Overview

Reprinted with permission from Law360.

Oenophiles may be familiar with the "struggling vine" theory — that grapes grown in adverse conditions produce better wine than those grown in ideal ones.

2023 was a year of struggle for bank-fintech partnership participants — but not necessarily one of "better" results. Many middleware providers, banks and partners suffered very public losses.

Oversimplifying these setbacks, many pundits have been quick to forecast doom for banking-as-a-service, or BaaS, players and the bank-fintech ecosystem as a whole.

Naysayers, however, ignore the vital role that partnerships play for banks, their partners and the future of financial services.

The turmoil of last year should serve not only as a warning to the unwary, but also as a guide for how banks and partners can better manage the inherent risks partnerships present.

Those that can incorporate the lessons learned over the last twelve months will be best positioned to thrive in 2024.

2023: A Year in Review

It was not a banner year for BaaS. Many early BaaS banks — which partner with fintech and other companies to provide financial products directly to the nonbank's customers — experienced some form of regulatory enforcement action.

In April, the Federal Deposit Insurance Corporation issued a consent order against Cross River Bank, alleging noncompliance with fair lending laws and inadequate oversight of its fintech partners.

Most recently, in November, the FDIC entered into a consent order with First Fed Bank.

The order stemmed from the bank and its partner Quin Ventures' alleged violations of various consumer protection laws, including the Truth in Lending Act, the Real Estate Settlement Procedures Act and the Electronic Fund Transfer Act.

The order noted concerns about the bank partner's implied claims that credit products with nonoptional debt cancellation features were unemployment insurance, and its misrepresentation of fees and benefits of the products offered via the partnership.

Similar to the Cross River consent order, First Fed was ordered to, among other things: (1) implement comprehensive risk assessment and third-party due diligence procedures; (2) review and approve all partner marketing; (3) implement processes for customer complaints; (4) review the policies of third-party service providers; and (5) conduct ongoing, semiannual partner reviews.

In addition to bank-specific consent orders, banking regulators issued more targeted, detailed guidance aimed at bank-fintech partnerships throughout the year.

On June 6, the FDIC, the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System issued their long-awaited interagency guidance on third-party relationship risk management.[1]

The interagency guidance stressed that not all relationships pose the same risks and called for banks to implement a tailored approach to life-cycle management — from diligence through termination.

Then, in August, the Fed announced its creation of a Novel Activities Supervision Program[2], which was designed to provide additional oversight over certain bank activities, including BaaS, and products involving digital assets.

Other developments unrelated to BaaS or specific bank-fintech partnerships have also had a marked impact on the partnership ecosystem. A number of banks failed in 2023, including Silicon Valley Bank's well-publicized demise, which led many businesses to reevaluate their banking partners for partnerships, and even for traditional banking services.

Consequently, businesses have begun to perform diligence on their banks, diversify their banking partners, and demand sweep networks and other products of their bank partners.

Rising interest rates, coupled with funders' increasing reticence, will likely result in the failure of more companies — including fintechs engaged in bank partnerships.

When partnerships end, bad feelings often linger, and disputes soon follow. Indeed, the demises of certain bank-fintech partnerships are already being litigated.

In sum, despite their promise, BaaS and bank partnerships are more perilous now than in the past.

Lessons Learned

Both banks and their partners — existing and prospective — should take note of the aforementioned guidance and developments and implement best practices that many in the industry already observe.

Among other areas, banks would be wise to consider the below.

Prospective partners may require deliberate due diligence.

Banks should carefully consider the novel financial, technical, operational, compliance and other risks that their partners present.

While a bank's vendor management program is often a good starting point, prospective partners may require additional diligence.

For example, if a partner is relatively new, it may lack the ability to provide audited financial statements, SOC-2 audits or the like.

When traditional approaches are unavailable, banks need to adapt their strategies, not abandon them.

Engage with your regulators, don't avoid them.

