Of course, it remains to be seen whether the specificity of the RFI translates over into clearer and more detailed guidance, but this question from the RFI suggests that the agencies are thinking that it might:
To what extent would additional clarifications or further guidance be helpful to banks with respect to bank-fintech arrangements? If so, please explain. In what specific areas would additional clarification or further guidance be most helpful?
Now, let’s review some of the other questions from the RFI and consider what they might mean for BaaS and bank-fintech partnerships in the future.
We will organize them into a few different buckets.
(Editor’s note – you will see the bloody fingerprints of Synapse and Evolve all over these questions. It’s obvious that the Synapse/Evolve meltdown was the precipitating factor for this RFI. However, the RFI also touches on many areas outside of Synapse/Evolve.)
Intermediate Platform Providers
This is the term that the agencies use to describe BaaS middleware platforms like Synapse, Increase, Unit, Synctera, Treasury Prime, Helix, Infinite, and Atelio.
And thanks largely to Synapse, these companies are squarely in the agencies’ sights, as this question demonstrates:
Describe the range of practices regarding the use of an intermediate platform provider. Describe how the use of an intermediate platform provider may amplify or mitigate risk, and to what extent, if any, intermediate platform providers influence how banks handle operational, compliance, or other issues when dealing with fintech companies within the intermediate platform provider’s network.
The RFI makes clear that the agencies are worried about program management – a service provided by some intermediate platforms, in which they handle certain tasks (compliance, risk management, transaction processing, reconciliation, etc.) on behalf of the bank or fintech.
This concern is not new, which is why most of the intermediate platform providers that did offer program management have been scrambling to pivot away from that model or de-emphasize that aspect of their services.
Power Dynamics
One of the primary deficiencies in the agencies’ TPRM guidance to date has been the implicit assumption that the relationship between banks and their third-party service providers is always one in which the bank has the leverage.
This made sense in a world in which third-party service provider always meant vendor.
However, fintech companies aren’t your typical third-party service providers. For many BaaS banks, fintech has been a critical, irreplaceable source of revenue and growth. This has given fintech companies a great deal of leverage over their bank partners, leverage that they haven’t always wielded in the smartest or most responsible way (I’ll refer you back to the Mercury/Synapse/Evolve example above).
The agencies’ RFI demonstrates that they have finally grokked this. Here’s a quote that Andrew Grant, Partner, Runway LLP, pointed out to me:
These facets of bank-fintech arrangements may create heightened or novel risks for banks relative to the risks associated with more traditional third-party vendor relationships.
In the RFI, the agencies ask about the impact of these dynamics on contract negotiation and due diligence processes:
What impact, if any, does the size and negotiating power of the bank or the fintech company have on [contract negotiation and due diligence]? What impact, if any, does the fintech company’s or intermediary platform provider’s degree of control of operational functions have on [contract negotiation and due diligence]? What impact, if any, does bank liquidity or revenues concentration represented by any particular fintech company, intermediary platform provider, or business line have on [contract negotiation and due diligence]?
They ask about the business models that underpin these arrangements:
Describe the range of practices regarding how revenues and costs resulting from these arrangements are allocated between the bank and fintech company.
They even ask, somewhat philosophically, who owns the customer:
How do the parties to bank-fintech arrangements determine the end user’s status as a customer of the bank, the fintech company, or both, including for purposes of compliance with applicable laws and regulations, and each party’s responsibility in complying with contractual requirements?
They also do a wonderful job outlining their concern that poor or imbalanced contract negotiations can distort the division of operational responsibilities between banks and their fintech partners, muddying who is accountable when something breaks:
Contractual accountability for different aspects of the end-user relationship may be allocated among the parties to a bank-fintech arrangement. However, banks remain responsible for compliance with applicable law. Failure to conduct sufficient due diligence, ongoing monitoring, and oversight of the bank-fintech arrangement may complicate the bank’s ability to ensure such compliance and to identify risk. In addition, contractual division of labor may complicate the bank’s ability to establish clear lines of accountability, implement effective risk and compliance management strategies, and address and remediate issues as they arise, especially where novel arrangements place certain traditional banking activities outside of the bank.
