Chris Willis and his guests discuss the complexities and potential pitfalls of bank-fintech partnerships.
In this episode of The Consumer Finance Podcast, Chris Willis discusses the complexities and potential pitfalls of bank-fintech partnerships. Joined by colleagues Alexandra Steinberg Barrage, Matthew Bornfreund, and Jesse Silverman, the conversation delves into the structure of banking-as-a-service (BaaS) relationships, regulatory pressures, and key friction points such as BSA/AML compliance and ledgering. The team offers practical solutions for both banks and fintechs to ensure successful collaborations, emphasizing the importance of clear roles, responsibilities, and robust compliance measures. This episode is essential listening for anyone involved in or considering a bank-fintech partnership.
The Consumer Finance Podcast: Navigating Bank-Fintech Partnerships: Avoiding Common Pitfalls
Host: Chris Willis
Guests: Alexandra Steinberg Barrage, Matt Bornfreund, and Jesse Silverman
Date Aired: June 27, 2024
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the Co-Leader of Troutman Pepper's Consumer Financial Services Regulatory Practice. Today, we're going to be talking about issues that can cause bank fintech partnerships to go off the rails and how to avoid them.
Before we jump into that topic, let me remind you to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. Don't forget about our other podcasts, we have lots of them. We have the FCRA Focus, all about credit reporting, our crypto podcast called The Crypto Exchange, Unauthorized Access, which is our privacy and data security podcast, Payments Pros, all about the payments industry, and our latest newest podcast, Moving Metal, which is about the auto-finance industry. All of those are available on all popular podcast platforms.
Speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing. If you enjoy reading our blogs and listening to our podcast, check out our handy mobile app. It's a great way to access both of those. It’s available for both iOS and Android, just search for Troutman Pepper in your App Store and give it a try.
Now, today as I said, we're going to be talking about the common issues that can cause bank fintech partnerships to go off the rails and have an unpleasant friction between the bank and the fintech partner. Joining me to talk about that topic are three of my colleagues. We have Alex Barrage, and Matt Bornfreund, and Jesse Silverman, all of whom you've heard on the podcast before. Alex, Matt, Jesse, welcome back to the podcast. Thanks for being here.
Jesse Silverman:
Thanks for having us.
Chris Willis:
A lot of these friction points have come to the fore recently in the context of banking as a service relationships, between fintechs and their sponsor banks. I think before we get into a discussion of where the tension points can be, it probably makes sense to explain the structure of the relationship in a banking as a service environment. Who's doing what, who are the parties and why it's important. Would one of you like to take the lead in explaining that to our audience and to me?
Alexandra Steinberg Barrage:
Sure. Let me take a stab at it. Basically, this model of bank fintech partnerships, it's not a new model. It's been around for, I don't know, the better part of 10 years, maybe 10-plus years. Basically, the fundamental premise of the model is banks provide certain core banking activities. They take deposits, they make loans, they have access to payment rails. Non-banks do not do that. However, non-banks have really well-developed technology stacks, APIs that make a lot of the delivery of those services to end-users, or to customers a lot more efficient, a lot more user-friendly.
Over the years, these partnerships have evolved. They started simply, I think, in terms of just upgrading software and Matt can talk a little bit more about that, to today, relationships that are structured in a number of different ways. There are co-brand service relationships. There are relationships where the fintechs only deal directly with the customer, or there are relationships where the customer deals directly with the fintech and the bank and variations of that. There are different products. They could be peer-to-peer payment products, or debit card products, or BNPL products.
At the end of the day, these arrangements have been around. Sometimes they involve a party in the middle, which we call a middleware, which has gotten a lot of recent attention. I think for me, one of the most interesting parts of the structure is that each party has a different set of roles and responsibilities and different compliance obligations that come along with that. As a very high-level point, it's those kinds of asymmetries in the compliance obligations of those parties that I think has given rise to so many of the regulatory enforcement frameworks that we've seen, or regulatory enforcement orders that we've seen really over the past two, two and a half years. Matt or Jesse?
