On July 25, 2024, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (collectively, the Agencies) issued a reminder to banks of potential risks associated with third-party deposit arrangements[1] and an accompanying request for information on bank-fintech arrangements.[2] The Joint Statement sets forth a litany of risks and risk management examples, but the Agencies assert that it does not alter existing legal or regulatory requirements or establish new supervisory expectations. Learning from their experience with Operation Choke Point,[3] the Agencies also reiterate: “Banks are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.”[4] The accompanying request for information (RFI) solicits information related to bank-fintech relationships to better understand risks and risk management associated with these arrangements and likely represents an initial step in more restrictive oversight. Banks and fintechs that see benefits from these arrangements and believe risks can be appropriately managed should consider commenting on the RFI by the due date of September 30, 2024.
Joint Statement on Bank Arrangements With Third Parties to Deliver Deposit Products
The Joint Statement focuses on risks in arrangements whereby banks work with third parties to make deposit products and related payment services available to consumers and businesses (end users) and highlights steps banks should be taking to manage those risks. Although affected third parties are not limited to fintechs (e.g., broker-dealer deposit sweep programs may also be affected), fintech relationships are the primary focus of the release. In these arrangements, banks will partner with a fintech to offer deposit products or payment services, like a checking or savings account or ACH, card, or wire payments. In many of these arrangements, banks rely on the third party to market and distribute the product and/or service and to maintain account and transaction records. The bank may or may not have a direct relationship with the end user. While the Agencies emphasize that the cataloguing of risks and risk management tools is a restatement of existing guidance, the very fact that the guidance is being consolidated and restated indicates that banks should expect heightened attention to these matters in upcoming exams.
Potential Risks
The Joint Statement divides the risks associated with third-party deposit service relationships into three primary categories: (1) operational and compliance risks, (2) growth risks, and (3) end-user confusion and misrepresentation of deposit insurance coverage risks. With respect to operational and compliance risks, the Agencies note that much of the risk comes from the degree to which the bank outsources functions to the third party without proper supervision. Part of the difficulty with splitting obligations for deposit products between bank and fintech is that operations may become fragmented among multiple parties, potentially making it difficult to identify which party is responsible for each aspect of the product. This is particularly true in relationships that rely on subcontractors or middleware providers with which the bank does not have a direct contract. Although Agency guidance has long cautioned banks on risk management in relation to subcontracting, the proliferation of complex processing models in the fintech space is bringing renewed attention to how associated contracts allocate risk and responsibility for various compliance and safety and soundness objectives between the parties, particularly where the third party may itself be exposed to others in this regard.
Furthermore, if a fintech maintains control of critical account records, the Agencies emphasize that the bank may not have access to the information it needs to comply with its obligations under consumer protection and other laws, such as the requirement to investigate and resolve certain payment disputes pursuant to Regulation E, the requirement to provide certain disclosures pursuant to Regulation DD, or requirements to perform appropriate customer diligence and monitoring under anti-money laundering requirements.
With respect to growth, the Joint Statement notes that the primary risk stems from the rapid growth of these partnerships and the bank’s ability to monitor changes in its funding concentrations, liquidity risk, and capital levels in response. The Agencies assert that the proliferation of bank-fintech arrangements has resulted in rapid growth, which sometimes puts strain on the bank’s or fintech’s ability to manage the product. In particular, likely in response to recent failures in the fintech space, the Agencies emphasize exposure to compliance, liquidity, and capital risks, as well as the ability of banks to service a fintech’s end users if the fintech maintains critical deposit and payment records.
The final category of risk is customer confusion and misrepresentation of deposit insurance coverage. The Agencies caution that customers may not understand the respective roles of the bank and fintech and, in particular, what obligations are protected by federal deposit insurance and what risks to funds access are created by the intermediary role of the fintech. This has already been an area of focus for the Agencies, including in FDIC enforcement actions, as FDIC insurance coverage rules related to misrepresentation of insurance coverage were recently revised.
Risk Management and Governance Considerations
The Joint Statement also identifies existing bank obligations for monitoring the risks associated with bank-fintech partnerships. In particular, banks must have strong diligence and oversight procedures to properly monitor their fintech partners. For many obligations, such as suspicious activity monitoring, sanctions screening, and maintenance of deposit account records, the bank may outsource some of the functions, but the ultimate responsibility for compliance falls on the bank, and the bank must closely monitor these functions when outsourced. This means that banks must create risk assessment and monitoring programs for these partnerships. The level of oversight required will bear a relationship to the role of the fintech and the complexity of the bank product offered, among other considerations. Generally, contractual provisions related to oversight and audit of the fintech and any subcontractors will be an important tool for oversight of these arrangements. In addition, banks should establish appropriate strategies to manage the growth, liquidity, and capital implications of bank-fintech arrangements to help manage some of the associated growth risks.
With respect to customer confusion related to deposit insurance coverage, the new FDIC rules that require nonbanks to clearly disclose that they are not FDIC-insured institutions will help mitigate some of this risk, but banks must ultimately also make it clear which products have insurance and which do not. Ultimately, the Joint Statement suggests that close monitoring of bank-fintech partnerships is required for banks to continue to comply with their own legal obligations.
Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses
In conjunction with the Joint Statement, the Agencies also issued a request for information regarding bank-fintech partnerships. These types of partnerships have been a growing area of regulator interest, and the RFI seeks to gather information about these arrangements and the market for them as regulators determine how to approach these arrangements. The RFI focuses on the balance of benefits to consumers and businesses (end users) from these arrangements and risks to end users and banks as highlighted in the Joint Statement. In particular, the RFI divides bank-fintech arrangements into three categories related to (1) deposit taking activities, (2) payment activities, and (3) consumer and small business lending.
With respect to each category, the Agencies request information in three broad areas: (1) the nature of bank-fintech relationships, (2) risk and risk management, and (3) trends and financial stability. Among the more probing information requests, the Agencies seek information related to how responsibilities are divided between banks and fintechs, what information banks receive to allow them to monitor risk, and how the parties determine whether an end user is the customer of the bank or of the fintech for compliance purposes.
Notably, the Agencies explain in the RFI that even when a fintech maintains the end-user relationship — handling interactions, addressing inquiries and complaints, and providing consumer protection disclosures — “the end user may still qualify as a customer of the bank for certain regulatory purposes.”[5] This statement suggests that trying to determine whether a consumer is a customer of the bank or the fintech is not a matter settled by the contractual terms of the arrangement. The related issue of a bank’s regulatory obligations with respect to end users with whom it may not have a direct relationship is a focus of the RFI. For example, the Agencies explain that although a bank may not have access to end-user information as a matter of its arrangement with a fintech, the need for a bank to access end-user information may arise as a matter of regulatory compliance “even where the bank lacks a direct relationship with end users or where they are not named account holders with the bank.”[6]
These statements and others by the Agencies in the RFI serve as a reminder that the Agencies still consider banks to be central parties in bank-fintech arrangements and suggest that no innovation in how bank services are provided frees a bank from risk management and compliance obligations.
Ultimately, the Joint Statement and accompanying RFI indicate that banking regulators will be more closely scrutinizing bank-fintech relationships and that more regulation and enforcement may be forthcoming.
[1] Joint Statement on Bank’s Arrangements with Third Parties to Deliver Deposit Products, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (July 25, 2024) (Joint Statement).
[2] 89 Fed. Reg. 61,577 (July 31, 2024).
[3] For a description of Operation Choke Point, see FDIC Office of the Inspector General Report No. AUD-15-008, The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities (Sept. 2015).
[4] Joint Statement, pg. 1.
[5] 89 Fed. Reg. 61,581 (July 31, 2024).
[6] Id.
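Sidley Austin LLP provides this information as a service to clients and other interested parties for educational purposes only. This information may not be construed or relied on as legal advice or used to create a lawyer-client relationship.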