End-User Confusion
Given the very public plight of Synapse’s end users, it was a sure bet that the agencies were going to make end-user confusion a central topic in this RFI.
And indeed they did:
The fintech company’s efforts to provide a seamless end-user experience could make it difficult for end users to know in what capacity they are dealing with the bank or the fintech company. In some cases, marketing materials or other statements by the fintech company or bank may exacerbate end-user confusion. For example, end users may not be well-informed regarding the type of account relationship that the end user is establishing through the fintech and may not understand that Federal deposit insurance does not protect them from a nonbank fintech company’s failure.
One interesting question from the RFI that caught my eye was this one, focused on initial and ongoing disclosures to end users about the nature of the relationship between the bank and the fintech:
Describe the range of practices regarding disclosures (e.g., initial, annual, or ongoing) to end users about the involvement of bank-fintech arrangements in the delivery of banking products and services.
Perhaps, in the future, it won’t be enough to say, “Chime is a financial technology company, not a bank. Banking services provided by The Bancorp Bank, N.A. or Stride Bank, N.A.; Members FDIC” on your homepage and call it a day.
Planning for the Worst Case
The agencies also stressed the importance of operational resilience and contingency planning in worst-case scenarios like …
Your middleware platform going bankrupt, and you realizing you have an unresolved reconciliation nightmare on your hands:
In the context of bank-fintech arrangements, how are deposit accounts usually titled? Describe the range of practices reconciling bank deposit account records with the fintechs’ records. Generally, what party holds and maintains the account records?
Or you suffering a data breach that exposes the personal information of more than 7 million people:
Describe the range of practices regarding planning for when a fintech company or intermediate platform provider exits an arrangement, faces a stress event, or experiences a significant operational disruption, such as a cyber-attack.
Obviously, these are just hypotheticals, but it’s nice to see the agencies thinking ahead here!
The Risks of Rapid Growth
Finally, the RFI makes a point of emphasizing the risks that can be introduced when a fintech partnership (or partnerships) leads to rapid growth:
A bank may experience rapid growth as a result of engaging in a bank-fintech arrangement, especially in the case of a community bank. Various risks can emerge from rapid growth and the bank’s changing risk profile, including risks that may threaten the bank’s safety and soundness or its ability to comply with applicable laws and regulations. These risks may arise from challenges such as appropriately scaling risk and compliance management systems, operational complexities, significant deposit growth, and insufficient capital to support the rapid growth, among other things.
Specifically, the agencies see the potential challenges created by rapid growth in deposits:
Rapid deposit growth related to a bank-fintech arrangement can also pose risks related to funds management. For example, a bank may need to invest an influx of short-term deposits that greatly exceed amounts the bank has traditionally managed. To the extent that deposits are used to fund growth in longer-term or higher-risk fixed-rate assets, including loans and securities, the bank may be exposed to greater liquidity, interest rate, or credit risk, especially when such investments are concentrated, or the risks are otherwise correlated.
And payments:
Bank-fintech arrangements may also pose operational complexities, which may lead to increased risk. For example, potentially significant increases in the volume of payment processing may give rise to increased transaction monitoring alerts. In addition, depending on the integration of the bank’s information technology systems with those of the fintech company, security vulnerabilities and other sources of operational disruption may arise, increasing the likelihood of data breaches, privacy incidents, service interruptions, and fraud. In some cases, banks do not have or are unable to develop the infrastructure to adequately address these complexities, and instead rely on manual workarounds, which could lead to operational breakdowns that may implicate various other risks, including compliance and legal risks.
Interestingly, lending-related bank-fintech arrangements seem to be less of a concern for the agencies (though they do definitely talk about lending-specific challenges like concentration risk).