Amid recent scrutiny and enforcement activity in the banking-as-a-service (BaaS) space, federal regulators have issued a joint statement reiterating the importance of banks’ oversight of certain third-party relationships through sound risk management practices.
The July 25, 2024 joint statement by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency follows more general third-party risk management guidance the agencies updated in 2023 and a handbook the agencies released earlier this year to assist community banks in implementing such guidance. Like the 2023 guidance, the joint statement reiterates that a bank’s reliance on third parties does not diminish its responsibility to comply with applicable laws and regulations, and it highlights that banks often face increased risks that need to be mitigated when partnering with third parties.
While the agencies note that the joint statement does not alter existing legal or regulatory requirements or establish new supervisory expectations, it examines specific forms of BaaS relationships in more detail than prior guidance, identifying certain categories of risk and circumstances that the agencies have observed in the space and that have been the subject of recent public enforcement actions against banks. The regulators also issued a request for information (RFI) to gather insight into the nature and implications of these relationships and effective risk management practices.
The 2023 guidance largely restates previously published third-party risk management principles and applies to virtually any third-party relationship that a bank enters into (including referral arrangements and certain types of the bank’s own customer relationships). The joint statement, on the other hand, focuses on arrangements between banks and third parties to deliver bank deposit products and services. According to the joint statement, these third parties “sometimes include non-bank companies, such as, but not limited to, certain financial technology (or fintech) companies.” The RFI expands on this concept (including in connection with lending and payments services) to explore a stated interest in whether “enhancements to existing supervisory guidance may be helpful in addressing risks associated with these arrangements.” In this sense, the agencies articulate a new regulatory concept of BaaS and possible heightened supervisory expectations that may apply to it.
The RFI contrasts these bank-fintech arrangements with those involving “a core bank service provider or other third-party providers,” which the agencies suggest may “help or hinder” such arrangements. Both the joint statement and RFI seem to distinguish these arrangements from traditional core or similar providers based on (1) their complexity, including the involvement of multiple subcontractors or other intermediaries (including “middleware” firms); (2) the prevalence of a direct relationship between these providers and the relevant “end users” of the products and services; and (3) the degree of the bank’s reliance on fintech partners not only for engaging in direct customer communications but also for performing compliance functions. A major theme of the joint statement is that these factors can combine to outpace the ability of a bank to appropriately manage the risks such an arrangement poses to its customers and to its overall safety and soundness.
Although the joint statement expresses support for responsible innovation and banks’ engaging in BaaS relationships that are conducted in a safe and sound manner, the regulators focus on a number of areas where new risks may emerge or existing risks may be amplified, some of which have surfaced in recent enforcement actions and BaaS market dynamics. As general themes, the regulators highlight:
- Operational and compliance risks that may develop when significant bank operations are performed in whole or in part by third parties, when there’s a lack of access to key records maintained by third parties, or when there’s a reliance on third parties to perform bank compliance functions.
- Risks relating to growth, including misaligned incentives between a bank and the third party, operational capabilities that lag rapid growth resulting from BaaS arrangements, financial risks from rapidly increasing funding concentrations, and the potential inability to manage emerging liquidity risks when a significant proportion of a bank’s deposits or revenues are associated with a third party.
- End user confusion and misrepresentation relating to the availability of FDIC deposit insurance coverage, including potentially misleading statements and marketing from nonbank third parties.
The joint statement and RFI exhibit an understanding of and specific interest in particular details of these arrangements that will be familiar to many who have developed or helped to document them, including:
- Account Titling and Associated Recordkeeping. The RFI includes a request for feedback on deposit account titling and recordkeeping practices, and it recognizes that the bank’s “core deposit ledger may only include omnibus [end user] accounts,” often titled as “for the benefit of” or “FBO” accounts. The agencies question what controls exist to ensure the accurate exchange of information between banks and fintechs about these accounts and note the possibility that a bank’s lack of sufficient access to such information could lead to delays in end users’ access to deposits and associated legal and compliance risks.
- Determining the Bank’s “Customer” for Regulatory Purposes. The technology or user experience layering associated with BaaS arrangements can lead to ambiguity in the application of existing laws and regulations that depend on whether the fintech, its end users, or both are “customers” of the bank. The RFI specifically refers to this issue in the context of customer identification program obligations under the Bank Secrecy Act and privacy-related obligations under Regulation P. Of particular importance to nonbank fintechs, a designation of an end user as a customer of both the bank and the fintech or solely as a customer of the fintech also potentially impacts the fintech’s independent regulatory obligations, especially under state and federal money transmission licensing and registration requirements.
