
Last week we covered what the Federal Reserve, OCC, and FDIC's latest guidance on third-party relationship management means for US banks. The guidance has also been highly anticipated by fintechs, who will need to step up to meet updated requirements across all of their bank partners.
Here we dive into how fintechs should position themselves in response, with insights from leaders on what the guidance means specifically for fintechs in areas like open banking, lending, and Banking-as-a-Service. It's also worth calling out which issues are not addressed by the new guidance, and where to look for answers on some of the biggest questions on fintech regulation that are still left open.
Finally, we'll summarize the takeaways for banks and their fintech partners going forward.
Have insights/questions about the new guidance? We'd love your thoughts! Join the discussion in TWIF's Slack community: 🧵 Thread in #compliance_and_regulation.
What the guidance means for fintechs
The high-level takeaway for fintechs is that baseline diligence requirements are likely to heighten. Per Andreas Westgaard, Director at Klaros Group, an advisory and investment firm focused on the future of financial services:
On the fintech side, I would expect a higher bar moving forward from their current or prospective bank partners, particularly in the areas of anti-money laundering, consumer compliance, and operational/business resiliency.
Three actions Andreas recommends fintechs take in the near-term:
Treat the guidance like a checklist. Contrary to what the guidance preamble says, fintechs should revisit the due diligence package they currently provide bank partners in light of the guidance's recommendations.
Make sure policies and procedures align with the guidance. Notably, descriptions of partner roles and responsibilities should clearly articulate who is doing what between fintechs and their bank partners.
Consider additional monitoring or testing. Fintechs should proactively identify oversight gaps before the banks, or their regulators, come knocking.
These suggestions apply to virtually all fintech-bank partnerships, albeit to varying degrees. Fintechs that have been calling for greater clarity on regulatory issues within their specific segments might not be fully satisfied by what the guidance has to offer. We gathered reactions from fintech leaders and experts in light of the regulatory atmospheres within open banking, lending, and Banking-as-a-Service.
Open banking
As those of you who've been on the fintech side of a bank diligence process will know, it's a resource-intensive project usually entailing months of meetings, paperwork, and a non-zero amount of personal grit.
Multiply that process by about 9,604, one per institution, and you have the potential work it would take for data aggregators like Plaid* and Yodlee to access data from every bank and credit union in the US. The regulators acknowledged comments that this "may unintentionally result in outsized burdens on banking organizations", but still rolled back their previous carveout for data aggregators, blurring guidance on how fintechs are supposed to access data from users' bank accounts (and uphold consumers' right to access their financial data under Dodd-Frank Act Section 1033 in the process).
On the path forward, Plaid’s Head of Policy John Pitts details:
The agencies’ specific revocation of guidance on the unique relationship between banks and data access platforms means that all eyes are on the CFPB and its 1033 rule to define that relationship so that consumers' access to digital finance, and the apps they'd use to make payments, manage spending, invest and save, is free from interference.
Lending
A major point that's being contested in lending is which regulations apply to loans that are offered by, or reassigned to, fintechs.
Fintechs often partner with banks to issue loans, then purchase the liabilities from the banks' books while maintaining the bank as the "true lender". The “true lender” piece is critical here because unlike other lenders, national banks can offer loans outside of their home states without having to comply with other states’ usury laws (i.e. the laws governing interest rate caps in those states).
Regulators don't love the fact that fintechs can use national banks' exemption from other states' usury laws to grant loans at higher interest rates than those states would otherwise allow fintechs to offer. This raises two questions:
When a fintech and bank partner to issue loans, who is considered the "true lender"?
If a bank is the true lender but subsequently sells a loan to a fintech, does the loan lose the bank's usury law exemptions in other states?
The answers here are still outstanding, but could be very disruptive for fintech lenders. The repeal of the True Lender Rule in 2021 opens fintechs up to the possibility of being considered "true lenders", which could invalidate the loans fintechs have issued wherever they don't have the proper state lending licenses. This would also lower the interest rates fintechs could offer, which would be a blow to margins, as well as to the secondary markets fintechs rely on to access liquidity from credit investors. To top it all off, fintechs could become subject to penalties for non-compliance with any of the above.
States obviously want to enforce their own rules on loans issued in their constituencies: California is taking up the true lender issue in a case against OppFi, and Colorado just passed a bill to opt out of federal usury law exemptions for out-of-state banks. For their part, federal regulators are maintaining that loans sold by banks can still be collected on at their original interest rates, but it seems like true lender decisions will rest with the courts for the foreseeable future.
