In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders with two banks that partner with fintechs to offer “banking as a service” (BaaS).  The orders relate to safety and soundness, compliance with applicable laws, and third party oversight.  BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer.  A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms.  BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  While these FDIC consent orders did not specifically cite to the interagency guidance, we suspect the guidance was used to support the third party oversight criticisms in the supervisory examinations of the two banks.

February 1, 2024 Consent Order (FDIC-23-0110b)

The first consent order raised safety and soundness concerns related to the bank’s compliance with the Bank Secrecy Act (BSA) and third party oversight.  The consent order requires the bank to implement a revised written Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program, which is reasonably designed to, among other things, comply with 12 C.F.R. § 326.8 (the FDIC’s implementing BSA regulation).  The consent order specifically requires the bank to ensure that its AML/CFT Program meets the following minimum requirements:

  • Is commensurate with the bank’s money laundering/terrorist financing (ML/TF), and other illicit financial activity risk profile (ML/TF Risk Profile);
  • Addresses the deficiencies and weaknesses identified in the Report of Examination;
  • Includes the appropriate assessment and oversight, both initial and on-going, of any entity or party that has entered into a business relationship or arrangement with the bank (Third Party) wherein any AML/CFT regulatory requirement or obligation of the bank is outsourced to the Third Party with satisfactory documentation of such assessment and oversight;
  • Includes procedures for monitoring the performance of, and the bank’s adherence to, the AML/CFT Program with processes for documenting, tracking, and reporting on such performance and adherence to the Board;
  • Includes procedures for periodically reviewing and revising the AML/CFT Program to ensure that it is reasonably designed to monitor the bank’s BSA compliance; and
  • Satisfies the requirements of the consent order.

The bank must take the following actions to correct deficiencies and violations of laws related to AML/CFT and Customer Identification Program (CIP):

  • Review its AML/CFT resources and ensure staffing and systems are adequate based on the “Bank’s size and growth plans, complexity and organizational structure, geographic locations, customers, products and services offered, systems, the AML/CFT Risk Assessment, the Money Laundering/Terrorist Financing Risk Profile, and the deficiencies and weaknesses identified in the 2023 Report;”
  • Revise its policies, procedures, processes, and systems for the identification, monitoring, and reporting of suspicious activity;
  • Develop and implement a comprehensive AML/CFT training program;
  • Revise its policies and procedures for third party risk management;
  • Require Prepaid Third-Party Program Managers to collect all required CIP information, including the full first name of customers at account opening, and test for compliance during the CIP testing process;
  • Require Prepaid Third-Party Program Managers to develop procedures for responding to circumstances in which the bank cannot verify the identity of a customer, including timely resolution of identified deficiencies and outline circumstances and timeframes in which accounts must be closed when deficiencies are identified; and
  • Perform a 4-year lookback to ensure CIP information has been obtained and verified.

February 27, 2024 Consent Order (FDIC-23-0038b)

The second consent order with the FDIC raises similar safety and soundness concerns related to the bank’s oversight of third party relationships and BSA compliance.  The order also includes violations of Regulation E and Regulation DD.  The bank is required to enhance its AML/CFT Program, Compliance Management System (CMS), and Third Party Relationship Program (TPR Program).  Specifically, the bank must ensure that its CMS has (i) appropriate staffing of officers with experience and expertise to comply with applicable laws; (ii) systems and procedures to monitor and test the effectiveness of policies, procedures, and processes to comply with applicable laws; (iii) an independent and effective quality assurance internal audit function appropriate for the size of the bank and the nature, complexity, and scope and risk of the bank and its activities; (iv) appropriate committee governance and meetings; and (v) assessment of consumer compliance risk.  The bank must also adopt an interest rate risk action plan.  The bank must take corrective action to correct unsound banking practices and violations of applicable laws and review data and systems to create an action plan to address any deficiencies or weaknesses identified.

For its TPR Program, the bank must perform a risk assessment on its relationships to identify any deficiencies, weaknesses, issues, and/or concerns related to due diligence; written agreements; oversight, monitoring and testing; and data systems and reporting and execute an action plan to address each identified concern from the risk assessment.

For its AML/CFT Program, the bank must implement similar program requirements as those set forth above for the first consent order.  Additionally, the bank must revise its customer due diligence procedures and perform independent testing of its AML/CFT Program. 

The bank is required to perform a 2-year lookback for its transaction and suspicious activity report and a 4-year lookback for its handling of Regulation E disputes.

The bank also is required to submit its Funds Management Program and Strategic Plan to the FDIC Regional Director for review, comment, and non-objection. 

Additionally, each bank must share its respective consent order with its shareholders. 

“True Lender” Laws

Bank/fintech partnership programs have also faced challenges as many states are proposing and enacting “true lender” laws.  Generally, these “true lender” laws provide that a bank’s non-bank partner is the actual lender when the non-bank holds or acquires the predominant economic interest in the loans, and/or markets, arranges, or facilitates the loans; and/or provide that the loan is deemed to be made by the non-bank if “the totality of the circumstances” indicates that the non-bank is the lender and the transaction is structured to evade the requirements of the statute.  These laws are intended to defeat interest rate and fee exportation and support imposition of state licensing requirements.

Ballard Spahr attorneys are experienced in helping banks and fintechs risk assess their BaaS relationships and prepare for supervisory examinations.