Matthew Bornfreund:
Actually, yeah, that's a good place where I could jump in, is this difference of obligation. Because the bank that's involved in these relationships is the one that has a direct supervisory relationship and obligation to a regulator, usually either the Fed, the FDIC, the OCC. The earliest kinds of fintech arrangements that we saw were basic things, like integrating payments processing into a webpage, or finding a way to better market a lending product.
Those kinds of third-party fintech type relationships do have some degree of compliance obligation for the bank, but it's pretty easy for banks to manage those kinds of things, where all they really have to do is check to see how this fintech is representing the bank's name, or how they're providing marketing materials. Those fintech relationships have gotten much more complicated. They've gone through a series of changes, and I'm going to pass it to Jesse in a moment to give some more color on this, but it started as a white label is a big thing that happened, probably around six to seven years ago, where a fintech company wanted to present as if they were themselves offering the financial services, but what they're really doing is in the background just selling the bank's products and services, selling deposit accounts, selling loans, and just doing it under their own name. I think Jesse has a lot more experience with that part of it.
Jesse Silverman:
I think the evolution of BaaS is one of the most fascinating aspects of this story. If you look at the earlier iterations of BaaS, they really presented themselves as a one-stop shop for anyone to offer consumer financial services. If you are a retailer, if you had any large customer base, BaaS could plug in, connect you with an actual chartered financial institution, and they represented that they would carry the heavy load. By that, I mean, they would manage KYC. They would manage AML, BSA requirements. They would contract with the bank. They really presented themselves as a one-stop shop.
It always seemed a little challenged, because they were taking on a heavy lift, partnering with companies that didn't necessarily, they weren't financial institutions themselves. It was ripe for a problem. I think what we saw was there was a lot of ambiguity between those middleware providers and the banks as to who truly owned what parts of these regulatory responsibilities.
As we're seeing through several of the FDIC consent orders, that ambiguity has come back to really harm lots of those banks, who had tried to offload some of their responsibilities to the middleware. Now, just fast forwarding to, I would say, the last handful of months, I think the BaaS providers, just as in middleware, have really changed their approach to the market, they no longer present themselves as everybody. They're not engaging quite as many in tri-party agreements, where the institution, or the fintech and the bank and they are equal parties to this arrangement.
Now, they're just trying to be a real proper platform to connect the fintechs and the banks much, much narrower focus, much, much more rational, because the contracts need to be between the fintechs and the banks, because that's where the obligations lie.
Matthew Bornfreund:
Yeah. As far as Jesse, you say there's some ambiguity as to who had the regulatory obligations. The regulators never really saw any ambiguity here, right? The regulators always thought that it was the banks that were ultimately responsible.
Jesse Silverman:
They're making that clear right now with a series of consent orders to say, “Just in case anyone was unsure, these are your responsibilities, financial institution.” No ambiguity anymore.
Chris Willis:
Yeah. Well, and the animating force behind the conversation we're about to have, about potential friction points between banks and fintech partners, is that very regulatory pressure that you all are speaking of, that series of consent orders, the regulatory expectations, and, yeah, that's really the driver behind the story that we're about to tell, I think. Having identified the structure of the relationship and this period of heightened regulatory expectations, let's get into talking about some of the things that can cause a bank fintech partnership to get off the rails, as our podcast title suggests.
It seems like, the first and most obvious one has to do with Bank Secrecy Act, or anti-money laundering issues. What can happen there? What lessons have we learned and what are the friction points there that can cause something to get off on the wrong foot?
Jesse Silverman:
I think that one's to you first, Alexandra.
Alexandra Steinberg Barrage:
Sure. Well, within BSA/AML, there's quite a lot of compliance obligation on just behalf of the bank. Banks typically have to deal with things like CIP, or Customer Identification Programs. They have to have customer due diligence in place. They have to monitor, they do transactions monitoring as part of their regulation, or regulatory obligations. They also have to deal with AML/CFT risk, dealing with their financing of terrorism.
