Bank-Fintech Relationships: Key Regulatory Developments


Bank-fintech relationships and the Banking-as-a-Service (BaaS) landscape have become major regulatory focuses in the last two years, and it's essential to follow the latest compliance developments. We’re tracking key regulatory guidance, events, and discussions on bank-fintech oversight expectations, and updating this page as they develop.


Bank-fintech compliance in the spotlight

BaaS and embedded finance markets are growing exponentially as new forms of partnership between banks, technology providers, and businesses emerge to adapt to the latest banking, merchant, and consumer trends.

But regulators have taken note, even drawing parallels between the rise in emerging bank-fintech business models and the 2008 financial crisis.

It’s clear that successful fintech partnership programs require partner banks to maintain robust, effective compliance programs and closely manage risks in their fintech relationships.

As a result, the leading companies in this space are closely watching bank-fintech partnership regulatory developments, and investing in compliance tools to optimize fintech program oversight, onboarding, and scaling.

Cable is the complete effectiveness testing platform enabling BaaS banks and fintechs to grow faster with confidence in financial crime compliance, supercharged onboarding, and real-time oversight across all fintech programs.

Schedule a demo to see Cable's platform in action!

Timeline: Key bank-fintech regulatory developments

July 2021

The US federal bank regulatory agencies (the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve) release proposed interagency guidance on how banks should manage risks in third-party relationships, including bank-fintech partnerships. The guidance also says that under certain circumstances, the agencies may even examine banks’ third parties, including their AML and sanctions compliance.

Takeaway: The guidance signals regulators’ increasing attention on banks’ oversight and management of fintech relationship risks, and the growing scrutiny on banks and fintechs alike.

November 2021

In two speeches, the OCC's Acting Comptroller Michael Hsu speaks about “modernizing the bank regulatory perimeter.” He notes the OCC has seen “fintechs make technical, and questionable, arguments that their products or services fall outside the existing regulatory framework,” and warns against “regulatory arbitrage” in certain BaaS arrangements. He also says regulators should clarify “what is acceptable in a bank-fintech relationship.”

Takeaway: Under Hsu’s tenure, the OCC’s attention on bank-fintech partnerships has intensified. His speeches signal that banks and fintechs should expect heightened regulatory scrutiny on activities conducted in bank-fintech partnerships.

April 2022

The OCC announces its restructuring of community and midsize bank supervision, including adding fintech supervision specialists and appointing a deputy comptroller with primary responsibility for “novel banks and technology service providers.”

  • Read our breakdown here: What the OCC’s restructuring and bank-fintech partnership focus means for compliance officers

The US Consumer Financial Protection Bureau (CFPB) also enters the regulatory fray by announcing it will invoke a little-used authority to supervise fintechs and other nonbank companies determined to pose risks to consumers for potentially unfair, deceptive, or abusive acts or practices, or other acts or practices that potentially violate federal consumer financial law. The CFPB finalized its rule on making these determinations in November 2022.

Takeaway: Multiple regulators are focused on risks posed by bank-fintech partnerships. Greater oversight by banks is necessary, particularly for compliance with financial crime and consumer protection requirements.

July 2022

Various rumors of regulatory crackdowns on banks and BaaS providers emerge with reports of serious compliance issues at some banks and other banks slowing or ceasing onboarding of new fintechs.

  • Read our summary of these issues here: How Partner Banks Can Manage Increased Regulatory Scrutiny on BaaS & Fintech Relationships

August 2022

The earlier rumors become real with public disclosure of an agreement between the OCC and Blue Ridge Bank requiring the bank to strengthen its BSA/AML program and oversight of fintech programs, among other corrective actions, and imposing restrictions on the bank’s onboarding of new fintech partners or new activities with current partners.

  • Read about the new clarity from this OCC agreement on regulatory expectations for bank-fintech partnerships here: New Clarity on OCC Expectations for Bank-Fintech Relationships

September 2022

Acting Comptroller Hsu makes remarks causing more waves in the banking industry, as he notes bank-fintech partnerships are growing at “exponential rates” and compares this trend to safety and soundness concerns from the 2008 financial crisis. He believes that, “this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis.” Hsu also shares the OCC’s plan to “subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes” to better understand how to manage risks.

