Sullivan & Cromwell Discusses Banking Agencies’ Request for Information About Bank Relationships with Fintechs

On July 25, 2024, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Agencies”) issued a request for information (the “RFI”)[1] regarding arrangements between banks and financial technology (fintech) companies. The RFI reflects the Agencies’ recent focus on risks associated with “banking as a service” (“BaaS”), “embedded finance” and other arrangements through which banks make available deposit, payment or lending products that are marketed, distributed or otherwise provided by fintechs to consumer or business end users. The RFI describes arrangements that the Agencies have observed and associated risks for banks, and requests comments on 27 questions addressing numerous aspects of these arrangements.

Alongside the RFI, the Agencies published a joint statement (the “Joint Statement”) addressing a subset of bank-fintech relationships—those that facilitate the provision by fintechs of bank deposit products.[2] The Joint Statement describes risks these arrangements may generate and sets out, with reference to existing regulations and guidance, effective practices to manage those risks.

Both the RFI and Joint Statement expressly state that they do not establish new requirements or supervisory expectations. Comments on the RFI will be due 60 days after publication in the Federal Register.

DISCUSSION

The Agencies expressly recognize in the RFI and Joint Statement that banks may derive benefits from relationships with fintechs. These relationships “may enable banks to leverage newer technology and offer innovative products or services,” may provide banks with “the ability to quickly and more cost effectively deploy products or services into the market” and may give banks “access to new or expanded markets, revenue sources, and customers.”[3] The Agencies, according to both the RFI and Joint Statement, “support responsible innovation and support banks in pursuing bank-fintech arrangements in a manner consistent with safe and sound practices and applicable laws and regulations.”[4] Nevertheless, the focus of the releases—as described further in the following sections of this Memorandum—is on the risks that these arrangements may pose to banks and the need for banks effectively to manage those risks.

The Agencies’ focus on these concerns likely reflects events that have demonstrated risks that may arise for banks and end users and, in turn, the FDIC’s ability to manage bank failures. The release of the RFI and Joint Statement follows public statements related to the recent bankruptcy of Synapse Financial Technologies, Inc. (“Synapse”).[5] Synapse acted as a “middleware” or “intermediate platform” provider, not directly serving end users but providing technological, operational, information and other services to enable various fintechs and banks to connect their systems and platforms. After Synapse declared bankruptcy in April 2024, a substantial shortfall in funds was identified, with fintechs that relied on Synapse owing their customers between $65 and $96 million more than what the applicable banks recorded as being owed to the fintechs.[6]

The RFI and Joint Statement follow various other actions the Agencies have taken in recent years to address risks they have identified with respect to bank-fintech arrangements. The Agencies have pursued enforcement actions against banks related to fintech relationships. Individual consent orders have required banks to make enhancements to their systems and processes, including with respect to third-party risk management, Bank Secrecy Act/anti-money laundering (“BSA/AML”) compliance, consumer compliance, operational risks, liquidity and credit risks, internal audit and governance. The Agencies have also updated their guidance on bank risk management of third-party relationships, emphasizing that the guidance applies to bank-fintech arrangements, including those that involve “new or novel structures or arrangements,”[7] and have established supervisory programs that are intended to address, among other things, bank-fintech relationships.[8] Additionally, the FDIC has identified cases where fintechs have suggested that FDIC deposit insurance was available when it may not have been or where the fintechs were not sufficiently clear that, in the context of a bank-fintech arrangement involving deposit-taking, FDIC deposit insurance covers the failure of the bank, not the fintech.[9]

The Agencies state that the RFI is intended to enable them to increase their understanding of these arrangements, “including with respect to roles, risks, costs, and revenue,” and their implications on “banks’ risk management, safety and soundness, and compliance with applicable laws and regulations.”[10] To that end, the RFI includes numerous questions regarding bank-fintech arrangements, including the structures of these arrangements, associated benefits and risks, risk-management practices that have been put in place and potential effects on financial inclusion, financial stability, innovation and competition. However, the Agencies do not include any questions on what considerations lead banks to enter into the fintech arrangements described by the RFI and Joint Statement, and whether regulatory considerations, including any rules or supervisory expectations of the Agencies, have had a role in pushing banks toward implementing these arrangements, rather than developing products internally.

