TAKEAWAYS
- The Federal Deposit Insurance Corporation (FDIC) recently published a consent order issued against Cross River Bank that alleged noncompliance in the bank’s fair lending program and weaknesses in its oversight of fintech lending partners.
- The Office of the Comptroller of the Currency (OCC) entered a similar consent order against Blue Ridge Bank in 2022 based on allegations that the bank engaged in unsafe and unsound practices related to its partnerships with fintechs.
- Given the FDIC and OCC consent orders, as well as established fair lending compliance principles, banks should consider evaluating their own compliance programs.
Banking regulators have recently imposed restrictive consent orders on leading banking-as-a-service (BaaS) providers, the most significant of which alleged a series of fair lending violations. These actions should serve as a warning that all banks and fintechs must be prepared for heightened fair lending scrutiny.
The Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) have each issued recent consent orders that place significant restrictions on the subject banks’ ability to provide BaaS and enter into new partnerships with fintechs. The FDIC’s recent consent order is especially significant because it focuses on fair lending, an area on which regulators are laser focused for all banks and that presents unique compliance challenges in the context of bank-fintech partnerships.
Recent Enforcement Activity
On April 28, 2023, the FDIC published a consent order issued against Cross River Bank, one of the BaaS industry’s leading providers, that alleged noncompliance in the bank’s fair lending program and weaknesses in its oversight of fintech lending partners. The FDIC consent order does not cite any specific discriminatory practices, nor does it require the bank to make restitution to customers. However, it does require the bank to engage in substantial due diligence and obtain the FDIC’s prior approval before entering into any new fintech partnership, a significant restriction on the bank’s BaaS program. The consent order also requires the bank to take a series of actions focused on strengthening the bank’s fair lending and third-party risk management compliance programs.
The OCC entered a similar consent order against Blue Ridge Bank in August 2022 based on allegations that the bank engaged in unsafe and unsound practices related to its partnerships with fintechs. Like the recent FDIC order, the OCC’s order also requires the bank to obtain the OCC’s prior approval before onboarding any new fintech partners and implement a series of compliance reforms.
Soon after the OCC consent order became public, Acting Comptroller Michael Hsu addressed BaaS in a series of public remarks discussing the growing market for BaaS and the OCC’s increased supervisory focus on bank-fintech partnerships. Mr. Hsu indicated that the OCC had implemented a more targeted approach to examining banks that focus on BaaS as a core component of their business model and that the OCC was also beginning to engage more directly with fintechs that partner with banks. Mr. Hsu also indicated that the OCC has been collaborating with its peer regulators on BaaS issues, and the FDIC’s recent consent order appears to be evidence of that collaboration.
Although the FDIC’s recent consent order arose out of allegations involving noncompliance with lending laws, all BaaS providers and fintechs should take note. The alleged compliance failures and required enhancements that the FDIC and OCC have identified extend beyond lending, and regulators can and likely will apply these principles to all banks involved in partnerships with fintechs.
Compliance Housekeeping: Areas at Risk
Bank regulators have made clear that they are intently focused on the unique compliance challenges in bank-fintech partnerships. These relationships will continue to be a focus of examinations, and, if regulators identify compliance weaknesses, they will not hesitate to impose additional consent orders.
Given this regulatory environment, banks should consider immediately assessing their fair lending compliance and third-party risk management programs. High-priority compliance tasks include:
- Reviewing the role of the Board and bank management in fair lending compliance.
- Evaluating the frequency and scope of the bank’s fair lending risk assessments.
- Assessing the bank’s procedures for evaluating the fair lending risk of fintech partners.
As banks prepare for an increased focus by regulators on fair lending compliance, the suggestions above can provide a useful tool for prioritizing and focusing on areas for more immediate action. However, they are not intended to be a comprehensive list or a substitute for an ongoing fair lending program and comprehensive evaluation of a bank’s fair lending and third-party risk.