WASHINGTON — Synapse Financial's bankruptcy and related regulatory actions against its partner bank are expected to sharpen bank regulators' focus on managing risks associated with third parties, potentially cooling the banking-as-a-service model and fintech-bank partnerships more broadly.
Synapse — a fintech middleware provider that connected licensed banks with non-bank entities looking to offer banking services —
The Federal Reserve Friday
"As a leading Banking-as-a-Service provider and member of the American Fintech Council, we advocate for modernizing regulatory guidelines to ensure safe and affordable financial services," the spokesperson said.
Todd Baker, managing principal at Broadmoor Consulting and a lecturer at Columbia University, says Synapse's business model — being a middleman between fintechs and banks — is one that regulators are viewing with renewed skepticism. He says Synapse' trouble is going to create more difficulties for banks looking to fintechs to boost their capabilities and reach.
"Examiners are people," he said. "It's going to reinforce whatever concerns they have about the space in general. So they're going to be tough examinations, there's no doubt about it."
The Synapse bankruptcy sits at the intersection of two supervisory issues that bank regulators have focused on in the last few years: Third party risk management and misrepresentations of FDIC insurance. The federal bank regulators have all set up special groups to more consistently examine banks that are providing partner banking services to fintechs. The agencies also issued guidance on fintech partners
Jonah Crane, a partner at consultancy Klaros Group, expects regulators to issue more specific guidance to address BaaS.
"Much of this guidance is general — not specific to fintech partnerships. The enforcement actions have provided some additional clarity regarding regulatory expectations, but the map is far from complete," he noted. "I would expect specialized exam manuals in the coming years to provide more specific guidance and set clearer expectations regarding how to implement third-party risk management for these specific kinds of partnerships."
The banking-as-a-service model, in particular, has
In addition to the consent order issued against Evolve on Friday, other banks targeted by these enforcement actions include
"We should expect more of those, because as they go through the list of partner banks, they tend to find the same problems, especially with the smaller ones," Baker said. "There's going to be no letup in the supervisory pressure on partner banks to make sure that fintechs they work with are essentially operating at a bank level of compliance standard."
Most fintech partner banks are small, usually under $10 billion in assets. Part of the reason for this is a clause in Dodd-Frank — the so-called
While generally smaller firms, fintech partner banks can handle large volumes of third-party transactions, making them more systemically significant than their asset size might suggest. Baker argues this creates a blindspot for regulators, who usually rank systemic riskiness with regard to a firm's asset size.
"They typically look at risk based on the size of the bank, the asset size of the bank, and all of these banks are quite small in asset size," Baker said. [However,] they are processing large volumes of third party transactions, which make them significantly more material to the overall banking system than their assets suggest."
Almost exactly a year ago, the
Baker estimates there are about 120 fintech partner banks, but that the cost of enforcement actions will almost surely reduce this number.
"To the extent that all of the compliance obligations of the traditional bank that pushed onto the fintech and its partner bank, those costs are essentially going to end up on the books of the fintech, because partner banks are going to charge more for what they're doing, given the compliance burden that's been put on them," he said. "So some of the fintech cost advantages are going to go away, we'll also likely see very heavy consolidation of the fintech banks, and you'll see a smaller number of banks who truly specialize in this and focus on the compliance side."
Crane argues banks who want to be in this business should be truly committed to it, and prepared to operate it at scale, given rising costs of compliance.
"The Evolve order also suggests banks should be holding extra capital to account for the elevated operational risks of these partnerships[,] that will raise the cost even more," he said. "Sponsoring one or two programs will not make sense when you consider the oversight 'infrastructure' that needs to be in place."
Michael Emancipator, senior vice president and senior regulatory counsel of the Independent Community Bankers of America, argues bank regulators have more authority and tools at their disposal than they generally use. Under the Bank Services Company Act, he says they can directly regulate and examine bank-partner fintechs as if the services or products were being offered by the bank itself. He says regulators should focus on some of the risks to banking unique to the BaaS model.
"While the agencies certainly ramped up the number and rate of enforcement actions on BaaS banks over the past year or so, the vast majority of the enforcement has focused on AML/BSA issues, or general governance or strategic planning lapses," he said. "The seriousness of those types of deficiencies should not be discounted, but it does present the appearance that the agencies were more focused on demonstrating increased scrutiny of BaaS banks on any issue, rather than on issues that are unique to BaaS banking."
Baker agreed regulators have untapped authority, but he says he sees regulators focusing mostly on mitigating risks in the supervision process as opposed to enforcement.
"Based on their own view that they have authority to look at service providers, they probably should have looked more quickly," he said. "But I'm fairly confident now that this kind of situation is not likely to be repeated soon, given the increased focus that the bank regulators have on all of these relationships and the clear warning signal that the Synapse situation puts out to partner banks and consumers."
At the same time, the FDIC has tried to crack down on the way that fintech and crypto companies represent the extent to which consumers' deposits are protected by deposit insurance through their banking partners. Often, these kinds of arrangements — where a fintech company takes a deposit from a consumer and has a relationship with a banking-as-a-service institution — operate through an "For Benefit Of," or FBO account. Fintechs are supposed to take the consumer's deposit and open a bank account in their name, thus insuring the customer's deposits up to $250,000.
But sometimes the relationship between a fintech firm and their partner bank with respect to deposit insurance isn't clear to the consumer, and the presence of nonbank partners like Synapse can make those relationships even more complicated.
"Most fintech relationships are direct — that is to say, the fintech has a direct relationship with the partner bank [and] generally doesn't involve the level of complexity that you saw in Synapse," Baker said. "The complexity, the structure and the operational incompetence of the company, you know, caused very severe problems for customers." Baker said Fintechs will also have a harder time convincing banks to work with them.
Those consent orders include firms
"It is especially important in light of the growth of nonbank crypto firms and fintechs and their relationships with banks," acting Comptroller Michael Hsu, who sits on the FDIC's board, said at a meeting two years ago when the issue was discussed. "The potential for consumer confusion about the status of cash held at these firms is high and this final rule will help provide clarity."
Chopra said at the time that the bureau's enforcement memorandum clarifies that entities misusing the name or logo of the FDIC are violating the Consumer Financial Protection Act, putting enforcement in the CFPB's purview, regardless of whether that misuse was done knowingly or not.
"Many people are continuing to learn with respect to crypto assets that something might not actually be stable, and they may actually have a view that it's equivalent to a deposit in an FDIC insured account," he said. "And it's not."