Last month, the Federal Deposit Insurance Corporation (“FDIC”) took action against a bank for alleged unsafe or unsound banking practices. This, in and of itself, is not unusual or newsworthy. What is unusual and newsworthy, however, is that this enforcement action was based entirely on a single banking-as-a-service (“BaaS”) relationship maintained by the bank.
This is the latest evidence of the FDIC’s increased scrutiny of financial technology (“fintech”) and BaaS relationships maintained between banks and third-party providers. The message is clear: banks have to answer to their regulators for their BaaS/fintech partners’ activities.
The bank and the FDIC ultimately entered into a consent order that has been made public via an SEC filing by the bank. While the order does not contain granular detail about the activity that led to the enforcement action, it is clear the bank has been held responsible for its BaaS partner’s alleged violations of various consumer protection laws, including the Truth in Lending Act (“TILA”), the Real Estate Settlement Procedures Act (“RESPA”), and the Electronic Fund Transfer Act (“EFTA”). Specifically, the FDIC took issue with the BaaS partner’s “implied claims that credit products with non-optional debt cancellation features were unemployment insurance.”
This consent order is very similar to another consent order issued by the FDIC in March of this year. This time, however, the FDIC examined issues related to both credit and deposit products offered by the bank in conjunction with a third party. This is a clear indication that BaaS partnerships are quickly becoming a focal point for this regulator.
This enforcement action comes less than six months after the FDIC, the Federal Reserve, and the Office of the Comptroller of the Currency (the “Agencies”) issued updated Interagency Guidance on Third-Party Relationships: Risk Management (the “Interagency Guidance”). While the Interagency Guidance “does not have the force and effect of law and does not impose any new requirements” on banks, the Agencies made clear they will pursue enforcement actions to address any violations of law or unsound banking practices undertaken either by the bank or by the third party with whom the bank is transacting. It looks like the FDIC is making good on that promise.
The FDIC has ordered the bank to “review, revise, develop, and/or implement, as necessary a sound, risk-based” compliance program that addresses compliance with consumer protection laws “as it concerns activities related to [the bank’s] third-party relationships.” And, notably, the FDIC has ordered the bank to build out or revise policies and procedures for assessing risk and conducting due diligence on its BaaS/fintech partners before a contract is in place. This type of front-end examination is crucial to help banks minimize the long-term regulatory risk associated with BaaS/fintech partnerships. If the third party does not have a robust compliance program or is otherwise unable to withstand detailed due diligence before the contract is signed, the regulatory risk to the bank increases exponentially as the relationship continues.
The FDIC ordered the bank to correct all violations identified by the FDIC as well as implement procedures to prevent future violations of relevant statutes and regulations. Among other actions, the FDIC:
- ordered the bank’s board of directors and management team to implement an adequate compliance program to address all consumer compliance risks associated with the bank;
- restricted the bank’s future ability to establish any new relationships with fintech vendors prior to receiving a written non-objection from the FDIC;
- required the bank to review, revise and implement effective policies, monitoring, training and auditing procedures for all of the bank’s agreements with third parties and the services performed for the bank pursuant to those agreements; and
- required the bank to provide regular written progress reports to its parent company and the FDIC.
To be sure, the use of third parties can give banks access to new technologies, human capital, delivery channels, products, services and markets. But, with this latest enforcement action, the FDIC is communicating that the use of third parties does not diminish a bank’s responsibility to perform its activities in compliance with applicable laws and regulations, including those related to consumer protection and the security of consumer information.
As fintech and BaaS relationships continue to grow, and as the contractual ecosystem between these parties becomes increasingly complex, look for increased enforcement actions by the FDIC and the other prudential regulators.
Below are a few implications and recommendations for organizations across the fintech/BaaS ecosystem.
- Banks should review and update their processes for identifying “critical activities” as well as their third-party risk management policies and procedures, and address any potential gaps. If they have not already done so, banks should consider implementing a process for inventorying all of their third-party relationships.
- Smaller banks should also understand that entering into any relationships with fintech providers may result in increased costs related to onboarding and monitoring.
- Any bank technology vendor or supplier should familiarize themselves with the Interagency Guidance. The Interagency Guidance encourages banks to increase due diligence efforts, undertake more granular contract review, and increase monitoring and auditing of their vendors. The downstream effect on vendors means they can expect increased costs and allocation of labor associated with responding to requests for information from their potential bank clients.
- Although the Interagency Guidance applies directly to banks only, fintechs partnering with banks need to familiarize themselves with the framework in which they are expected to exist. The Interagency Guidance makes it clear that the Agencies will increase their focus on third-party risk management processes related to fintech partnerships in particular. Fintechs should understand the five stages of the third-party life cycle and work in tandem with their bank clients, especially in the onboarding and monitoring stages.
Our attorneys are ready to serve our clients in addressing regulatory issues and analyzing their third-party relationships. If you are subject to, or are a third party that may be affected by, the Interagency Guidance, do not hesitate to contact us to see if we can be of any assistance.
About Our Author
Amy Hanna Keeney (CIPP/US) is the Adams and Reese Financial Services Regulatory and Compliance Team Leader. A Partner practicing in the Atlanta office, Amy assists banks, credit unions, and non-bank financial service providers in launching and servicing new financial products, and helps them navigate the complex regulatory landscape for fintech services and products. Amy has an in-depth understanding of financial privacy rights and how they impact a financial institution’s or service provider’s third-party risk management program.