The FDIC recently announced that it has entered into a Consent Order with Cross River Bank (CRB or Bank) to resolve FDIC charges that the Bank engaged in unsafe or unsound practices related to its fair lending compliance. (The Consent Order was issued in March 2023 but not made public until the end of last month.) Because the Bank is a “banking as a service provider” that makes loans through numerous partnerships with fintech companies, the Consent Order is widely-considered to be a warning to other banks that their bank-fintech partnerships are likely to receive increased scrutiny from regulators. In addition, while focused on fair lending compliance, many of the requirements imposed on the Bank by the Consent Order are likely to be indicative of FDIC expectations for how banks should be addressing other consumer protection risks associated with bank-fintech partnerships.
Key provisions of the Consent Order require the Bank to:
- Provide the FDIC with a list of each product through which credit is currently being offered by, through, or in conjunction with the Bank (CRB Credit Product) and identify any entity other than the Bank currently offering a CRB Credit Product (Third Party) and the CRB Credit Product(s) it is offering. (“Credit” has the meaning of such term in Regulation B.)
- Obtain the FDIC’s written non-objection before executing a binding commitment or agreement with a new Third Party, allow a New Third Party to offer a Credit Product through or in conjunction with the Bank or offer a New CRB Credit Product, either directly or indirectly. (A “New Third Party” and a “New CRB Credit Product,” are respectively, a Third Party and a CRB Credit Product that is not on the list of current list of Third Parties and CRB Credit Products.)
- Engage an independent, third party acceptable to the FDIC to assess whether the Bank’s Information pertaining to each CRB Credit Product, Third Party, and CRB Credit Model appropriately allows the Bank to determine and monitor whether such CRB Credit Products, Third Parties, and CRB Credit Models comply with applicable fair lending laws and regulations. (“Information” is defined to mean data, documents, records, and any other information in any medium or form. “CRB Credit Model” is defined to mean any models or systems, including any variables or weightings, used or relied on in connection with a CRB Credit Product.) The independent third party must also assess whether the Bank’s Information Systems allow the Bank to access, collect, and analyze the Information necessary to appropriately monitor, in a timely manner, each CRB Credit Product, every Third Party, and any CRB Credit Models and ensure that each such CRB Credit Product is offered, and every Third Party and CRB Credit Model operates, in compliance with applicable fair lending laws and regulations. (“Information Systems” is defined to mean the networks, systems, devices, software, hardware and other information resources, tools, mechanisms, and/or compensating controls used by the Bank to collect, process, maintain, use, share, disseminate, or dispose of Information pertaining to a CRB Credit Product, Third Party, or CRB Credit Model.)
- Conduct a risk assessment of all CRB Credit Products and Third Parties on the current lists to identify fair lending risks, including any risk associated with an “application” or “Credit Transaction” as defined in Regulation B, conducted by, through, or in conjunction with the Bank, and engage an independent, third party acceptable to the FDIC to conduct a fair lending resources study. The study must consider (i) the Bank’s size and growth plans; (ii) the current and anticipated number of CRB Credit Products and respective volumes, Third Parties, and merchants offering one or more CRB Credit Products through or in conjunction with a Third Party; (iii) the volume of decisions made by the Bank or on behalf of the Bank by a Third Party in conjunction with an application, including Credit underwriting practices, a CRB Credit Transaction, or any CRB Decisions; and (iv) the Bank’s use of non-staff resources, including software, automated systems and other technology. (“CRB Decisions” are decisions made in connection with the marketing of a CRB Credit Product, including the terms and conditions described in the marketing of a CRB Credit Product.) The independent third party’s report must identify any non-staff fair lending resource needs and enhancements recommended to ensure fair lending compliance, identify the type and number of mangers needed to supervise bank staff responsible for fair lending compliance, and identify the type and number of bank staff positions needed for compliance with the Consent Order and fair lending compliance.
- Develop fair lending internal controls that must be reviewed periodically on a risk basis but not less than annually and adjusted appropriately. The controls must include fair lending policies and procedures designed to (i) address and mitigate any risks identified in the fair lending assessment, (ii) require appropriate oversight and monitoring of all decisions made in connection with the marketing of a CRB Credit Product, including the terms and conditions described in the marketing of a CRB Credit Product, (iii) ensure fair lending compliance, and identify statistically significant disparities involving a prohibited basis (as defined in Regulation B). The policies and procedures must determine whether disparities are the result of acts or practices that do not comply with fair lending laws and regulations and determine appropriate corrective or remedial action and mitigation steps to prevent recurrences. The controls must also provide for fair lending training for Board members and managers and personnel with roles and responsibilities related to CRB Credit Products and must provide for satisfactory monitoring of CRB Decisions, Credit Products, and Third Parties for fair lending compliance. The Consent Order lists detailed minimum requirements for training and monitoring.
- Engage an independent, third party acceptable to the FDIC to assess the fair lending compliance of each Third Party offering a CRB Credit Product for a period of six months or more during a designated time frame. The Bank must develop a written plan for addressing any recommendations in the independent third party’s report of actions to be taken where a Third Party is not in compliance with fair lending laws and regulations.
- Develop policies and procedures to conduct periodic, but not less than annual, assessments of whether each Third Party offering CRB Credit Products for a period of more than six months during a calendar year preceding the assessment offered the products in compliance with fair lending laws and regulations. The Bank must also develop third party compliance internal controls that include policies and procedures designed to ensure fair lending compliance by Third Parties. The detailed minimum requirements for such policies and procedures are set forth in the Consent Order and include due diligence requirements for new Third Parties and new CRB Credit Products.