The OCC also releases its 2023-2027 Strategic Plan, highlighting its goal to “facilitate community banks’ safe and sound transition to digital banking” and new fintech arrangements.

Takeaway: These developments further solidify regulators’ heightened concerns with bank-fintech partnerships, but also demonstrate regulators’ efforts to understand how best to facilitate and supervise these relationships as the market evolves.

October 2022

The OCC announces it will establish an Office of Financial Technology, building on and incorporating its Office of Innovation. As we wrote in our 2023 Financial Crime Predictions, this is a positive indication of the OCC’s intent to invest resources in understanding and making bank-fintech partnerships work.


Additionally, the Wolfsberg Group releases updated Financial Crime Principles for Correspondent Banking, explicitly stating banks may extend the third-party risk management principles to “Non-Bank Financial Institutions (NBFIs) and Payment Service Providers (PSPs), including but not limited to, Money Services Businesses (MSBs) / Money or Value Transfer Services (MVTS), financial technology companies (FinTechs), Virtual Asset Service Providers (VASPs) and new payment method (NPM) companies.”

Takeaway: This guidance signals the broad call for more oversight in correspondent or quasi-correspondent banking relationships with fintechs. Previous lighter-touch oversight approaches by some banks will become riskier.

November 2022

The US Treasury Department releases its report “Assessing the Impact of New Entrant Non-bank Firms on Competition in Consumer Finance Markets” recommending that US federal banking regulators implement a clear and consistent supervisory framework for bank-fintech relationships, including finalizing the July 2021 proposed interagency guidance on third-party risk management and suggesting language for banks’ oversight provisions in contracts with fintechs.

Takeaway: This report reflects growing regulatory concern about the lack of oversight for fintechs offering consumer financial products, and the focus on holding banks accountable for overseeing their third-party relationships.

December 2022

Acting Comptroller Hsu pens an article re-iterating the need to modernize the bank regulatory perimeter and calling for more coordination across regulatory agencies to reduce regulatory arbitrage.

US Senate Banking Committee Chairman Sherrod Brown introduces the “Close the Shadow Banking Loophole Act” to level the regulatory playing field for retail and tech companies seeking to offer banking services through state-chartered industrial loan companies (ILCs). This came on the heels of Elon Musk’s indication of plans to integrate payments into Twitter.

Takeaway: Lawmakers are paying greater attention to the connection between banking institutions and tech firms, and adding to the calls for greater regulation and oversight.

January 2023

BaFin, the German financial regulator, announces a ban on Solaris, a German BaaS provider, from entering into new partnerships without first obtaining the regulator’s approval, due to deficiencies in risk management and anti-money laundering measures. This follows alleged previous audit findings identifying compliance and money laundering issues at Solaris, which led the regulator to appoint an auditor over the firm.

February 2023

The Bank of Lithuania finds that PayRNet, a subsidiary of Railsr, the prominent UK BaaS provider, had “grossly and systematically” violated AML regulations, leading the regulator to seek restrictions on PayRNet’s ability to onboard new clients while the compliance deficiencies were addressed.

March 2023

The shocking failures of Silicon Valley Bank and Signature Bank cause significant upheaval across the banking industry, triggering immediate calls for greater bank oversight. For example, Senator Elizabeth Warren immediately called for more regulatory scrutiny of banking practices in an op-ed: “Bank regulators must also take a careful look under the hood at our financial institutions to see where other dangers may be lurking.”

Crypto companies also come under further criticism. NYDFS Superintendent Adrienne Harris, in later public statements about Signature Bank, noted many crypto companies have insufficient AML compliance controls and checks. Notably, she criticized many crypto firms’ use of paper programs and Excel spreadsheets as representing immature AML compliance approaches:

“Speaking more broadly about the crypto industry, Ms. Harris said the sector still lacks maturity in its compliance programs even as it has grown in prominence. During many of the NYDFS’s examinations and enforcement actions, her team would find that many companies’ compliance programs consisted of 'reams of paper' and Excel spreadsheets, among other things, she said. ‘There is still a lack of maturity around Bank Secrecy Act-anti-money-laundering [compliance] and cybersecurity,’ Ms. Harris said. ‘We’re eager for the day when those systems mature and scale as the business side does.’”

