Blue Ridge Bank recently entered into a written agreement with the OCC (available here), highlighting the regulator’s concerns with the bank’s banking-as-a-service (“BaaS”) business model. Then, just a few days ago, Acting Comptroller Hsu warned that bank-fintech partnerships could pose severe problems or systemic risk, portending increased scrutiny of such relationships.
These recent developments are neither unprecedented nor unexpected. Our prior Barack Ferrazzano Client Alerts and articles have tracked the evolution of regulatory attitudes towards partnerships over the last few years (linked below).
These developments, moreover, are not a deterrent. They are a roadmap, showing how banks can do partnerships properly. To that end, it is important to understand the OCC Agreement, its context, and what banks should do to avoid incurring unwanted regulatory scrutiny.
1. Bank Secrecy Act Compliance:
- What the OCC Agreement Says. Blue Ridge Bank must “adhere to an effective Bank Secrecy Act Risk Assessment Program”, conduct audits of its program, retain sufficient compliance personnel, and obtain beneficial owner information for all bank customers.
- The Context. Frequently, fintech partnerships involve the use of “for benefit of” (“FBO”) accounts or similar structures whereby the fintech partner—not the bank—performs the required customer due diligence.
- What this Means for your Bank. Not all prospective partners have the same experience, controls, or BSA acumen as your bank. Approving your partner’s diligence program is just one step toward ensuring that the bank is familiar—and comfortable with—the fintech and its customers. Conducting diligence on the fintech’s compliance staff, conducting regular audits, and routinely communicating regarding customer onboarding procedures and controls are essential.
2. Information Technology Control Program:
- What the OCC Agreement Says. The bank shall “implement and adhere" to an acceptable written program to effectively assess and manage the bank’s information technology activities.
- The Context. Increased data privacy regulations and information security threats necessitate more detailed planning and preparation. It is not uncommon for banks to have hundreds of partners or vendors and the bank’s fintech partners each may rely on numerous vendors, as well. A vulnerability in your partner’s vendor’s vendor isn’t just an issue for that business, it’s an issue for the bank.
- What this Means for your Bank. The bank should have appropriate disaster recovery, information security, and business continuity plans, and so should its partners. In addition, by including your own IT personnel in the partner diligence process, the bank can better apprise its partner’s operations and address potential issues before they become problems.
3. Board Responsibilities:
- What the OCC Agreement Says. The board must “authorize, direct, and adopt corrective actions” on behalf of the bank.
- The Context. Blue Ridge was the subject of an April 2021 letter from the Student Borrower Protection Center, and other advocacy groups, to the OCC concerning the bank’s income share lending through a fintech partner. Reports also suggest that the income share lending was also an obstacle to the bank obtaining regulatory approval for a potential merger. New technologies mean new risks. New, untested financial products often garner disproportionate regulatory scrutiny.
- What this Means for your Bank. When a bank evaluates a new product, it must first understand the underlying technology and attendant risks. Educating key stakeholders, including both your board and your regulators, as to the risks and the bank’s approach to mitigate them are fundamental steps to take before a partnership is commenced.
In sum, BaaS and fintech partnerships are a potentially lucrative opportunity for many institutions. Banks interested in pursuing these opportunities must be prepared to undergo extensive due diligence of their partners, dedicate sufficient internal staff and resources to managing the relationship once formed, and commit to routine audits of its partners’ security, customers, and operations.
Past Client Alerts
Client Alert: Banking Crypto: Obtaining Regulatory Permission
Client Alert: FinTech Partnerships Under the Regulatory Microscope
- Client Alert: Digital Wallet Issues & How Banks Can Help
Client Alert: FDIC Publishes Conducting Business with Banks: A Guide for FinTechs & Third Parties
- Client Alert: Offering Banking-as-a-Service?
- Client Alert: New FDIC Guidance on Technology Service Provider (TSP) Contracts
- Client Alert: FinTech Regulatory Update - Bank & FinTech Agreements
- Client Alert: Working with a FinTech? – 5 Things to Know
- Client Alert Update: FinTech & Bank Partnerships
We Can Help You
Barack Ferrazzano Financial Institutions Group attorneys have helped launch numerous partnerships between banks and FinTechs. Please contact us if you are interested in discussing any potential FinTech partnership, software, or vendor.