Former Lending-as-a-Service executive Roger Gu expects that fintechs lending across state lines will only see a growing number of challenges from state regulators. He points out that in response, banks are already starting to retain a greater stake in the loans (say, holding onto 5% rather than reassigning 100% of liabilities). Furthermore, higher scrutiny will make it harder for fintechs to use more exotic underwriting technology if they can't prove that model inputs and/or outputs are not discriminatory (the "AI black box" problem).
Banking-as-a-Service
BaaS providers likely won't find anything surprising in the guidance, having watched probes at institutions like Blue Ridge Bank and (reportedly) Column closely for hints about what regulators expect to see from Banking-as-a-Service relationships. Tactical questions still prevail (e.g. how should banks and BaaS partners share responsibility for KYC/KYB decisions? For filing suspicious activity reports (SARs)?), but generally, the guidance is being warmly received.
Unit’s* Chief Legal Officer, Alex Acree, shares:
Part of Unit's mission is to expand financial access, and that means investing in safeguards that support a vibrant and healthy financial ecosystem. That's why we have worked closely with our bank partners to develop and implement a strong third-party risk management framework.
We welcome the new unified interagency guidance and the consistent and clear approach it takes to laying out the key principles. We look forward to further guidance and engagement to build on this foundation through the development of best practices and application of these principles to common types of bank relationships.
Of course, it'll take some level of effort for BaaS providers to fulfill all of the new requirements bank partners will put into place. On a practical level, Trevor Tanifum, Principal at FS Vector, a strategic consulting firm specializing in financial services regulation, explains:
The release of this new guidance is a statement from regulators that they have reviewed and understood these relationships, and they are prepared to begin holding banks to these standards... Whatever regulators ask of banks via guidance, banks will ask of fintechs via contract.
Trevor outlines three major changes fintechs should expect to see as a result:
The diligence and onboarding phases of bank partnerships will be longer, as banks work to meet the heightened expectations placed on them.
The monitoring and oversight of these relationships will be more rigorous, as banks will need to pay closer attention to the ongoing activities of their fintech partners.
Finally, the cost of these partnerships will go up. Banks are unlikely to absorb the full costs of complying with this new guidance themselves; this will be reflected in banks' program fees, monthly minimums, and other commercial terms.
* Sophie's former employers.
Takeaways
While the new guidance gives banks a holistic, tactical framework for managing third-party risk, it's up to each bank and fintech partner to craft its own set of policies and procedures in response.
This is largely by design, which leaves us with these takeaways:
For banks
The bar is set higher on what banks are expected to do to vet and oversee fintech relationships.
The risk-based approach in the guidance provides flexibility, but shifts responsibility onto banks to determine appropriate risk management measures. Per Andreas Westgaard, "Since the guidance is principles-based, it often raises more questions than it answers. As a result, banks will need to think creatively and strategically about how to build or augment third party risk management programs that oversee fintech partners throughout the lifecycle of the relationships, including initial third-party due diligence, risk assessment, approval, onboarding, ongoing review and monitoring, issue management, and termination."
Implementing this guidance might be an arduous process, particularly for smaller institutions looking to offer a diverse set of financial services. In a dissent from her colleagues, Fed Board Governor Michelle Bowman argued that the guidance creates outsize obligations for smaller banks that lack the resources of their larger counterparts, without providing them enough support.
Risk management is not a one-and-done process. As the guidance explains, "Maintaining a complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship supports a banking organization's determination of whether risks have changed over time and to update risk management practices accordingly."
For fintechs
Banks will be ramping up risk management requirements across all fintech partners. Fintechs should familiarize themselves with regulators' recommendations on due diligence, monitoring, and contractual negotiations ahead of their adoption.
Fintechs will need to invest more in onboarding new bank partners. The guidance will extend diligence timelines at many banks and increase the overall costs associated with banks' partnership programs.
Guidance on fintechs' responsibilities in specific partnership contexts is still outstanding. Banking-as-a-Service providers will continue to look to federal regulators for a better understanding of their role in the initiation and oversight of specific banking activities, while open banking platforms will lean on the CFPB to help resolve tensions between the guidance and consumers' data access rights. In lending, open questions about true lender rules will likely be answered in state courts far sooner than at the federal level.
For This Week in Fintech readers
We'd love your thoughts! Join the discussion in TWIF's Slack community.
🧵 Thread in #compliance_and_regulation is open for your insights, feedback, and questions.
Edit on 6/23/23: Colorado's proposed H.B. 1229 legislation was passed on 6/5.