The first time your regulators learn of your partners should not be during your examination.

How and when to approach your regulators depends on myriad factors, but the bank should start the dialogue early, and appreciate that regulators are an important stakeholder for bank partnerships.

Contracts are not one-size-fits-all.

A well-crafted program agreement will respond to your partner's unique risks, anticipate and provide clarity for both parties throughout the life of the program, and allocate risk between the parties. But the precise terms that best protect the bank are rarely uniform.

Take, for example, a reserve provision. What are the potential costs each party is expected to bear? How large is the program? How many transactions?

These nuances should be reflected in the agreement.

Third- and fourth-party risks are real.

Regulators expect banks to oversee not only their direct partners, but also their partners' partners.

If a partner's onboarding vendor experiences a problem, that is ultimately the bank's problem.

Likewise, if the bank or its fintech partners utilize so-called compliance-as-a-service, or outsourced compliance vendors, the bank is still ultimately responsible.

Banks need to be prepared for when partnerships fail.

Not all partnerships will be successful.

Anticipating when a partner is in trouble is important, but it is also imperative that a bank anticipates whether and how it will wind down or transition a program when a partnership ends.

Likewise, partners seeking to offer customers financial products should consider the lessons of partnerships past.

Banks are not fungible.

Not every bank has the same strengths or provides the same products.

Too often, when looking for a bank partner, businesses default to those they know or the banks whose partnership programs are better known. That can be a mistake.

Industry professionals and associations often have insightful feedback on which banks might be a good fit.

Understand regulation by proxy.

Many fintechs and businesses partner with a bank because the bank is licensed to perform certain activities and they are not.

However, just because the fintech is not regulated, that does not mean they can avoid regulation.

Particularly where the fintech or business is responsible for an activity for which the bank is ultimately subject to supervision, the business will need to consider the relevant rules and regulations.

Put differently, just because you are not a money transmitter, that does not mean you do not need a Bank Secrecy Act program.

Some terms are negotiable, but others are not.

Not everything is negotiable in bank partnerships. Many businesses bristle at the extensive audit and approval rights upon which banks insist.

However, if those terms are not included, the bank's regulators may direct the bank to end the partnership, and a premature termination benefits no one.

Negotiation is not always a zero-sum game.

The recent demise of the Goldman Sachs-Apple relationship is instructive here.

If the terms of your partnership are too one-sided, the partnership may be doomed from the start.

Like a relationship, partnerships need to work for both parties. Negotiate accordingly.

Communication is key.

The work does not end once the agreement is signed.

When problems arise, banks and their partners benefit from addressing these problems together. Indeed, banks can help their partners anticipate and address potential issues.

Frequent ongoing communication can prevent potential regulatory molehills from becoming mountains.

2024 and Beyond

Despite the regulatory headwinds, more community banks are eager to enter the fray, and the need for embedded finance and other financial products shows no signs of abating.

To the contrary, insiders continue to forecast exponential growth. In the near term, we should expect additional enforcement actions and more fallout from heavily scrutinized partnerships.

Hopefully, however, armed with more robust contractual, compliance and procedural protections, banks and their partners may overcome these early struggles and enjoy the fruits partnerships can yield.

About the Lawyer

Justin C. Steffen is a partner in BFKN’s Financial Institutions Group. Clients seek out Justin for help with managing and negotiating partnerships (Fintech and BaaS), payments issues (real time, wires, ACH, card networks, BIN sponsorship), digital asset matters, and other technology-focused concerns (financial privacy, artificial intelligence and machine learning, and data analytics and usage). Justin helps scores of bank and fintech clients identify and evaluate prospective partners, negotiate program management and partnership agreements, obtain regulatory approval for BaaS and other strategic endeavors, and manage ongoing partnerships. In the last few years alone, he has helped clients launch products and services including credit, debit and prepaid cards, payment processing, real-time and faster payments services, commercial and consumer loans, digital asset custody, and investment products.
