BankThink

Regulators are coming for fintechs and the banks that power them

Recently, Blue Ridge Bank in Charlottesville, Virginia, disclosed that its regulator imposed an enforcement action requiring corrective measures that reflect serious and widespread risk management and compliance failures with significant implications for the bank's fintech partner banking relationships.

FDIC And OCC Chiefs Testify Before Senate Banking Committee
In a recent speech, Michael Hsu of the OCC flagged bank-fintech partnerships as a critical priority for the agency.

The market had been anticipating some type of enforcement action against Blue Ridge after regulatory issues seemed to derail a proposed merger with another bank and rumors spread of disruption among its fintech partners. On the face of it, a limited action by one regulator against a single bank with only $2.7 billion of assets should be worth barely a passing notice. But this regulatory action is the tip of the iceberg. Intense regulatory scrutiny is coming for fintechs and the bank partners on which they rely. However, not all fintechs or their bank partners are yet truly prepared to meet this higher level of regulatory scrutiny.

Over the past 15 years, fintechs (more precisely, nonbank providers of financial services) have grown dramatically in both number and size, fed by unprecedented venture investment and, candidly, the weaknesses and lack of agility of incumbent banks. According to the consulting firm Oliver Wyman, incumbents' share of value in financial services collapsed from 90% in 2011 to 65% this year (even after the correction in fintech valuations). Nonbank fintechs have built large and impactful businesses. For instance, Affirm and Chime reportedly each have 13 million customers, more than U.S. Bank (No. 5 by assets), PNC (No. 6) and Truist (No. 7). PayPal alone has more than 300 million customers.

The special legal powers available only to banks mean that even the largest nonbank fintechs must rely on bank partners to deliver financial services to their many customers. Only banks can offer insured deposits, access the Federal Reserve's payment system and card rails, lend effectively across state borders, etc. Hence, the need for partnerships among fintechs and banks. The Durbin amendment, which severely restricts debit interchange revenue once banks top $10 billion of assets, means that smaller community banks are best suited to be partners to deposit-oriented fintechs. Large banks are also typically less inclined to jeopardize their national brand by partnering with direct-to-consumer fintechs, preferring instead to compete head-on.

In putting those fintech/community bank partnerships together, short-term incentives for fintechs and their bank partners have been in part perverse: Many fintechs were looking for the fastest and easiest "yes" from a bank partner (which almost never correlates with high-quality compliance and risk management), while some small banks sought to maximize returns by minimizing upfront investment (which could leave them without adequate risk management, staffing or technology to manage fintech partnerships). The significant time and costs inherent in setting up a fintech-bank partnership caused many fintechs — even very large ones — to rely on a single bank partner. Excessive reliance on a single partner is always a risk. When a fintech with millions of customers becomes large relative to the resources of the bank partner, the risk of reliance on a single partner is magnified.

Despite these perverse incentives, not all fintechs or bank partners have been sloppy on compliance and risk management, but many appear to have been. Not all fintechs are overly reliant on a single bank partner, but many are. And not all fintechs or their bank partners are ill prepared for an unexpected termination of their relationships, but many appear to be.

As a rule, regulatory scrutiny typically lags developments in the market, but recent evidence demonstrates it is now ramping up quickly: the Blue Ridge enforcement action; FDIC cease-and-desist orders in August targeting misleading statements by fintechs about deposit insurance; widespread market noise about disruptions arising from supervisory examinations at many other bank partners; and a recent speech by acting Comptroller of the Currency Michael Hsu flagging bank-fintech relationships as a critical priority for his agency. Taken together, this should be seen as an urgent call to action for fintechs and their bank partners alike.

In the long run, more intense regulatory scrutiny will be a positive. High standards for compliance and risk management will contribute to a more transparent, fairer and more resilient ecosystem. And partnering with fintechs offers community banks a critical potential life line as they continue to struggle for survival and success in a challenging competitive market.

But in the short run, the potential for widespread disruption is both very real and imminent. Imagine a fintech serving millions of customers and reliant on a single small bank partner that is forced by its supervisors to terminate its support of that fintech. Replacing a bank partner takes time. What happens to those millions of customers if the fintech loses access to a bank partner, even briefly?

Similarly, how would a small community bank handle the customers and accounts of its fintech partner should the fintech shut down abruptly? In today's challenging fundraising market, this is not a hypothetical. For example, consumers carrying what they think is a fintech debit card that's really issued by an underlying partner bank could wake up one morning to a rude surprise. Who do they call?  And the bank partner can be left to pick up the pieces if it failed to prepare for such a scenario.

In the future, partner banks should expect a significant increase in the intensity of regulatory oversight. They should intensify scrutiny of fintech relationships and undertake a sober and objective assessment of their management of the risks associated with fintech relationships. Leaving problems for regulators to find is a recipe for disaster. They should revisit business continuity planning for fintech partners with a focus on how customers would be served in the wake of an unanticipated shutdown.

Fintechs must prepare, urgently, for much more intense regulatory oversight of their partners and thus, indirectly, of their businesses. They should reassess their own compliance and risk management programs. They should evaluate whether they are overly reliant on a single bank partner; and invest to add additional bank partners and diversify risk where merited. If the oversight they receive from their bank partners isn't already rigorous, they should expect stepped-up pressure and start looking for additional or replacement partners. If a bank partner is already facing regulatory headwinds, it can expect them to get worse. 

Regulators should make sure teams are fully informed about the evolution of the market and continue efforts to coordinate and systematize oversight of banks partnered with fintechs. Rather than pressuring all bank partners equally, they should add to the incentives for existing and future bank partners to provide this critical function in a high-quality manner by focusing on the weaker players and sharing lessons learned.

Wishing away the challenges that are looming is a perilous choice. Instead fintechs and their bank partners need to prepare to face a much more challenging environment. The consumers and small businesses that rely on them deserve nothing less.

For reprint and licensing requests for this article, click here.
Regulation and compliance Fintech Risk management
MORE FROM AMERICAN BANKER