The FDIC has slapped Cross River Bank in Teaneck, New Jersey, with a consent order saying it engaged in unsafe or unsound banking practices related to fair lending regulations. The order was issued in March but made public on Friday.
Cross River is a banking-as-a-service provider that makes loans through fintech lenders such as Affirm, Upstart, Rocket Loans and the former Kabbage.
The bank did not admit or deny any charges of unsafe or unsound banking practices or violations of law or regulation.
"The consent order signed by Cross River is narrow and is limited to correcting Cross River's fair lending program in the state that existed in early 2021," a bank spokeswoman said on Friday. "We are dedicated to partnering with the fintech community as part of our mission to reach long underserved communities and give all Americans access to the modern financial services they need and deserve. We have always and will continue to serve as a model for transparent, compliant, fair and responsible lending."
This FDIC action puts all banks that partner with fintechs on notice.
"It's a shot across the bow for every partner bank, especially small ones," said Todd Baker, a senior fellow at the Richman Center for Business, Law and Public Policy at Columbia University; and the managing principal of Broadmoor Consulting. "If the largest and most sophisticated partner bank can get into this much trouble, every partner bank is at risk."
Other regulators, including the Office of the Comptroller of the Currency, have also been telling banks to tighten up their oversight of their fintech partners. In a September
"He basically said, there's been a lot of activity in this 'banking as a service,'" said Maria Gotsch, president and CEO of Partnership Fund for New York City and co-founder of the FinTech Innovation Lab, in an interview. "We believe there's risk in that to the system and we're going to be putting out parameters around how we want that interaction to work. Banking as a service does not mean that you are outside of the regulatory purview and that you are not subject to the same standards regulations that we have for the large banks."
That same month, the OCC issued a consent order against Blue Ridge Bank in Martinsville, Virginia, for unsafe or unsound practices, including those relating to third-party risk management, Bank Secrecy Act and anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance.
There's a lot of overlap in what the OCC and FDIC orders cover, Gotsch said, including the technology used for underwriting, monitoring and for security and data privacy, and the need to provide regulators with information about fintech partners.
The Cross River Bank spokeswoman said the bank has already put in place many of the protections the FDIC asked for in the order.
"This order is the result of a standard review pertaining to certain aspects of our lending processes conducted two years ago," she said. "We had identified areas for improvement prior to the examination and the examination identified others. Since that time, we proactively made significant enhancements to our fair lending and other programs including investing in technology and personnel. At this time many of the enhancements have been completed or will be completed in the coming months."
The order does not identify discriminatory practices or anything that would require Cross River to compensate consumers for harm, she said. And it places no limitations on existing fintech partnerships or the credit products it offers jointly with them.
"We don't expect that the order will have any meaningful impact on our growth trajectory," she said.
This isn't the first time the FDIC has issued an enforcement action against Cross River over its fintech partnerships. In 2018, the agency announced a settlement with the bank and Freedom Financial Asset Management in San Mateo, California, a provider of consolidation loans, for unfair and deceptive practices and violations of the Truth in Lending Act and the Electronic Fund Transfer Act. The FDIC said Cross River and Freedom required borrowers to sign loan documents without knowing the terms and conditions of the loan; failed to inform borrowers that certain major creditors will not negotiate debts with Freedom Finance; misrepresented to consumers that the loans would result in the settlement of all their debts within 90 days, which was not true for nearly half of the consumers, according to the agency; and misrepresented that the consumers' creditworthiness would improve by obtaining a consolidation loan.
As the originator of these loans, Cross River was responsible for compliance with all applicable laws, the FDIC said. The regulator told the bank to implement a compliance management system that would identify, address, monitor and control consumer protection risks associated with third-party activities.
"Clearly the FDIC has lost confidence in management's commitment to fix the compliance problems with partner banking in light of this and prior violations relating to Freedom Finance," Baker said on Friday, the day the FDIC made the consent order public. "So in that regard, the action seems appropriate."
The consent order the FDIC issued Friday ordered Cross River Bank's board of directors to increase its supervision and direction of management, and its oversight and monitoring of the bank's system of internal controls, information systems, credit underwriting practices and internal audit systems related to consumer protection laws and regulations.
The board also must make sure the bank takes any actions needed to ensure compliance and monitoring of this compliance.
Cross River also must send the FDIC a list of all its credit products and fintech partners and obtain the FDIC's nonobjection before taking on any new fintech partner or credit product.
The bank must hire an independent third party to review the technology it uses to underwrite loans and assess whether the information the bank has about all credit products and models is sufficient to enable it to determine and monitor the compliance of such credit products, third parties and credit models with all applicable fair lending laws and regulations.
After Cross River obtains a nonobjection to its list of loans and fintech partners, it will have to conduct a fair lending risk assessment within 60 days. It will also have to make sure it has a well-staffed group handling fair lending compliance, and train the board and everyone in the bank involved in credit on fair lending law.
The bank has to assess the fair lending compliance of every fintech partner at least once a year and report on these assessments to the FDIC.
True Digital and TechPassport help banks assess and monitor fintech vendors and partners.
One reason for the tough action on Cross River Bank may be the fact that some of its fintech partners use AI in their lending decisions, including Upstart and Affirm. The CFPB and other regulators have emphasized that banks need to be able to explain how such decisions are made.
"That is a big issue for the regulators with respect to algorithms and artificial intelligence as those become more complicated and more of a black box," Gotsch said. "And if they can't do that, that's a problem."
Some startups that have recently gone through the Fintech Innovation Lab provide analysis and monitoring of AI-based lending systems for compliance with fair-lending laws. One is Arthur AI, whose CEO, Adam Wenchel, used to write algorithms for Capital One.
Going forward, compliance requirements and the costs for fintechs to do business with partner banks will increase and oversight will be strict, Baker said.
"Partner banks themselves will reject underfunded and under-resourced fintechs as too risky, which they had already started to do over the last few years and regulators have increased oversight," Baker said. "Fintechs who can comply with usury statutes will reconsider whether direct lending is a better alternative for them."