On July 25, 2024, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Banking Agencies) issued a “Joint Statement on Banks’ Arrangements With Third Parties to Deliver Bank Deposit Products and Services” (the Statement) as well as a “Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses” (the RFI).
The Statement and RFI came on the heels of a speech by Acting Comptroller of the Currency Michael Hsu on “Trends Reshaping Banking” discussing, among other trends, “the increasing complexity of bank-nonbank relationships” and amidst bankruptcy proceedings for Synapse, formerly a leading “middleware” provider standing between banks and their fintech partners. With Synapse’s failure leaving many customers without access to deposits and reports of a shortfall in customer funds, pressure on leaders of the Banking Agencies to take action has been building for months. The Statement and RFI are the latest indication that regulatory scrutiny of bank-fintech partnerships is only increasing.
Below, after briefly describing the relevant context, we summarize the Statement and RFI, highlighting key areas of focus and apparent regulatory concern. We also discuss open questions and potential next steps.
What’s the Context for the Statement and RFI?
The fintech sector—including digital payments providers, neobanks, and buy-now-pay-later firms, among others—exploded over the last decade, with annual customer growth in some segments averaging more than 50% and market capitalization of publicly-traded fintech companies doubling since 2019. Some believe this growth may not only continue but accelerate. A 2023 Boston Consulting Group study projected that global fintech revenues will grow sixfold by 2030 (to reach $1.5 trillion) and more than triple current penetration of banking revenue as a whole (from 4% to 13%).
At least in the United States, however, access to the infrastructure underpinning modern finance—payments and credit card networks and Federal Reserve master accounts, for example—remains mostly limited to traditional financial institutions. For this reason, behind almost every fintech stands a bank, and the bank-fintech partnership model will be necessary unless and until there are wholesale changes to the US regulatory framework. As demand for products and services offered by fintech companies has grown, so too have banking as a service and embedded finance offerings (together, for ease, BaaS). In these business models, traditional banks partner with fintech providers to offer an array of financial products and services to customers.
Various BaaS structures exist but almost every model involves a fintech company offering the product or service at issue directly to consumers (generally through a digital application) with the financial product(s) or service(s) being provided by a bank or other regulated institution, sometimes on a “white label” basis. Although this model allows the fintech company to “own” the customer relationship and experience at the front end, it is the regulated entity on the back end that ultimately provides the financial services on offer.[1]
Growth in the fintech sector and the BaaS framework on which it depends has, of course, increased interdependencies between (mostly unregulated) fintech providers on the one hand and regulated financial institutions on the other—in some cases with a “middleware” provider interposing a technology layer to help them communicate. In his recent speech, Acting Comptroller Hsu described these as “long-intermediated supply chains of discrete services” that he believes are, by their nature, more complex and riskier than the direct banking relationships that prevailed for decades before—when, he noted, “[t]o place a deposit, get a loan, or make a payment, customers worked with [and only with] banks.”
Regulatory concern about these interdependencies and perceived risks has been growing for some time, evidenced most dramatically by a string of public enforcement actions against BaaS providers that began in late 2022 and continues. During this time, the Banking Agencies have taken multiple actions, often including heavy fines, against many of the most prominent fintech partner banks.[2] The collapse of Synapse in April 2024, and the Banking Agencies’ lack of tools to address the disruptions its customers faced, has only increased scrutiny on bank-fintech partnerships.
What Do the Statement and RFI Say About Bank-Fintech Partnerships? What Are the Banking Agencies’ Concerns and Areas of Focus?
Key Themes and Areas of Focus
Against this backdrop, the Statement and RFI are unsurprising in their substance and timing, and themes from the recent BaaS enforcement actions run through both. The Banking Agencies’ principal areas of focus will therefore be familiar.
Ultimate accountability for compliance with law remains with the bank.
Although the recent spate of enforcement actions against BaaS providers should leave little doubt that banks—and not their fintech partners—will be held accountable for legal compliance, we suspect the Banking Agencies felt compelled to emphasize this theme because of issues revealed in Synapse’s bankruptcy proceedings. And it is prominent.
On the very first page of the Statement, banks are reminded that “use of third parties does not diminish [their] responsibility to comply with all applicable laws and regulations.”[3] Likewise, the RFI notes that “different aspects of the end-user relationship may be allocated among the parties to a bank-fintech arrangement. However, banks remain responsible for compliance with applicable law.”[4]
Governance and compliance oversight structures must be commensurate with the risk and complexity of the business model.
