latest banking, merchant, and consumer trends.
But regulators have taken note, even drawing parallels between the rise in emerging bank-fintech business models and the 2008 financial crisis.
It’s clear that successful fintech partnership programs require partner banks to maintain robust, effective compliance programs and closely manage risks in their fintech relationships.
As a result, the leading companies in this space are closely watching bank-fintech partnership regulatory developments, and investing in compliance tools to optimize fintech program oversight, onboarding, and scaling.
Timeline: Key bank-fintech regulatory developments
The US federal bank regulatory agencies (the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve) release proposed interagency guidance on how banks should manage risks in third-party relationships, including bank-fintech partnerships. The guidance also says that, under certain circumstances, the agencies may even examine banks' third parties, including their AML and sanctions compliance.
In two speeches, the OCC's Acting Comptroller Michael Hsu speaks about "modernizing the bank regulatory perimeter." He notes the OCC has seen "fintechs make technical, and questionable, arguments that their products or services fall outside the existing regulatory framework," and warns against "regulatory arbitrage" in certain BaaS arrangements. He also says regulators should clarify "what is acceptable in a bank-fintech relationship."
The OCC announces its restructuring of community and midsize bank supervision, including adding fintech supervision specialists and appointing a deputy comptroller with primary responsibility for “novel banks and technology service providers.”
The US Consumer Financial Protection Bureau (CFPB) also enters the regulatory fray by announcing it will invoke a little-used authority to supervise fintechs and other nonbank companies determined to pose risks to consumers for potentially unfair, deceptive, or abusive acts or practices, or other acts or practices that potentially violate federal consumer financial law. The CFPB finalized its rule on making these determinations in November 2022.
Various rumors of regulatory crackdowns on banks and BaaS providers emerge with reports of serious compliance issues at some banks and other banks slowing or ceasing onboarding of new fintechs.
The earlier rumors become real with public disclosure of an agreement between the OCC and Blue Ridge Bank requiring the bank to strengthen its BSA/AML program and oversight of fintech programs, among other corrective actions, and imposing restrictions on the bank’s onboarding of new fintech partners or new activities with current partners.
Acting Comptroller Hsu makes remarks causing more waves in the banking industry, as he notes bank-fintech partnerships are growing at “exponential rates” and compares this trend to safety and soundness concerns from the 2008 financial crisis. He believes that, “this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis.” Hsu also shares the OCC’s plan to “subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes” to better understand how to manage risks.
The OCC also releases its 2023-2027 Strategic Plan, highlighting its goal to “facilitate community banks’ safe and sound transition to digital banking” and new fintech arrangements.
The OCC announces it will establish an Office of Financial Technology, building on and incorporating its Office of Innovation. As we wrote in our 2023 Financial Crime Predictions, this is a positive indication of the OCC’s intent to invest resources in understanding and making bank-fintech partnerships work.
Additionally, the Wolfsberg Group releases updated Financial Crime Principles for Correspondent Banking, explicitly stating banks may extend the third-party risk management principles to “Non-Bank Financial Institutions (NBFIs) and Payment Service Providers (PSPs), including but not limited to, Money Services Businesses (MSBs) / Money or Value Transfer Services (MVTS), financial technology companies (FinTechs), Virtual Asset Service Providers (VASPs) and new payment method (NPM) companies.”
The US Treasury Department releases its report “Assessing the Impact of New Entrant Non-bank Firms on Competition in Consumer Finance Markets” recommending that US federal banking regulators implement a clear and consistent supervisory framework for bank-fintech relationships, including finalizing the July 2021 proposed interagency guidance on third-party risk management and suggesting language for banks’ oversight provisions in contracts with fintechs.
Acting Comptroller Hsu pens an article reiterating the need to modernize the bank regulatory perimeter and calling for more coordination across regulatory agencies to reduce regulatory arbitrage.
US Senate Banking Committee Chairman Sherrod Brown introduces the “Close the Shadow Banking Loophole Act” to level the regulatory playing field for retail and tech companies seeking to offer banking services through state-chartered industrial loan companies (ILCs). This came on the heels of Elon Musk’s indication of plans to integrate payments into Twitter.
BaFin, the German financial regulator, announces a ban on Solaris, a German BaaS provider, from entering into new partnerships without first obtaining the regulator’s approval, due to deficiencies in risk management and anti-money laundering measures. This follows alleged previous audit findings identifying compliance and money laundering issues at Solaris, which led the regulator to appoint an auditor over the firm.
The Bank of Lithuania finds that PayRNet, a subsidiary of Railsr, the prominent UK BaaS provider, had “grossly and systematically” violated AML regulations, leading the regulator to seek restrictions on PayRNet’s ability to onboard new clients while the compliance deficiencies were addressed.