- Data Use and Ownership. The 2023 guidance identified data use and ownership as a risk consideration for banks, but the joint statement and RFI explore this issue in greater detail, including the degree to which the use of innovative data inputs and formats (such as for underwriting purposes) poses risks to banks. Other potential risks cited by the agencies in this regard include increased exposure to fraud and data security incidents based on the parties’ systems integration, as well as the use or access restrictions that the fintech may attempt to impose on data generated as part of a BaaS arrangement that the fintech regards as its proprietary information. Regulatory attention to this issue by these agencies could overlap with existing and possible future rulemaking by the Consumer Financial Protection Bureau, which is not a party to the joint statement or RFI, on open banking or digital wallets. The RFI specifically identifies larger firms (which, according to the RFI, are sometimes referred to as “Big Tech”) with multiuse technology platforms as among the types of “fintech” companies having bank partnerships on which the agencies are focused for purposes of their analysis.
- Allocation of Responsibility. As with data rights, the 2023 guidance and prior regulatory pronouncements generally emphasize the importance of clear contractual and operational allocation of responsibility any time a bank partners with a third party to conduct activities, while the RFI and joint statement explore this issue in some depth, including the potential for gaps or delays to occur that could cause a bank to violate applicable law. In addition, the agencies observe that a bank’s lack of meaningful negotiating power relative to the fintech partner or the bank’s heavy reliance on revenue or liquidity from the fintech partner could impede the bank staff’s ability to effectively oversee and challenge critical aspects of the fintech’s performance. This consideration also implicates the role of middleware providers or other intermediaries engaged by a bank’s fintech partner whose contractual or other legal obligations to the bank may not be clear. These obligations may arise, if at all, through pass-through or other provisions of the bank-fintech agreement by which the bank seeks to rely on the fintech partner to enforce the bank’s expectations and to exercise appropriate monitoring and oversight of the middleware providers or other intermediaries.
- FDIC Insurance Disclosures and Customer Confusion. The RFI and guidance identify the risk of end user confusion around the availability and terms of FDIC deposit insurance as a key risk of fintech partnerships that involve deposits. Citing aspects of advertising rules that the FDIC recently revised, including with respect to pass-through insurance disclosure requirements, the regulators indicate that bank-fintech arrangements pose unique risks in this regard given the tendency for end users to have a direct relationship with, and visibility into, a bank’s fintech partner, whom the end user may view as its primary provider.
- Brokered Deposit Treatment. The agencies did not directly address the issue of brokered deposits in the 2023 guidance, but it is a focus of both the RFI and the joint statement. The joint statement encourages institutions to conduct appropriate analyses to determine whether parties involved in the placement of deposits meet the definition of a deposit broker and whether deposits placed through a program require reporting as brokered deposits. Within days of the publication of the RFI and joint statement, the FDIC published proposed changes to aspects of the substantial overhaul of the brokered deposit rules finalized by the agency in 2020, including their “primary purpose” exceptions. In this proposal, the FDIC specifically notes that certain operational and liquidity problems it has observed since 2020 (including in connection with high-profile bank and nonbank insolvency events) can be attributed, in part, to rapid growth based on banks’ reliance on middleware fintech companies and the volatility of some bank-fintech deposit placement programs.
The joint statement references the 2023 guidance along with various other previous advisories and policy statements on bank safety and soundness expectations relating to managing third-party risk and the importance of board and senior management oversight. It also highlights examples of effective risk management practices, providing banks with an opportunity to review and potentially refresh their existing risk management practices and governance mechanisms to align with those in the joint statement. It may also be productive for fintechs to assess whether their own operational and compliance processes can support the regulatory expectations to which their partner banks are subject. According to the agencies, effective risk management practices include:
- Comprehensive governance and third-party risk management practices, including risk assessments tailored to the specific features of each third-party arrangement, with appropriate due diligence and contracts that clearly delineate the roles and responsibilities of each party.
- Systems and controls to manage operational and compliance implications, including risk-based contingency plans or exit strategies to address the disruption or business failure of the third party that could affect end-user access to funds, and ensuring effective complaint management and resolution.
- Adequate structures to ensure bank compliance with applicable Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) rules and sanctions requirements.
- Management of growth, liquidity, and capital implications, including contingency funding plans in the event of unexpected customer withdrawals.
- Adoption of policies and procedures to prevent the misrepresentation of deposit insurance coverage.
As the BaaS market continues to develop, both banks and fintechs should consider contributing to the regulatory dialogue through responses to the RFI. Responses are due on September 30, 2024.
The RFI could lead to a number of regulatory initiatives designed to increase the requirements associated with BaaS arrangements or even expand the agencies’ ability to supervise nonbank fintech firms directly, such as under existing Bank Service Company Act authority. In the meantime, the joint statement and RFI provide a road map for banks and fintechs in the BaaS space that outlines corresponding risk management expectations of the prudential U.S. bank regulators, and these publications can be expected to reflect and influence the way in which examiners oversee such arrangements.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.