There is a lot in the AML Bank Secrecy Act framework that banks are responsible for. Sometimes what banks do is they work with third parties, or their fintech partners to offload some of that responsibility. Oftentimes, to Jesse's point, there isn't total clarity about rules and responsibilities there. Sometimes third parties will file what are called SARs, Suspicious Activity Reporting, on behalf of the financial institution bank. Then there are all these minimum requirements that banks have around internal controls, having BSA officer, having appropriate training. The list goes on and on.
I think where a lot of the regulators have placed their attention is firstly, on the board oversight of the broader AML program and the sub programs within that, whether it be training, or whether having the appropriate personnel deal with these issues. That's been a theme across, I'm going to say, 10 or 15 consent orders just over the past two years. If there's one recurring concern across these partnerships, it's been BSA, AML, and making sure the appropriate risk management and procedures and policies are in place at the banks. That's one that we've seen quite a lot of.
Matthew Bornfreund:
Yeah. Let me add some color to what Alex was saying. Alex mentioned about the obligations they have to the customers. One of the key problems that actually comes up often is identifying whose customers are the users. That question often is not clear at the outset of the relationship between the fintech and the bank. It matters, because depending upon the type of relationship, banks are not typically required under the BSA/AML rules to look through to their own customers’ customers. But if the relationship between the fintech and the bank is not a customer relationship and it's a service provider relationship, then the end users are customers of the bank. That means the bank has to treat them as they would treat any of their other customers and the kinds of due diligence they do.
Identifying where the customer actually sits is one of the key problems that needs to be addressed at the outset of the relationship, and can certainly go off the rails if you don't figure that out up front. The other question is something Alex brought up is what can be offloaded. Banks are allowed to subcontract out, or assign out certain processes as part of the BSA/AML program, but what banks can't do is truly offload the responsibility, the ultimate obligation, to ensure that BSA/AML procedures are conducted appropriately.
What we found is that a lot of banks gave the rule book to the fintech and said, “Fintech, you must follow all of these rules in order to comply with BSA/AML.” Then were not adequately checking to make sure that the fintech did in fact do all of those things. For BSA/AML, the bank can't simply say, “Oh. Well, that wasn’t our job. We assign that responsibility to the fintech.” The regulators will tell you that it's always the bank’s responsibility, no matter who's actually doing the processing on a day-to-day basis.
Jesse Silverman:
I just wanted to come at this from the other perspective, which is having been in-house GC at several fintechs, I have often been tasked with leading our BSA/AML, the process, and I'll say on behalf of the bank, right, because it's ultimately the bank's responsibility. I came across a very, very wide array of approaches on behalf of the banks. There were banks that they asked for my policy and procedures. I provided it to them. They said, okay. That was the last thing that we heard about.
There were other banks who got down into the weeds. They actually very clearly read our internal policies and procedures. They recommended/demanded changes to those policies and procedures. They wanted to know about appropriate staffing. They wanted to know how staffing was tied to volume. They wanted to, if you were going to have 5% to 7% hits on your KYC, you're going to need a certain number of staff. There was a very wide range of bank approaches to offloading. Again, that word sounds bad, but having your fintech partner conduct your responsibilities.
I think that what we've seen through these orders is there's a right way to do it. That is not only can you have your partner do it, you have to actually be checking to make sure that they're doing it. This sounds obvious from a third-party risk management. I've always said, I've advised people, philosophically, those fintechs out there, if they're doing KYC and they're doing AML on your behalf, it's better to philosophically think of them as another unit of your financial institution. They're not just some random third party. If they do things and they say things, ultimately, those problems are going to come back to you and the FDIC has made that clear. It's better to think of them just from a compliance perspective as another branch. How would you conduct third party risk management on another one of your divisions? What would your CMS be? Just as a philosophical matter. I think that we're seeing the FDIC expects that as well.
Chris Willis:
Okay, so we've identified a problem, that is BSA/AML compliance. But we're not just problem lawyers. We're solution lawyers, too. I'd love to ask the three of you, we know this regulatory pressure is here. We know it's something that can get messed up. What is the solution to it, both on the bank side and the fintech side? Jesse, you were starting to talk about what the solution is on the bank side, but I'd love to get all three of you with just a quick take on how do you resolve this problem to make sure the relationship doesn't go off the rails, either from the bank standpoint, or from the fintech standpoint.
