Regulators Take a More Hands-On Approach to Bank-Fintech Relationships

In our November 2024 article we discussed the threat that increased regulatory skepticism on fintech poses to banking innovation. In light of that skepticism, banks must consider how the federal banking agencies are rethinking these third-party relationships. While the advent of middleware providers altered the direct banking as a service (BaaS) relationship between banks and fintechs, the May collapse of Synapse Technologies highlighted various model deficiencies after consumers lost access to funds, drawing the ire of regulators and lawmakers.

Though regulatory and enforcement actions by the federal banking agencies in recent years have signaled ongoing concern over BaaS models, Synapse’s collapse served as a wake-up call to banks that continued to believe that fintech engagement can be conducted as a turnkey activity, resulting in a flow of easy fee income.

Federal agencies’ response to the Synapse collapse — regulatory and supervisory guidance addressing risks posed by third parties that arrange the provision of deposit products and services, new enforcement actions against BaaS-focused banks that lacked appropriate oversight and significant rulemakings — have effectively halted most banks’ laissez faire approach to these relationships. Now, a new framework for bank-fintech relationships has emerged that requires substantial bank involvement.

In July, federal banking regulators issued a joint statement highlighting potential risks in bank-fintech relationships, along with a request for information (RFI) on these arrangements’ benefits, risks, and risk management practices. The statement and RFI demonstrated the agencies’ heightened focus on bank-fintech arrangements, in particular banks’ oversight and risk management. While neither issuance imposed new regulatory requirements, they signaled that further guidance on risk management practices would be forthcoming and that enforcement actions against banks’ failing to meet regulatory expectations may continue.

The agencies have relied on enforcement actions to target banks that failed to manage risks associated with fintech partnerships. Those actions imposed significant operational restrictions and, in some cases, required business model changes. Frequent areas of focus included corporate governance, third-party risk management and anti-money laundering issues. Each of these issues is critical to a bank’s oversight of fintech partnerships and serves as a road map of areas to focus on for all banks engaging in BaaS. Through their actions, federal regulators sent two clear messages:

• Regulators do not believe that they need new prescriptive rules to ensure banks maintain appropriate oversight on the operations of their fintech counterparties.
• Regulators are willing to act when bank-fintech partnerships do not satisfy their expectations.

Rulemakings
Rulemakings are a slower process due to notice and comment requirements under the Administrative Procedure Act. Nonetheless, following Synapse, the Federal Deposit Insurance Corporation has proposed significant regulations that, if adopted, would significantly impact bank-fintech relationships.

Brokered Deposits
In July, the FDIC proposed a rule to revise its brokered deposits framework, which was overhauled in 2020. The proposal seeks to roll back the more-flexible approach adopted in 2020. It would eliminate key exemptions to the classification of deposits as brokered — which banks and their fintech partners have relied on — causing banks to pay higher deposit insurance premiums and disrupting the economics of fintech relationships.

Custodial Account Recordkeeping
In September, the FDIC proposed a rule that would apply to almost any bank-fintech arrangement that uses custodial deposit accounts to provide customers with transactional features, known as For Benefit Of (FBO) accounts. These accounts are prevalent in bank-fintech partnerships and allow a bank to hold one omnibus account for a fintech, which then keeps the records of the beneficial owners whose funds are held in the bank. If adopted, the rule would require a bank to:

• Maintain records that show the beneficial owners of those deposits, including the balance attributable to each beneficial owner (end-user, fintech customer, etc.) and the ownership category in which the deposited funds are held.
• Implement written policies, procedures, and internal controls, including daily reconciliations against the beneficial ownership records.
• Require an executive officer of the bank to annually certify to the FDIC and the bank’s primary federal regulator that these reconciliations are being conducted.

What’s Next?
Enhanced scrutiny of bank-fintech relationships can be expected to continue after the change of administration, as the collapse of Synapse demonstrated the need for stronger oversight by banks of third-party providers. While the new administration likely will seek more targeted rules rather than broad, ambiguous and sweeping guidance, banks will need to continue to devote significant compliance resources to oversee and monitor their fintech relationships.