Bankers are mining consent orders for clues to managing BaaS

A lawyer, a consultant and in-house counsel for a bank all have advice for financial institutions engaging with fintechs in banking-as-a-service relationships.

"You have two unrelated parties that are sharing customers," Jessica Dury, leading counsel for The Bancorp Bank in Sioux Falls, South Dakota, said at the Consumer Bankers Association annual conference this week. "You both impact each other."

The rush to offer banking as a service, or BaaS, has slowed over the past year and a half as banks examine their reasoning and risk appetite for entering these relationships. Complicating matters is that guidance from regulators is coming more by way of enforcement than by clear rulemaking. 

Reviewing consent orders is key to navigating this space, all three panelists agreed in a session about managing current and emerging risks in BaaS.

"They are basically a roadmap on what to do right because they require the bank to change," said Janet Hale, who co-leads the consumer financial services practice group at FTI Consulting. She notes most BaaS-related consent orders critique banks' compliance management systems; board oversight and staffing are also common themes.

The Bancorp Bank, which has $7.7 billion of assets and is one of the original financial institutions to provide underlying services to nonbank entities, follows this practice. 

"We read every consent order that comes out and map what's going on," said Dury. "What did [the agency] tell them to do, and are we already doing that? Or is that something we need to go ahead and reinforce?" 

She expects the bank's partners to do the same. 

"Fintech may not be as sophisticated as the bank but they should be interested and have an understanding," she said. "When these consent orders come out we have a discussion [with our partners] about how that impacts us. It's reassuring when they know what's going on."

A common theme she has seen arise more in state-level enforcement actions rather than federal enforcement is the question of whether banks understand that the fintech's customers are also their customers, and that they are responsible for ensuring customer disputes and customer service are handled correctly. 

Regulation and compliance

Banking-as-a-service banks: 'There is a reckoning'

Financial institutions' fintech partnerships are facing higher levels of scrutiny. More consistent and direct monitoring of their partners can put them in a better position.

By Miriam Cross

February 7

There are also more forward-looking steps banks can take to nip certain issues in the bud.

"The first thing to think about with a fintech relationship is, how does it interplay with the bank's goals in general?" said Dury. "You don't want a scenario where you are targeting an entirely different market," or extending products through a fintech partner such as credit cards when the bank itself does not offer this. 

"With fintech, everything moves faster," she said. "If they come to you and say we want to do a prepaid card, ask them what they're thinking about next. Ask them what special feature they want on that prepaid card, because that's how they catch the market."

It's important that fintechs be willing to meet the bank's compliance standards, even if this is not part of their culture, said Hale, and that banks explore fourth-party risk, or the vendors the fintech partner's vendors use. For instance, "do you know how they are conducting marketing and advertising?" she said. 

She suggests banks ask fintechs about the training programs they offer their own staff, including on fair lending, Regulation E and Regulation Z, and obtain documentation that it happened.

"If your training program isn't documented, it doesn't exist," she said.

Another learning gleaned from reading consent orders: It's essential to hold onto data from previous fintech relationships, such as denied or withdrawn loan applications from that fintech's customers. 

"If a consent order comes in and a regulator states you need to do a review of all your applications from 2021, you need to have that data," said Hale.

When it comes to contracts, specific provisions are key, said Dury, from ensuring NACHA details are in there if the fintech offers ACH to what happens to existing data if or when a relationship terminates. 

"No more being vague," she said. "Make sure it is clear who is responsible for what. Who will service the client? Who will be the processor? Who will handle your Regulation E disputes or Regulation Z billing errors?" 

Fintechs must be clear on contract terms as well. Susan Seaman, partner at Husch Blackwell, recalls one fintech client asking her if there was a legal restriction on a referral program it wanted to offer. She concluded that the answer was no, but she pointed out that the company needed to look at its program agreement with its sponsor bank. 

"It's like a mini regulatory regime," she said.

Seaman also stressed the importance of thinking about the end before the beginning — in other words, devising an orderly termination plan if the relationship between the bank and fintech were to break down, such as the timelines these parties are required to follow under Regulation E, Regulation Z or the Truth in Savings Act to close or transition accounts or significantly change terms.

While quarterly monitoring of fintech partners was once sufficient, that's no longer the case, said Hale. 

"The best practice is a weekly call, compliance to compliance," she said. "I've seen some situations where the compliance so-called checklist or testing is handled by the business, and they may not fully grasp the regulatory requirements for monitoring and testing."