Fintech partner banks facing 'volatile mix' of supervisory scrutiny

AB-FEDERAL-RESERVE-WASHINGTON-102822
The Federal Reserve Board of Governors has created a new supervisory team specifically to oversee novel activities.
Stefani Reynolds/Bloomberg

Federal regulators have taken a sharper look at bank partnerships with financial technology firms in recent months, a shift that has resulted in a surge in publicly disclosed enforcement activity.

Through the first quarter of the year, actions against fintech partner banks have accounted for 35% of publicized enforcement measures from the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller, according to the consultancy Klaros Group. This is an uptick from 26% during the previous quarter, and 10% in the first quarter of 2023. 

The jump in enforcement actions against firms engaging in so-called banking-as-a-service, or BaaS, business models corresponds with the adoption of a new joint guidance from the Fed, FDIC and OCC for evaluating third-party risks, which was codified last June. The following quarter, the share of fintech partner bank enforcement actions doubled from 9% to 18%, according to Klaros. The uptick in BaaS-related enforcement comes amid a doubling of total enforcement actions against banks over the same period. 

"It's undeniable that there's more enforcement activity happening related to BaaS," said David Sewell, a partner with the law firm Freshfields Bruckhaus Deringer. "You are seeing the fruits of the enhanced supervisory posture towards that space."

The question moving forward is whether this recent string of activity is a momentary adjustment as agencies ensure their expectations are taken into account, or a permanent shift in regulators' attitude toward BaaS models. 

Along with crafting new expectations for fintech partnerships, Washington regulators are also putting together specialized supervision teams to explore these activities more comprehensively. Last year, the OCC launched an Office of Financial Technology to "adapt to a rapidly changing banking landscape," and the Fed established a similar group called the Novel Activities Supervision Program, which tracks fintech partnerships, engagement with crypto assets and other emerging strategies in banking.

These fintech-specific developments come at a time when the agencies are changing their approach to supervision across the board with an eye toward escalating issues identified in banks more quickly and more forcefully. The effort is being undertaken in response to last year's failure of Silicon Valley Bank, which had numerous unaddressed citations — known as matters requiring attention — at the time of its collapse. 

The FDIC has already amended its procedures and now directs its supervisors to elevate issues if they are unresolved for more than one examination cycle. A Government Accountability Office report issued last month called for the Fed to adopt a similar approach.

Gregory Lyons, a partner at the law firm Debevoise & Plimpton, said the confluence of these various developments will result in significant supervisory pressure on fintech partner banks, most of which are small community banks leaning on the arrangements to offset declines in other business opportunities.

"You have a general concern from regulators about fintechs, you have these new divisions within agencies focused solely on fintech activities and risks, and then more generally you have an exam environment in which things are going to get elevated quickly," Lyons said. "This is a fairly volatile mix for banks relying heavily on fintech partnerships."

Measuring supervisory activity and determining its root causes are both fraught exercises, said Jonah Crane, a partner with Klaros. Public actions make up just a fraction of the overall enforcement landscape, which is itself a small portion of the correspondence between banks and their supervisors. Public enforcement actions are also intentionally vague in their description of violations, as a way of safeguarding confidential supervisory information.

Still, Crane said recent disclosures exemplify the areas of greatest concern for regulators: money laundering and general third-party risk management. He noted that the main threat supervisors seem to be guarding against is banks outsourcing their risk management and compliance obligations to lightly regulated tech companies.

"For every banking product in the marketplace, there's a long check list of laws and regulations that need to be followed," Crane said. "Those need to be clearly spelled out, and they still need to be done to bank standards when banks rely on third parties to handle those roles and responsibilities. That seems to be the crux of the issue."

In official policy documents and speeches from officials, the agencies have described their approach to fintech oversight as risk-sensitive and principles-based. They emphasize the importance of banks knowing the types of activities in which their fintech partners engage as well as the mechanisms in place within them to manage risks.

"The OCC expects banks to appropriately manage their risks and regularly describes its supervisory expectations," an OCC spokesperson said. "The OCC has been transparent with its regulated institutions and published joint guidance last June to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies."

The Fed declined to comment and the FDIC did not provide a comment before publication.

