Banks that offer banking-as-a-service to fintechs be warned: Regulators continue to critique these programs. In the most recent example, the FDIC announced consent orders Friday against Sutton Bank in Attica, Ohio and Piermont Bank in New York City.
Other banks that have been slapped with similar consent orders in recent months include
In these orders, regulators tell the banks they need to step up their oversight and monitoring of their fintech partners, and insist their boards must be involved. When the fintechs take on new customers, it's the bank's responsibility to make sure they aren't criminals, terrorists or money launderers. As the fintechs process transactions, the banks have to monitor them to make sure they meet all Bank Secrecy Act, anti-money-laundering and countering financial terrorism rules.
All this fintech babysitting is a tall order, especially for a small bank. Sutton Bank has $2.2 billion of assets. It works with large fintechs like Square, Robinhood and Upgrade and is the bank behind many prepaid card programs. The bank did not respond to a request for comment. Piermont Bank has $578 million of assets. Its fintech partners include Wagestream, Tuvoli and Buildertrend.
"Every bank that touches BaaS is getting an enforcement action," said Wendy Cai-Lee, founder and CEO of Piermont Bank, in an interview. "I don't think anyone is not getting one at this point."
Some in the industry see this as an example of regulatory overreach.
"It absolutely looks and feels like innovation within the banking system is being disproportionately targeted by regulators who at times seem like they are trying to make a point rather than helping to build the future of financial services," said Phil Goldfeder, CEO of the American Fintech Council. "To ensure that a competitive financial services market exists, regulators need to find ways to encourage responsible innovation instead of stymieing it through disparate regulatory treatment."
Others believe the stepped-up scrutiny of bank-fintech partnerships stems from some banks' practice of
"Middleware BaaS platforms and connectors led banks down a path of false assurances and the banks that chose to outsource their risk will continue to be at risk of regulatory scrutiny," said Matthew Smith, president of Bankers Helping Bankers.
Piermont Bank has always been mindful of its compliance responsibility, Cai-Lee said. About half of the bank's employees are in risk management.
"We have championed the idea that it's our insurance, it's our charter," she said. "We have to have that direct relationship."
In fact, the bank has been hurt by this compliance-first mindset, she said.
"Early on, fintechs didn't want to work with us, because they figured Piermont required so much control," Cai-Lee said. "We weren't able to grow faster because we said [to potential fintech partners], I need my own contract with you and you need to send me your customer complaint log."
But even though the bank has been conservative in its approach, it's no longer sufficient for this changing regulatory environment, she said.
What's in the consent orders
The FDIC's consent order against Sutton focuses on anti-money laundering and countering the financing of terrorism.
For example, within 180 days, Sutton's board must develop and implement a revised written anti-money laundering program that complies with the Bank Secrecy Act and money laundering rules, and share this with the FDIC. The revised program must include stronger assessment and oversight of fintech partners, and the bank has to document, track, and report on its adherence with the program to the board.
Within ninety days, the board must improve its supervision and direction of the anti-money laundering program and address any deficiencies and weaknesses identified in the last exam.
The FDIC said the bank must have at least one BSA officer who reports to the board and set up a board committee to ensure compliance with the consent order.
Sutton also has to create an inventory of third-party relationships and designate program managers responsible for customer identification programs, transaction monitoring, independent testing and reporting suspicious activity for each. It's been told to provide due diligence and ongoing compliance monitoring of third parties.
It also has to develop and implement a revised training program for directors and staff on BSA regulations, and especially on mitigating risks associated with prepaid card activities.
Within sixty days, the bank has to come up with a plan to review all prepaid card customers beginning from July 1, 2020, to ensure that all required customer information has been obtained and the bank knows the true identity of these customers.
A panel at CBA Live explored the contract provisions banks need to consider before embarking on new banking-as-a-service relationships and what catches their eyes in consent orders from banking regulators.
The FDIC's consent order on Piermont Bank touched on many of the same areas as the one given to Sutton. The agency told Piermont to increase board oversight of compliance programs for fintech partners. The bank was also told to conduct internal audits and improve risk management of third-party programs. It has to conduct a review of all data and systems used in its fintech partnerships and of all third-party risk and monitor its fintech partners' compliance with bank laws.
FDIC told the bank to set up internal controls for monitoring anti-money laundering rule compliance, to conduct tests of its Bank Secrecy Act compliance, appoint an AML officer and conduct more anti-money laundering training among board and staff. Like Sutton, it has to review all transactions since September 2022 to make sure any suspicious activity was reported. It also has to review all Electronic Funds Transfer Act disputes since August 2020.
The path forward
The way Goldfeder sees it, both regulators and banks have to adjust to the recent boom in banking as a service.
"Banks are responsible for their partners and the innovation they embrace and need to maintain the gold standard of compliance," he said. "But they also require clarity and appropriate rules of the road from regulators." Regulators need to provide clear supervisory expectations and understand the actual risks associated with a given product or service, he said.
Piermont Bank has made several improvements to the compliance controls in its banking-as-a-service programs in the year since the FDIC exam took place, Cai-Lee said.
For instance, it now has direct access to its fintech partners' onboarding software and conducts quality control audits. It has consolidated the platforms it was using to monitor transactions for suspicious activity, fraud and money laundering into one platform for consistency. Quarterly BSA training is now mandatory for Piermont and its fintech partners' employees, and if anyone doesn't take it, Piermont gets an automated alert.
Cai-Lee said she's going to keep working through all the FDIC's demands and keep offering banking as a service.
"This is who we are, it's a core pillar business," she said. "I'm not giving up. I'm not walking away."