The shocking failures of Silicon Valley Bank and Signature Bank cause significant upheaval across the banking industry, triggering immediate calls for greater bank oversight. For example, Senator Elizabeth Warren immediately called for more regulatory scrutiny of banking practices in an op-ed: “Bank regulators must also take a careful look under the hood at our financial institutions to see where other dangers may be lurking.”
Crypto companies also come under further criticism. NYDFS Superintendent Adrienne Harris, in later public statements about Signature Bank, noted many crypto companies have insufficient AML compliance controls and checks. Notably, she criticized many crypto firms’ use of paper programs and Excel spreadsheets as representing immature AML compliance approaches:
“Speaking more broadly about the crypto industry, Ms. Harris said the sector still lacks maturity in its compliance programs even as it has grown in prominence. During many of the NYDFS’s examinations and enforcement actions, her team would find that many companies’ compliance programs consisted of 'reams of paper' and Excel spreadsheets, among other things, she said. ‘There is still a lack of maturity around Bank Secrecy Act-anti-money-laundering [compliance] and cybersecurity,’ Ms. Harris said. ‘We’re eager for the day when those systems mature and scale as the business side does.’”
Separately, in the UK, the FCA issues a “Dear CEO” letter warning payment services providers and EMIs about the regulator’s concerns with rising financial crime and lack of effective controls at firms to mitigate these risks:
“Over the past two years we have seen increasing evidence of financial crime in the payments portfolio. The ability to provide bank-like services, willingness to service high-risk customers, and weaknesses in some firms’ systems and controls, make PIs and EMIs a target for bad actors.”
The FCA's letter outlines numerous common AML deficiencies, emphasizes the need for a firm’s AML compliance program to be “effective and commensurate with the risks in the business, including as it grows over time” and highlights the expectation that a firm “conduct regular reviews to assess its compliance with anti-money laundering obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified.”
Additionally, Hindenburg Research issues a scathing report about Cash App, which called out “an effort to grow Cash App’s user base by strategically disregarding Anti Money Laundering (AML) rules,” among other allegations. The report makes note of numerous problematic transactions that were routed through Cash App’s partner bank, Sutton Bank.
Finally, the OCC announces the establishment of its Office of Financial Technology, with Prashant Bhardwaj appointed as Deputy Comptroller and Chief Financial Technology Officer.
Federal Reserve Governor Michelle Bowman touches on compliance issues in bank-fintech partnerships in a speech about de novo bank formation in the U.S. She highlights challenges in identifying who is responsible for compliance obligations in bank-fintech partnerships, and the regulatory expectation that full compliance measures are applied:
“This can raise challenging operational issues about who should "own" the customer relationship, but more importantly, about who is responsible for compliance obligations. From a policy perspective, there should be no net difference in the compliance expectations for banking-as-a-service and de novo banks that engage in the same underlying activity.”
Acting Comptroller Michael Hsu also touches on bank-fintech partnerships again in a speech about open banking regulation in the U.S. He notes critical culture clashes between banks and tech companies, with the latter emphasizing “moving fast and breaking things” instead of prioritizing trust:
“The culture of banking is small-c conservative. Because a bank’s greatest vulnerability is a loss of confidence, bank culture is defined by stability, prudence, and governance. By contrast, the culture of the tech industry believes in disruption, “moving fast and breaking things,” and the superiority of code. . . . In banking, trust is everything. It cannot be engineered or manufactured or bought. It must be earned, carefully maintained, and vigorously protected. An open banking culture that recognizes that and puts trust above other objectives, including growth and profit, will succeed and thrive over time.”
The month ends with a bang as the FDIC announces a consent order with Cross River Bank. According to the FDIC, the bank failed to establish and maintain "internal controls, information systems, and prudent credit underwriting practices," causing the regulator to impose numerous fair lending compliance requirements on the bank, which provide a good example of regulatory expectations for managing consumer protection risks in bank-fintech partnerships.
The requirements include, among others:
- Assessments of the bank's ability to appropriately monitor its third-party relationships for fair lending compliance;
- Risk assessments of the bank's partners and products for fair lending risks; and
- Increased internal controls, oversight, and monitoring to ensure fair lending compliance by the bank's partners.
The FDIC also requires the bank to seek the regulator's written non-objection before offering new credit products or partnering with new third parties.
The Federal Reserve Board further reinforces the rising wave of supervisory concern with bank-fintech relationships by creating the Novel Activities Supervision Program to enhance supervision of so-called "novel activities" by banks.
Such activities include: "activities related to crypto-assets, distributed ledger technology (DLT), and complex, technology-driven partnerships with nonbanks to deliver financial services to customers."
The FRB identifies certain challenges and risks associated with novel activities, including that they pose "unique questions around their permissibility, may not be sufficiently addressed by existing supervisory approaches, and may raise concerns for the broader financial system."
The regulator's supervisory approach will be "risk-based, and the level and intensity of supervision will vary based on the level of engagement in novel activities by each supervised banking organization. The Federal Reserve will notify in writing those supervised banking organizations whose novel activities will be subject to examination through the Program."