The Consumer Finance Podcast

Navigating Fintech-Bank Partnerships: Preparation, Due Diligence, and Onboarding

Episode Summary

In this episode, Chris Willis and Jesse Silverman discuss the crucial steps fintech firms need to take to establish and maintain successful partnerships with banks.

Episode Notes

In this episode of The Consumer Finance Podcast, Chris Willis is joined by colleague Jesse Silverman. They discuss the crucial steps fintech firms need to take to establish and maintain successful partnerships with banks. Silverman, with his unique background as a state regulator, CFPB staff member, and fintech executive, provides insights into the preparation, due diligence, and onboarding processes. He emphasizes the importance of understanding the bank's compliance requirements, having clear policies and procedures, and ensuring a robust information security system. Silverman also discusses the benefits and challenges of using a Banking as a Service (BaaS) partner. The episode provides valuable advice for fintech companies looking to navigate the complexities of partnering with banks in a highly regulated industry.

Episode Transcription

The Consumer Finance Podcast: Navigating Fintech-Bank Partnerships: Preparation, Due Diligence, and Onboarding
Host: Chris Willis
Guest: Jesse Silverman
Date Aired: May 2, 2024

Chris Willis:

Welcome to The Consumer Finance Podcast. I'm Chris Willis, the Co-Leader of Troutman Pepper's Consumer Financial Services Regulatory Practice. Today, we're going to be talking about how FinTech firms can find and keep bank partners. Before we get into that topic, let me remind you to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. Don't forget about our other podcasts, we have lots of great ones. We have the FCRA Focus, all about credit reporting. We have The Crypto Exchange, about all things crypto. We have Unauthorized Access, which is our privacy and data security podcast, and we have Payments Pros, which is all about the payments industry. All of those podcasts are available on all popular podcast platforms.

Speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing. If you enjoy reading and listening to our thought leadership content here at Troutman Pepper, don't forget to check out our handy mobile app. It's available for both iOS and Android, and it has all of our blogs, all of our alerts and thought leadership pieces. It has listening access to all of our podcasts, all in the mobile app, and it even has a handy directory of all of our financial services lawyers and a calendar showing you what upcoming events we'll be attending and speaking at. Just look for Troutman Pepper in your app store, download it, and give it a try.

Now as I said, today we're going to be talking about how FinTech firms can find and keep their bank partners. It's especially a timely topic now, because the banks who do FinTech partnerships have some very significant regulatory pressures and expectations on them that they need to meet, and FinTechs have to understand that.

Now, joining me to tell you about that today is my colleague, Jesse Silverman. Jesse is a great source of information about this, because of some of the incredible experience he's had in the consumer financial services world. Jesse, first of all, welcome to the podcast.

Jesse Silverman:

Thank you for having me. Looking forward to it.

Chris Willis:

Do you mind just for a second, giving the audience a little bit of a biographical sketch of yourself, so they can understand the perspective from which you're going to be talking about this topic today?

Jesse Silverman:

Absolutely. I've got a little bit of a different background from many, because I was a state regulator for several years, working on enforcement matters and supervision matters, predominantly on non-bank stuff, but mortgages was heavy. I then, when the CFPB opened, I then moved down to DC and helped staff one of the early staff in enforcement, helped build that out, did a lot of deep work with supervision at the CFPB. When they decided to staff the regional offices with more than just supervision, they expanded it to enforcement as well, moved up to New York, where I there worked with our colleague, James Kim.

After that, I joke that I'm one of the only people in America who got the startup bug working for the federal government. Helping to start up the CFPB was some of the most entertaining and fantastic period of my career. I realized I love the startup. I then went out to Silicon Valley, worked for several FinTechs for the last 10 years. Have seen the FinTech world change dramatically over the last decade. Most relevant to this particular topic, I have gone through due diligence with countless bank partners. I have actually been partnered with several banks. I have gone through this. I have watched that world change dramatically over the last 10 years.

As you noted at the beginning of this, it's a particularly relevant topic now, because it is an area that is in, I don't know, if I'm being gracious, I would say, it's undergoing significant change. It's maturing. But there is a lot going on. These are vital relationships for many of these FinTechs. These relationships, these are ones, if you get wrong, your business goes to zero, right? You need that bank partner. If there is a partnership that is worthy of your time and effort, this is it as a FinTech.

Chris Willis:

Yeah, absolutely. Just listening to you talk about your background just helps me convey to the audience how happy we are that Jesse's joined our team here at Troutman Pepper, which he did very recently. I think you're going to hear through the course of this episode just how insightful he can be with respect to these things. Jesse, let's jump into it.

Let's say that I'm a FinTech company and I'm looking to engage in a bank partnership for either a banking as a service, or maybe some lending product. What are the essential preparations that I need to make before I even approach a bank to talk about a partnership? What do I do to get ready?

