On July 25, 2024, the federal banking agencies issued a joint statement flagging potential risks in bank-fintech arrangements, along with a request for public information (RFI) on the benefits, risks, and risk management practices associated with these innovative and often complex arrangements. The RFI requests feedback on a broad range of bank-fintech arrangements, including with respect to deposits, payments, and lending products and services; how they are structured; their benefits and risks; best practices for managing safety, soundness, and risk, and competition. Comments are due 60 days after the RFI is published in the Federal Register.

The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) have spent the past several years reviewing bank-fintech partnerships in examinations and have observed various potential risks that require tailored and enhanced compliance and operational measures. The joint statement and RFI should be considered within the current supervisory and enforcement context, in which the agencies have announced numerous consent decrees with institutions that failed to implement appropriate risk management programs in connection with their fintech partnerships. This most recent announcement, along with the agencies’ recent supervisory and enforcement actions and their broader focus on third party risk management, serves as a reminder that banks—of any size— seeking to partner with fintechs must do so carefully and pursuant to a robust risk management and oversight framework. For additional background on the agencies’ focus on third-party risk management, see here and here.

According to the joint statement and RFI, the agencies support innovation and third-party banking arrangements that are managed consistently with safe and sound practices and applicable laws and regulations. These types of arrangements are used to provide consumers and businesses with various services, including access to deposit accounts, payment services, and loans, among other financial products. From the bank perspective, these programs can help the institution access new technology and customer bases quickly and efficiently. For their part, fintechs generally seek out bank partnerships to gain access to payment systems and card networks and to minimize potential state requirements, such as those governing money transmission and lending licensure and other restrictions. When done right, these partnerships can introduce new products into the market, expand access to affordable financial services, and increase competition to the benefit of consumers and businesses.

Notwithstanding these potential benefits, the banking agencies have found that these arrangements may present consumer protection, safety and soundness, and compliance risks, and that some institutions lack sufficient compliance and risk management programs, given the inherent complexity of third-party arrangements. The joint statement in particular outlines various potential risks with bank-fintech partnerships, including in areas such as operational compliance, governance, anti-money laundering, and consumer protection.

These concerns are not new—in fact, the federal banking agencies have been especially active in bringing enforcement actions on the precise issues noted in the joint statement following the failure of three U.S. regional banks in the spring of 2023, and the recent bankruptcy of Synapse, a leading banking-as-a-service fintech that purportedly lost millions of dollars of customer funds. Some of these recent enforcement actions have focused on bank-fintech partnerships, for example:

• In January 2024, the OCC found a national bank to be in “troubled condition” as a result of continued failures to address BSA/AML compliance issues. The consent order required the bank to improve its risk management program for third-party fintech partners.
• In January 2024, the FDIC executed a consent order with a state nonmember bank that required an overhaul of its fintech-partnership program and limited the bank’s ability to grow its fintech partnerships pending FDIC approval.
• In September 2023, the Federal Reserve issued a cease and desist order to a state member bank that included 20 pages of detailed directions covering much of what the joint statement addresses.

Taken together, these matters (along with the Synapse collapse) suggest that the joint statement and RFI are part of an existing and ongoing initiative to push banks to improve their risk management and oversight of fintech partnerships. As noted, the joint statement provides a comprehensive summary of potential risks with these types of partnerships, which broadly aligns with prior banking agency guidance on third-party risk management. Reading between the lines, however, there are certain topics that likely are more relevant and should be prioritized in connection with a bank’s review of its risk management program. These include:

• Access to records related to deposits and transactions. In many fintech partnerships, the fintech is assigned responsibility for maintaining the ledger for transactions. However, a lack of access to these records, or a failure in the fintech’s ledgering system, can present various legal and compliance risks. These risks are likely heightened where the bank has established accounts “for the benefit of” (FBO) the fintech’s end users.
• Reliance on the fintech to perform regulatory compliance, particularly with respect to AML, presents various potential risks. Relatedly, the agencies have expressed concern that many fintech partnerships involve various levels of third parties, which can make it difficult for a bank to identify its customer identification and due diligence obligations. Accordingly, the banking agencies have emphasized the need for banks and their fintech partners to enter into contracts that clearly define the various roles and responsibilities of the participants.
• Oversight and governance through policies and procedures that address organizational structures, lines of reporting, expertise and staffing, internal controls, and audit functions. In various enforcement actions, the banking agencies have targeted institutions that purportedly grew their fintech partnerships programs faster than their corresponding risk management and operational capabilities.
• Lack of risk assessments and implementation of risk management controls to address AML, consumer protection, and other legal requirements. Areas that require particular attention include the potential for misleading statements related to deposit insurance, pricing, and terms and conditions. The joint statement also highlights the need for programs to ensure compliance with consumer protection laws such as Regulation E, and to manage and resolve customer complaints and disputes.

Underlying these risks is the federal banking agencies’ repeated emphasis on the importance of effective board and management oversight of bank-fintech partnerships. The board is ultimately responsible for a bank’s compliance with applicable laws and regulations. Accordingly, the agencies expect the board to provide clear guidance regarding acceptable risk appetite and policies and procedures, and to ensure that these steps and requirements are implemented in practice.

*  *  *  *

The recent joint statement and RFI continue the federal banking agencies’ scrutiny of the bank-fintech partnership model. These announcements, coupled with recent enforcement actions, demonstrate that the agencies expect banks and their fintech partners to implement robust and appropriate risk management practices and comply with all applicable laws. For those interested in learning more about bank-fintech partnerships, see our prior article, a Fintech Guide to Bank Partnerships: A Practical and Legal Roadmap.