On June 14, the Federal Reserve Board (Fed) released a cease and desist order against an Arkansas-based banking-as-a-service (BaaS) provider for compliance and risk management failures. As part of the order, the bank is prohibited, without prior approval, from (i) establishing any new fintech partners, subsidiaries, business lines, products, programs, services, or program managers, or (ii) offer new products, programs, or services to an existing fintech partner, program manager, or subsidiary.

According to the Fed, its examination found risk management deficiencies with the bank back in August 2023, and a subsequent review in January 2024 revealed further non-compliance with anti-money laundering (“AML”), Bank Secrecy Act (“BSA”), and Office of Foreign Asset Control (“OFAC”) requirements. The Fed also revealed deficiencies in the bank’s management of consumer compliance risks.

Under the order, the bank is required to undertake several measures. These include:

• The board of directors must draft a plan to strengthen board oversight of the bank’s management and operations and its compliance with BSA/AML and OFAC regulations; 
• Submit a plan to enhance its risk management practices including written policies and procedures to identify and manage risks with fintech partners; steps to ensure staff are adequately trained and have sufficient expertise and independence to manage its fintech partnerships; and have a process to quickly identify and report risk exposures related to its fintech partner program;
• Hire an independent third party to audit and review its fintech partner program for compliance with consumer laws and regulations;
• Develop a plan to improve its capital risk management in consideration of its fintech partner program and assess the adequacy of the bank’s capital; the bank must also come up with a plan to improve its liquidity risk management;
• Improve its processes and controls related to its BSA/AML program; and,
• Enhance its lending and credit risk management practices related to its fintech partner program. 

Putting It Into Practice: The bank joins a growing list of BaaS providers that have seen orders demanding better oversight over their fintech partnerships. (see our blog posts on similar consent orders in the past here, here, and here). The orders highlight the concern among federal regulators that banks lack proper oversight over their fintech partners, resulting in unsafe and unsound banking practices. This order once again underscores the need for banks to proactively reassess their fintech partnerships and current risk management practices against the prudential regulators’ final interagency guidance to ensure compliance and mitigate risk.