Recent FDIC consent orders show increased scrutiny of bank relationships with fintech partners

Reported by Kristen E. Larson & Kaley Schafer

In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders with two banks that partner with fintechs to offer “banking as a service” (BaaS). The orders relate to safety and soundness, compliance with applicable laws, and third party oversight. BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors, and the distributors deliver the integrated banking services directly to the customer. A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms. BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  While these FDIC consent orders did not specifically cite to the interagency guidance, we suspect the guidance was used to support the third party oversight criticisms in the supervisory examinations of the two banks.

February 1, 2024 Consent Order (FDIC-23-0110b)

The first consent order raised safety and soundness concerns related to the bank’s compliance with the Bank Secrecy Act (BSA) and third party oversight. The consent order requires the bank to implement a revised written Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program, which is reasonably designed to, among other things, comply with 12 C.F.R. § 326.8 (the FDIC’s implementing BSA regulation). The consent order specifically requires the bank to ensure that its AML/CFT Program meets the following minimum requirements:

  • Is commensurate with the bank’s money laundering/terrorist financing (ML/TF), and other illicit financial activity risk profile (ML/TF Risk Profile);
  • Addresses the deficiencies and weaknesses identified in the Report of Examination;
  • Includes the appropriate assessment and oversight, both initial and on-going, of any entity or party that has entered into a business relationship or arrangement with the bank (Third Party) wherein any AML/CFT regulatory requirement or obligation of the bank is outsourced to the Third Party with satisfactory documentation of such assessment and oversight;
  • Includes procedures for monitoring the performance of, and the bank’s adherence to, the AML/CFT Program with processes for documenting, tracking, and reporting on such performance and adherence to the Board;
  • Includes procedures for periodically reviewing and revising the AML/CFT Program to ensure that it is reasonably designed to monitor the bank’s BSA compliance; and
  • Satisfies the requirements of the consent order.

The bank must take the following actions to correct deficiencies and violations of laws related to AML/CFT and Customer Identification Program (CIP):

  • Review its AML/CFT resources and ensure staffing and systems are adequate based on the “Bank’s size and growth plans, complexity and organizational structure, geographic locations, customers, products and services offered, systems, the AML/CFT Risk Assessment, the Money Laundering/Terrorist Financing Risk Profile, and the deficiencies and weaknesses identified in the 2023 Report;”
  • Revise its policies, procedures, processes, and systems for the identification, monitoring, and reporting of suspicious activity;
  • Develop and implement a comprehensive AML/CFT training program;
  • Revise its policies and procedures for third party risk management;
  • Require Prepaid Third-Party Program Managers to collect all required CIP information, including the full first name of customers at account opening, and test for compliance during the CIP testing process;
  • Require Prepaid Third-Party Program Managers to develop procedures for responding to circumstances in which the bank cannot verify the identity of a customer, including timely resolution of identified deficiencies and outline circumstances and timeframes in which accounts must be closed when deficiencies are identified; and
  • Perform a 4-year lookback to ensure CIP information has been obtained and verified.

Read full report: https://www.consumerfinancemonitor.com/2024/04/09/recent-fdic-consent-orders-show-increased-regulation-scrutiny-of-bank-relationships-with-fintech-partners/