Some policy specialists say the expectation that the buck stops with the bank when it comes to risk management and compliance should not come as a surprise to anyone in BaaS space, pointing to both last year's guidance and long-running practices by supervisors. The Fed, FDIC and OCC outlined many of their areas of concern in 2021 through jointly proposed guidelines for managing third-party risks. 

James Kim, a partner with the law firm Troutman Pepper, likens the recent surge in activity to supervisors clearing out low hanging fruit. He notes that the rapid expansion of BaaS arrangements in recent years — aided by intermediary groups that pair fintechs with banks, typically of the smaller community variety — has brought with it many groups that were not well suited for dealing with its regulatory requirements. 

"Several years ago, there were real barriers for fintechs to partner with banks because of the cost, time and energy it took to negotiate agreements and pass the onboarding due diligence," Kim said. "Some of the enforcement activity we're seeing today is likely the consequence of certain banks, fintechs and intermediaries jumping into the space without fully understanding and addressing the compliance obligations that come with it."

Others say the standards set last year are too broad to be applied uniformly across all BaaS business models, which can vary significantly from one arrangement to another. 

Jess Cheng, a partner with the law firm Wilson Sonsini who represents many fintech groups, said regulators need to provide more detailed expectations for how banks can engage in the space safely. 

"In light of these enforcement actions, there seems to be a real time lag between what has been going on in terms of ramped up supervisory scrutiny and the issuing of tools to help smaller banks comply with and understand how they can meet those expectations," Cheng said. "That is badly needed."

In a statement to American Banker, Michael Emancipator, senior vice president and senior regulatory counsel for the Independent Community Bankers of America, a trade group that represents small banks, said the recent uptick in enforcement actions has been concerning, "especially in the absence of any new regulation, policy, or guidance that explains this heightened scrutiny."

Emancipator acknowledged the guidance that was finalized last year, but noted that the framework was largely unchanged from the 2021 proposal and gave no indication that substantial supervisory activity was warranted.

"If there has been a shift in agency policy that is now manifesting through enforcement actions, ICBA encourages the banking agencies to issue a notice of proposed rulemaking, which more explicitly explains the policy shift and how banks can appropriately operate under the new policy," he said. "Absent that additional guidance and an opportunity to comment, we're seeing a new breed of 'regulation through enforcement,' which is obviously suboptimal."

Among specialists in the space, there is optimism that the Fed's Novel Activities Supervision Program will be able to address some of these outstanding questions and provide the guidance banks need to operate in the space safely and effectively. 

"I expect more clarity going forward both in the enforcement action context but also if they adopt exam manuals and a whole exam process," Crane said. "I remain glass half-full about how the novel activities programs are going to impact the space. It's a pretty strong signal that agencies aren't just trying to kill this activity. They wouldn't establish whole new supervisory programs and teams if that's what you're trying to accomplish."

The program will operate alongside existing supervision teams, with the Washington-based specialist group accompanying local examiners to explore specific issues related to emerging business practices. Crane said until more formal exam policies are laid out, the scope of the enhanced supervision conducted by these specialists remains to be seen.

"In theory, that enhanced supervision should apply only to novel activity," he said. "There is an open question as to whether, in practice, the whole bank will be held to something of a higher standard."

Lyons said the layering on of supervision from a Washington-based entity, such as the Novel Activities Supervision Program, eats into the discretion of local examiners. It also inevitably leads to the identification of favored practices.

"When these types of groups get involved in supervision, it tends to lead to more comparisons of how one bank approaches issues versus another," Lyons said. "It's not formally a horizontal review, but it's that type of principle, in which the supervisors identify certain practices they like more than others."

Lyons added that escalation policies, such as the one implemented by the FDIC, also take away examiner discretion and could create a situation where one type of deficiency — such as third-party risk management — can quickly transform into a different one with more significant consequences. 

"If issues run over more than one exam cycle, they can go from purely being a third-party risk management issue, to also being a management issue for not monitoring a pressing risk well enough," he said. "Management is typically considered the most significant of the six components of [regulators' banking soundness rating system] CAMELS for purposes of determining the composite rating, for example."

For reprint and licensing requests for this article, click here.
Regulation and compliance Federal Reserve OCC FDIC Fintech Technology
MORE FROM AMERICAN BANKER