The Agencies also do not describe what they may do with the information they receive in response to the RFI. Given their focus on this topic, the Agencies may consider undertaking rulemaking, issuing new supervisory guidance or taking other actions relating to bank-fintech relationships generally or particular types or aspects of them.

Furthermore, the FDIC put on its agenda for a July 30 board meeting a notice of proposed rulemaking on brokered deposit restrictions.[11] If a fintech is a “deposit broker,” as defined in the FDIC’s regulations, related deposits will be “brokered deposits” subject to restrictions if a bank ceases to be well capitalized under the applicable Agency’s prompt corrective action framework and included in regulatory filings.[12] Depending on the context of the proposal that the FDIC will consider, it could have a significant impact on many fintech-related deposits.

SUMMARY OF THE RFI

The RFI includes three parts: (1) a description of common bank-fintech arrangements that the Agencies have observed, (2) a non-exhaustive list of risks that the Agencies have observed in respect of these arrangements and (3) as described above, an extensive list of questions about them.

The description of bank-fintech partnerships describes the variety of products and services they may involve, giving as examples deposits offered by a fintech and held at a bank, payment services offered by a fintech and facilitated by a bank, loans solicited by a fintech and facilitated and funded by a bank, and middleware providers that allow banks and third parties to interact with one another. The RFI also highlights differences in how these arrangements may be established and structured, and how responsibilities are allocated between a bank and a fintech, including with respect to recordkeeping, data access, compliance management, transaction monitoring and customer complaint handling. The RFI describes complexities that may arise from these relationships, including those relating to reconciliations, BSA/AML compliance and use of middleware providers.

With respect to risks, the RFI states that bank-fintech arrangements present “the full spectrum of risks facing banks, including, but not limited to, third-party, credit, liquidity, compliance, and operational risk.”[13] These risks, according to the RFI, may be “heightened” in numerous instances including where a fintech distributes a banking product or service to an end user or where a fintech or middleware provider (or a subcontractor on which the fintech or middleware provider relies) is responsible for a wide range of “key functions.”[14] The RFI then describes the following five specific risks that the Agencies view as “illustrative of certain select concerns”:[15]

  • Accountability: Although contractual arrangements between banks and fintechs may allocate tasks and responsibilities, “banks remain responsible for compliance with applicable law.”[16] A bank may have diminished ability to satisfy this responsibility if it does not “conduct sufficient due diligence, ongoing monitoring, and oversight,” or if it is unable, including as a result of contractual limitations, to “establish clear lines of accountability, implement effective risk and compliance management strategies, and address and remediate issues as they arise . . . .”[17]
  • End-user confusion: Efforts by fintechs “to provide a seamless end-user experience,” along with statements in marketing and other materials, may make it difficult for end users to know if and when they are dealing with a bank or a fintech.[18] Confusion by end users may lead to misunderstandings as to the scope of FDIC deposit insurance. Banks may also find it more difficult to meet consumer protection obligations if a fintech has responsibility for addressing customer complaints.
  • Rapid growth: Entering into a relationship with a fintech may lead to rapid growth in a bank’s deposits or transaction volumes. A bank’s risk and compliance management systems, management and employee expertise, transaction monitoring capacity, technological infrastructure or funds management may be inadequate to address the resulting risks and complexities.
  • Concentration and liquidity management: A bank’s business may become highly concentrated in one or more fintech arrangements. This concentration could increase credit risk exposures associated with the arrangement and liquidity risks that may result if the bank does not have adequate contingency planning or exit strategies in the event the arrangement is terminated or reduced.
  • Use of ownership of data and customer information: Bank-fintech relationships may rely on “new, innovative and potentially untested uses of data,” for example, basing credit underwriting on nontraditional data.[19] Doing so may raise challenges for ensuring accuracy and minimizing biases and pose operational difficulties, such as for systems or credit risk modeling. Moreover, a bank’s agreement with a fintech may restrict the bank’s access to data, potentially limiting the bank’s ability to satisfy compliance obligations. Regulatory requirements may also prevent a bank from sharing certain customer data with a fintech.[20]

SUMMARY OF THE JOINT STATEMENT

Unlike the RFI, which addresses a broad range of bank-fintech arrangements, the Joint Statement focuses only on arrangements that involve the provision of bank deposits. However, like the RFI, the Joint Statement describes a variety of risks that the Agencies have observed in connection with these specific types of arrangements. The observed risks overlap in significant part with those discussed in the RFI, and include operational and compliance risks, risks related to growth and risks arising from end-user confusion or misrepresentations of FDIC deposit insurance coverage.