Both documents, and especially the RFI, acknowledge the diversity of use cases involving bank-fintech partnerships, which “vary significantly in structure and product offerings.”[5] This diversity makes broadly applicable governance standards or compliance practices difficult to articulate; helpfully, the Banking Agencies do not attempt to do so in these documents.
Instead, the Statement and RFI suggest that the Banking Agencies expect entities within their jurisdiction to take a risk-based approach when determining how best to manage their fintech partnerships. For example, the Statement encourages development of “appropriate” and “adequate” policies and procedures, risk assessments, monitoring processes and reporting processes but stops short of prescribing specific requirements or expectations.[6]
Ordinary tools for risk management should be adapted to account for novel business models and applications.
Notwithstanding the diversity of bank-fintech partnerships and the associated difficulties of prescribing specific standards for risk management and compliance, the Banking Agencies make clear in both documents—as they have in earlier pronouncements and enforcement actions—that existing tools for risk management can, and should, be adapted and deployed to manage these arrangements. To this end, the Statement points to long-standing regulatory guidance that, the Agencies believe, should inform approaches to bank-fintech partnerships: the Interagency Guidelines Establishing Standards for Safety and Soundness and the Interagency Guidance on Third-Party Relationships.[7]
Discussion of Specific Vectors of Risk in Bank-Fintech Partnerships
The Statement and RFI also help to illuminate specific vectors of risk the Banking Agencies see in bank-fintech partnership arrangements. Although these also have been addressed in earlier statements, guidance, and enforcement actions, the documents provide greater detail and offer hints about areas for supervisory scrutiny going forward.
Not surprisingly, operational complexity features prominently in both documents—for example, arrangements characterized by fragmentation and dispersion of responsibilities, significant reliance on third parties, and barriers to accessing information or systems necessary for risk management and compliance.[8] Similarly, arrangements featuring increased Anti-Money Laundering / Countering the Financing of Terrorism compliance risk are also highlighted as increasing the risks inherent in bank-fintech partnerships.[9] These are routine themes in regulatory statements and enforcement actions concerning BaaS arrangements.
However, the Statement and RFI also discuss risk-amplifying factors that have not, to date, been emphasized in the context of bank-fintech partnerships. For example, the Banking Agencies identify strategic risk, particularly rapid growth and misaligned incentives between the parties, as features that can increase the risk of a partnership.[10]
Customer concentration resulting from fintech use cases targeting specific industries or demographics is another—this, according to the Banking Agencies, could increase liquidity risk and lead to financial stresses that banks must consider.[11] Finally, the Agencies highlight consumer compliance risk in fintech partnerships—“end-user confusion and misrepresentation regarding deposit insurance coverage”—as having the potential to magnify an institution’s risk profile in ways its ordinary banking business might not.[12]
The extent to which any of these factors may be present and factor into supervisory reviews of a bank-fintech partnership will vary, of course. But the Statement and RFI make clear that the Banking Agencies see them as concerns.
What’s Next for Banks and Their Fintech Partners?
The Statement does not create new obligations or impose additional requirements on banks and the RFI is, of course, an information-gathering tool that will not necessarily lead to new regulations.[13] Together, their immediate impact is therefore limited.
But as an indication of regulatory priorities and areas for future supervisory focus the Statement and RFI need to be taken seriously. To this end, when evaluating new or existing partnerships, banks and fintechs alike should consider the themes articulated in these documents and take steps to address them proactively, including for example by:
- Considering whether governance structures and compliance requirements are sufficient to address the specific risks of a bank-fintech partnership;
- Reviewing and, as necessary, revising contractual allocation of responsibilities, including where possible to reduce fragmentation and third-party reliance; and
- Ensuring that customer terms, agreements, and marketing materials are appropriate and clear.
* * * * *
We will continue monitoring developments and provide additional updates as warranted.
__________
[1] The US largest banks have not entered the BaaS market at scale; it is dominated instead by community and smaller regional banks, many of which found partnering with fintech companies to be a lifeline in an otherwise unfavorable landscape for smaller institutions.
[2] By some estimates, the odds of a BaaS provider being targeted by a regulatory enforcement action were multiples higher than those faced by banks not operating a BaaS program.
[3] Statement at 1.
[4] RFI at 18.
[5] Id. at 10.
[6] E.g., Statement at 4–7.
[7] Statement at 5
[8] E.g., Statement at 2–3, RFI at 18–19, 24–25.
[9] E.g., Statement at 7, RFI at 21.
[10] E.g., Statement at 3–4, RFI at 21–23.
[11] E.g., Statement at 3, RFI at 23.
[12] Statement at 4, RFI at 20–21.
[13] Responses to the RFI are due 60 days after publication in the Federal Register, which had not yet occurred at time of writing.