Alexandra Steinberg Barrage:
I think you need to do several things. First, you need to read the most recent orders. The Evolve order is what I think of as an omnibus order. It pretty much includes the kitchen sink on all the different types of risks that this particular bank faced. I think you should treat that order as a blueprint for your own organization and expect that your partner bank, or multiple partner banks will be coming to you if they haven't already, and asking you what your policies and procedures are for XYZ. Taking a close look at that, either because their regulator is requiring it, or because it's just a smart way to do business in a regulatory environment where there's tremendous amounts of pressure. That's the fintech side. Use it as a blueprint and be ready for that. Make sure you have the right people helping you with that on the outside and on the inside.
I think from the bank side, the one thing I would add to what Jesse said was that you need to be thinking about vendor risk. You need to be thinking about the possibility of your fintech in the worst case, going out of business. What data does that fintech hold? What data are you dependent on that fintech for? Is that fintech ledgering, or providing some ledgering service, or some reconciliation on accounts that you are dependent on? Should you be dependent on that? Should you be outsourcing that? Those are some really basic bank 101 type functions and procedures that all parties in this relationship ought to take a much closer look at.
Matthew Bornfreund:
Alex, that's a good point. One thing I would add, you and I have talked about this with some of our clients, is if you're in the fintech position, you want to be the best fintech that your bank partners are working with, because your bank partners are going to be under a lot of pressure from the types of enforcement actions that we saw to get it right. You just described all the ways to get it right. They might also be under pressure to reduce their overall footprint within the fintech space.
To the extent, if you're a fintech, you can be the best one for your partners. You have the best chance of making it through if your partners are looking to trim off some of the worst performing.
Jesse Silverman:
Yeah. I wholly agree with that. It's funny, we were talking about that earlier and there's definitely a flight to quality right now. There is a diminishing number of banks that are participating in the fintech BaaS ecosphere. Because of that, they're demanding much better expertise on the part of those fintechs if they're going to partner in that way.
I just wanted to follow up a little bit about what can those fintechs do to prepare. Alexandra’s 100% correct that they should expect their bank partners will be knocking on their door and asking about all of the things that we've seen in the Evolve order, which to her point, is it's an omnibus order. It is pretty much everything a compliance management system can address.
I think another very, very important takeaway, if I were sitting on the other side and when clients ask me, I'd be testing. It's one thing to say, I've got the policies, I've got the procedures. What I would be doing right now is spending a lot of time on testing my own internal systems, testing my own policies and procedures, and documenting the hell out of all of that testing, so that when those bank partners come calling and they assuredly will come calling, because the regulators are going to be asking them. As we know, all the good stuff rolls downhill. Once that obligation passes from the regulator to the sponsor bank, it's going to roll right down to that fintech. I would want to be prepared with not just here are my policies and procedures, this is what I'm doing. Let me show you the evidence of what I'm doing.
Here is our testing for KYC AML transaction monitoring. Here is some sampling that we've done. Hey, look, if you really want to go the next level, have that be independent testing. For some of those, your bank partner probably requires you to do annual testing, and it might be annual transaction monitoring. It depends on what the nature of the relationship is. If they're requiring you to already have annual independent testing, go do it now. Go have this done now. That is going to put you in the best light when those sponsor banks, to Matt's point, are looking to cull the herd. That's going to bring you above the top. You're going to look like a real adult professional organization.
Chris Willis:
Okay. We've talked about BSA and AML. Let's identify another potential friction point that I feel like, is on everybody's mind because of the recent Synapse bankruptcy. That is ledgering and reconciliation. Alex, do you mind just telling the audience, first of all, what is that? And why is it important and what can go wrong with respect to it?
Alexandra Steinberg Barrage:
Yeah. Fundamentally, ledgering refers to a bank's understanding of what accounts hold what for their owners, the depositors. That sounds like a very simple concept, right? That is what banks have to do extremely well. Of course, there are moments in the day where there are things like, chargebacks, and there are other actions that could potentially implicate what that ledger looks like. There could be a check that hasn't cleared. There are all these other things that get essentially, settled up by the end of the day.