After addressing risks from these relationships, the Joint Statement includes a detailed list of “effective risk management practices that a bank may consider when managing third-party arrangements.”[21] Although the list is expressly not “complete,” it describes appropriate practices banks should adopt in respect of governance and third-party management, management of operational and compliance implications of these arrangements, BSA/AML and sanctions compliance, management of growth, liquidity and capital implications, and prevention of misrepresentations as to deposit insurance coverage.[22] The Joint Statement derives these practices from “various existing resources, including guidance,” and an extensive list of relevant resources, including links to the underlying materials, is included with the Joint Statement.[23]

ENDNOTES

[1]           Office of the Comptroller of the Currency, Bd. of Governors of the Fed. Reserve Sys., Fed. Deposit Ins. Corp., Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses (July 25, 2024), available athttps://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20240725c2.pdf.pdf.

[2]           Bd. of Governors of the Fed. Reserve Sys., Fed. Deposit Ins. Corp., Office of the Comptroller of the Currency, Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services (July 25, 2024), available at https://www.federalreserve.gov/‌newsevents/pressreleases/files/bcreg20240725c1.pdf.

[3]           RFI at 9-10.

[4]           Id. at 7; see Joint Statement at 1.

[5]           See, e.g., Acting Comptroller of the Currency Michael Hsu, Remarks Before the Exchequer Club: Size, Complexity, and Polarization in Banking (July 17, 2024), available at https://occ.gov/news-issuances/speeches/2024/pub-speech-2024-79.pdf.

[6]           See Chapter 11 Trustee’s Fifth Status Report at 2-4, In re Synapse Fin. Techs., Inc., No. 1:24-bk-10646-MB (C.D. Cal.), ECF No. 320.

[7]           Bd. of Governors of the Fed. Reserve Sys., Fed. Deposit Ins. Corp., Office of the Comptroller of the Currency, Interagency Guidance on Third-Party Relationships: Risk Management, Final Interagency Guidance, 88 Fed. Reg. 37,920, 37,923 (June 9, 2023).

[8]           See Bd. of Governors of the Fed. Reserve Sys., Div. of Supervision and Regulation, SR 23-7, Creation of Novel Activities Supervision Program (Aug. 8, 2023), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2307.htm; see also Office of the Comptroller of the Currency, News Release 2023-31, OCC Establishes Office of Financial Technology (Mar. 30, 2023), available at https://www.occ.gov/news-issuances/news-releases/2023/nr-occ-2023-31.html.

[9]           See, e.g., Fed. Deposit Ins. Corp., Press Release, FDIC Issues Cease and Desist Letters to Five Companies For Making Crypto-Related False or Misleading Representations about Deposit Insurance (Aug. 19, 2022), available athttps://www.fdic.gov/news/press-releases/2022/pr22060.html?source=govdelivery&utm_medium=email&utm_source=govdelivery.

[10]         RFI at 10.

[11]         Fed. Deposit Ins. Corp., July 30, 2024 – Sunshine Act Meeting Notice (July 24, 2024), available athttps://www.fdic.gov/news/board-matters/2024/july-30-2024-sunshine-act-meeting-notice.

[12]         See 12 C.F.R. § 337.6.

[13]         RFI at 17.

[14]         Id.

[15]         Id. at 18.

[16]         Id.

[17]         Id.; see id. at 19-20.

[18]         Id. at 20.

[19]         Id. at 24.

[20]         See 15 U.S.C. § 6801 et seq.; 12 C.F.R. pt. 30, app. B (OCC); 12 C.F.R. pt. 208, app. D-2 (Federal Reserve); 12 C.F.R. pt. 364, app. B (FDIC); 12 C.F.R. pt. 1016.

[21]         Joint Statement at 5.

[22]         Id.; see id. at 5-8.

[23]         Id. at 5. The list of relevant resources is included on pages 9-11 of the Joint Statement.

This post comes to us from Sullivan & Cromwell LLP. It is based on the firm’s memorandum, “Federal Banking Agencies Request Information About Bank Relationships with Fintechs,” dated July 29, 2024, and available here.