Separately, in the UK, the FCA issues a “Dear CEO” letter warning payment services providers and EMIs about the regulator’s concerns with rising financial crime and lack of effective controls at firms to mitigate these risks:

“Over the past two years we have seen increasing evidence of financial crime in the payments portfolio. The ability to provide bank-like services, willingness to service high-risk customers, and weaknesses in some firms’ systems and controls, make PIs and EMIs a target for bad actors.”

The FCA's letter outlines numerous common AML deficiencies, emphasizes the need for a firm’s AML compliance program to be “effective and commensurate with the risks in the business, including as it grows over time” and highlights the expectation that a firm “conduct regular reviews to assess its compliance with anti-money laundering obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified.”

Additionally, Hindenburg Research issues a scathing report about Cash App, which calls out “an effort to grow Cash App’s user base by strategically disregarding Anti Money Laundering (AML) rules,” among other allegations. The report makes note of numerous problematic transactions that were routed through Cash App’s partner bank, Sutton Bank.

Finally, the OCC announces the establishment of its Office of Financial Technology, with Prashant Bhardwaj appointed as Deputy Comptroller and Chief Financial Technology Officer.

  • Read more about compliance pitfalls presented in bank-fintech relationships following these developments in the bank-fintech regulatory landscape: How to avoid compliance pitfalls in bank-fintech relationships

April 2023

Federal Reserve Governor Michelle Bowman touches on compliance issues in bank-fintech partnerships in a speech about de novo bank formation in the U.S. She highlights challenges in identifying who is responsible for compliance obligations in bank-fintech partnerships, and the regulatory expectation that full compliance measures are applied:

“This can raise challenging operational issues about who should "own" the customer relationship, but more importantly, about who is responsible for compliance obligations. From a policy perspective, there should be no net difference in the compliance expectations for banking-as-a-service and de novo banks that engage in the same underlying activity.”

Acting Comptroller Michael Hsu also touches on bank-fintech partnerships again in a speech about open banking regulation in the U.S. He notes critical culture clashes between banks and tech companies, with the latter emphasizing “moving fast and breaking things” instead of prioritizing trust:

“The culture of banking is small-c conservative. Because a bank’s greatest vulnerability is a loss of confidence, bank culture is defined by stability, prudence, and governance. By contrast, the culture of the tech industry believes in disruption, “moving fast and breaking things,” and the superiority of code. . . . In banking, trust is everything. It cannot be engineered or manufactured or bought. It must be earned, carefully maintained, and vigorously protected. An open banking culture that recognizes that and puts trust above other objectives, including growth and profit, will succeed and thrive over time.”

The month ends with a bang as the FDIC announces a consent order with Cross River Bank. According to the FDIC, the bank failed to establish and maintain "internal controls, information systems, and prudent credit underwriting practices," causing the regulator to impose numerous fair lending compliance requirements on the bank, which provide a good example of regulatory expectations for managing consumer protection risks in bank-fintech partnerships.

The requirements include, among others:

  • Assessments of the bank's ability to appropriately monitor its third-party relationships for fair lending compliance;
  • Risk assessments of the bank's partners and products for fair lending risks; and
  • Increased internal controls, oversight, and monitoring to ensure fair lending compliance by the bank's partners.

The FDIC also requires the bank to seek the regulator's written non-objection before offering new credit products or partnering with new third parties.

Takeaway: Given the bank's prominence in the BaaS space and numerous fintech partnerships, commentators view the consent order as a warning that the already heightened scrutiny of bank-fintech partnerships is rising to even higher levels.

August 2023

The Federal Reserve Board further reinforces the rising wave of supervisory concern with bank-fintech relationships by creating the Novel Activities Supervision Program to enhance supervision of any so-called "novel activities" by banks.

Such activities include: "activities related to crypto-assets, distributed ledger technology (DLT), and complex, technology-driven partnerships with nonbanks to deliver financial services to customers."


The FRB identifies certain challenges and risks associated with novel activities, including that they pose "unique questions around their permissibility, may not be sufficiently addressed by existing supervisory approaches, and may raise concerns for the broader financial system."

The regulator's supervisory approach will be "risk-based, and the level and intensity of supervision will vary based on the level of engagement in novel activities by each supervised banking organization. The Federal Reserve will notify in writing those supervised banking organizations whose novel activities will be subject to examination through the Program."