Banks typically are looking at a bunch of different inputs on any one depositor's account, whether that be a chargeback, it's under all these different browsers, ACH, there are all of these systems that are frankly not interoperable that make up a bank's ledgering facility. Sometimes fintechs do some ledgering as well. Their ledgering capabilities are largely a function of their engineering teams. There's no one ledgering in a box API program that all fintechs use. It actually can get somewhat complicated, especially where fintechs offer multiple different types of products to multiple customers, or where they offer, let's say, activities, or products across multiple partner banks.
The more optionality you have and the more product diversity you have, the more inputs you potentially have, the more complicated ledgering can become. That's in a nutshell how I think about what ledgering is. Matt or Jesse, you guys want to add to that?
Matthew Bornfreund:
Sure. Well, and where the rubber meets the road and why you need to have accurate ledgers, other than just the simple answer of you need to know where your customer's money is, that sometimes banks do fail. It's something that people seem to forget about up until about 18 months ago when Silicon Valley Bank failed.
At that point, everyone realized, “Oh, wait a minute. We do actually need to know on a daily basis exactly how much money there is in each account and who the beneficial owners are,” because the FDIC wants to be able to look at the account records and know who the individual customers are to see whether the individual customer's funds are insured, versus insured at just the top level for the whole company. In a lot of the fintech relationships, it has to be made clear whether the money that's being held at the bank is money that belongs to the fintech company itself, or whether that money is actually beneficially owned by lots of individual owners on the other side of the equation.
If it is lots of individual owners on the other side of the equation, the question is, who would want to keep the record to identify exactly which individual owners have how much money on each day? In some of the relationships that we've looked at, it's not clear from the outset which party, the bank or the fintech, is responsible for managing that ledger on a day-to-day basis.
One of the things I always try to do to solve problems is make sure it doesn't become a problem in the first place. In the initial agreements, in the initial relationship, the parties, the fintech, and the bank need to decide very clearly who is responsible for managing those ledgers on a day-to-day basis and who is going to actually have the gold standard, the account ledger of record that the FDIC could use if necessary.
Jesse Silverman:
I think that's a fascinating question. Whose responsibility is it? Completely agreed that figuring that out ahead of time. I'm going to throw one out there, which is so obvious that I can't believe I even say it, but clearly, it needs to be said. Nobody, no fintech and no bank should be co-mingling their operating funds with consumer accounts. I'll get that one out of the way, because that one feels like the lowest of low hanging fruit, but don't do that ever. The fascinating aspect is it's not just whose responsibility is it to keep the records, right, to maintain those books and records and the account ledgering. What happens when one of those parties dies?
Because we can see right now in this particular Synapse matter, well, Synapse has entered bankruptcy and the bankruptcy trustee is left having to basically implore AWS to continue to keep the system operating, notwithstanding the fact that they're not getting paid, because that's where the account ledgers live. That's a very, very, very bad outcome. Banks and fintechs need to plan for a universe where end of life, there is some continuity over those records, and somebody has access to those records in there. You don't want to be in a position of having to beg Amazon to continue to keep your account live so the customer records aren't lost.
Then there's one last point to me which is many of the banks and fintechs, they operate and maybe they send daily flat files to reconcile their own accounts. I don't know if that's sufficient anymore. I think some nature of real-time account – it doesn't have to be real-time read and write, it could just be real time read, but there's got to be some real-time access to those accounts.
Given what we know now about how bad things can get, I don't know how you do appropriate third-party risk management without having real time access to those account ledgers. That is where my head would be if I was a sponsor bank, or if I was a fintech. Those are the reconciliations that float to the top for me.
Chris Willis:
Okay. Well, I heard a lot of great potential solutions to that problem from all three of you. Thank you. Because again, we're solution lawyers, not problem lawyers. Are there any other areas of friction you'd like to highlight for the audience that banks and fintechs ought to be looking out for and looking for a proactive solution to?
Jesse Silverman:
I think the other issue is marketing communications. It's very hard for a consumer to figure out what the nature of that relationship is between the fintech and the bank. Matt mentioned that earlier in that root question of whose customer is this? That's a really complicated question. If it's complicated for me, I'm going to guess, the average citizen is having an even harder time figuring out, “I'm putting my money into this fintech, which looks an awful lot like a bank to me. They say that they're not a bank. They say that they're a fintech and they have a – there's a banking institution, they’re FDIC insured. I don't know what the nature of that relationship is as a consumer.” That's a big challenge.
How to solve it for the banks and the fintechs? I do think it's pretty fact specific. We're talking about fintech as a monolith, and Alexandra mentioned this earlier, the nature of the relationships are very, very, right? They could be payment processing. They could be accessed in the payment rails. They could be the deposits. It's hard for me to give a one size fits all answer to this. The one size fits all answer I do have is I think everyone in fintech in the banking world needs to think more about how the nature of those relationships are disclosed to the end user. Because if we've seen one thing from the Synapse bankruptcy, it is a great deal of customer confusion. Frankly, confusion on the part of the federal bankruptcy judge as to why the federal regulators aren't stepping into this particular situation.
I think all of us on this call, on this podcast know why, because no bank has failed. But that part isn't clear to the average consumer. I think everyone needs to think about how to disclose those risks better based on their own business.
Chris Willis:
All right. This has been a fascinating conversation. I want to give each of you the opportunity to give a parting thought, if you'd like to, about the future of bank-fintech relationships in light of these potential friction points. Alex, let me start with you.
Alexandra Steinberg Barrage:
I don't think fintech is dead by any means. I think that banks will get smarter. I think the fintechs that will survive are the ones that take compliance very seriously, and now's the time.
Chris Willis:
Okay. Thank you, Alex. Matt, what would you like to say to the audience as we sign off?
Matthew Bornfreund:
All of the relationships between banks and fintechs are understandably complicated, but I like to look at them as several different strands. Oftentimes, the answer is whose customer is it? It's both. Whose responsibility is it? It's both. What the parties need to do is instead of looking at it in a big picture, like customer, or responsibility, they need to drill down to each individual aspect of their relationship in this product, in this service, in this activity. Are they a customer of the bank, or a customer of the fintech? In this particular activity, who's responsible for this thing? Is it the bank, or the fintech? By sorting those things out upfront, you can make the complexity a little bit easier to manage.
Chris Willis:
Okay, Jesse, how about your parting shot?
Jesse Silverman:
I'm going to stand on the shoulder of giants here, and I'm going to take Alexandra's comment one step further. Not only do I agree with her that fintech-bank partnerships are not dead, I think this is the greatest thing to happen to fintechs. I'm incredibly bullish on fintechs and fintech-bank partnerships. I think they're all going to be much better for this. It's awful that it has to happen with consumer pain and it has to happen with employee pain. But that is often the way that you learn the most is through a significant amount of pain. The only thing that would disappoint me is if people don't take that pain and learn from it and improve. But I'm pretty bullish and think that they're going to.
Chris Willis:
Thanks, Jesse. I think the parting comment I would take from this and from all of your excellent presentations on this issue is that all of these compliance and regulatory issues are ones where both the bank and the fintech need to understand that they are working together to meet regulatory expectations. If they fail to do so and they want to put the responsibility on the other party, that's leading them down a path of potential failure of the relationship, either on an individual basis, or worse yet, on a more systemic basis. I would close with the idea that banks and fintechs both need to understand that they have a shared responsibility on these issues if they want the business model to survive and prosper.
Alex, Matt, Jesse, let me thank you all for being on today's podcast. It was a great episode. Thanks, of course, to our audience for listening as well. Don't forget to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. While you're at it, why not visit us over at troutman.com and add yourself to our consumer financial services email list. That way, you can get copies of the alerts and advisories that we send out, as well as invitations to our industry-only webinars that we put on from time to time.
Don't forget about our handy mobile app. As I said before, it's available for both iOS and Android. Just look for Troutman Pepper in your app store. Of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.