Jesse Silverman:

Yeah. It's a great question. It's funny. I was reading something on LinkedIn actually just yesterday, two days ago, Jonah Crane over at the Klaros Group, he had a post about flexibility. FinTechs are often looking for flexibility from their bank partners. He, and parenthetically, I, just think that that's absolutely the wrong approach. You want a bank partner that has certainty, not flexibility.

I want everyone to think through that lens, because I have seen that for the last several years. There were lots of FinTechs who were looking for bank partners that would be flexible with them. Obviously, I understand that drive. Everyone wants more flexibility, but it doesn't lead to good practices over time. With some of the, in particular, with some of the best sponsor bank consent orders, we're starting to see that, guess what? The regulators don't like that flexibility that much either. They would like to see certainty and they would like to see paths. I wanted to start the discussion with that framework. Be careful what you wish for. You really want to have certainty, not flexibility, even though it's more difficult upfront to get started.

With that, I think some of the key documents that you really have to have on day one, a large part of this is conveying to that sponsor bank partner that you, FinTech, you might be early stage, you might have six people, you might have 60 people. All right, you're selling yourselves just as much as that business. You have to portray yourselves as having the expertise to engage in a highly regulated industry, under that bank's name, or using that bank services. You have to show up and be ready. With that updated financial models, right? That might seem obvious, but you got to update it for the bank.

Obviously, it's going to be relevant for the bank to understand the scale. It's also going to be relevant for the pricing. Just show that you're prepared and show up with an updated financial model. For later stage companies, that's pretty obvious. They've all got financial models. But for those early-stage companies, they might not have a detailed financial model yet. Certainly, one that's going to have volume. The bank is going to want to see that, and they're going to want to see just for pricing, too. That's a very easy place to start.

You also, and this is a generic term, your policies and procedures. You have to have policies and procedures for many of the things that you're going to do in a regulated financial services industry. What those policies and procedures are, they vary a little bit if you're a payments, or if you're predominantly focused on lending. The key though is you have to have them, obviously.

Maybe you got them from your lawyers off the shelf. Maybe you got them from compliance consultants off the shelf. God forbid, maybe you went online and just got them online off the shelf. There's lots of places to start. Some are better than others. But they've got to be tailored for your actual business. The sponsor banks, they're going to read them. Their compliance team is going to look at them. They're not going to pick through them with a fine-tooth comb, but they've got to be tailored for your actual business. That's the first key.

The second key is you have to have someone who can adequately speak to them. That person has to fundamentally know what those policies are. They've got to be able to describe how they're going to enforce those policies internally. How often do you do internal audits? Do you have internal audits? What cadence do you do them? What does it cover? Are you a high risk in this area? Are you doing offshore payments? You're going to have to have a different focus than if you're lending in one state. It really has to be tailored to your particular business.

It's not hard, but that's the low hanging fruit. If you don't get that right, bank partners are going to say, “No, thank you.” Even more so now today. In those policies and procedures, too, I think one of the more important ones and one of the more challenging ones, if you're going to be doing KYC, AML transaction monitoring, you have to have someone who is designated authority in your company to do that. They have to be prepared to speak about their authority. They have to be prepared to speak at length about their program, and they need to be able to prepare to speak about, are you using third-party vendors? What are you using to satisfy your requirements?

I mean, I can tell you, having gone through so many of these sponsored bank due diligence discussions, the range of approaches by banks is still somewhat surprising. I have had due diligence sessions on my internal compliance and how we thought about it and managed it. That legitimately took three hours. I can think of one bank in particular, they had about five lawyers on. Each lawyer was a specialist in a particular area, whether it was privacy, infosec, it might have been overall compliance management. Some were KYC, AML, financial crimes, and they asked real questions. It was three hours of real in-depth, down in the weeds.

I've had other banks that asked far, far less. But if you want to be successful with your bank partner, you have to have someone who is prepared to go all the way down into the weeds on those real nitty-gritty KYC issues. Some of the other things, and this may sound simple. This is to me, one of the more important points, a proposed flow of funds diagram. That seems very basic. I can't tell you how many times we had conversations with potential sponsor bank partners. We all, in good faith, believe that we were speaking the same language. When it came time way later down the road to walk through the real particulars of the money, we discovered, and this happened more times than you would imagine, that we actually weren't speaking the same language.

You get that flow of funds on day one. Again, this could differ depending upon your particular business. But you get those flow of funds on day one. You'll be amazed at how much that helps to clarify the discussion between the bank and the FinTech. It's one of these things where I made the mistake several times before, frankly, before I learned. I thought we were all talking the same language. Basic, up-to-date org chart. Again, you are trying to sell the experience. This bank, you're going to be taking on some of the functions that they are required to do, maybe, depending upon your contract. They want to know that you've got the expertise, the gravitas, the experience to perform. Frankly, you're just going to pass the smell test.

When their regulator comes in to look at them and their program, you or your team going to raise red flags, because of a lack of experience for that bank. As you put that org chart together, remember, that's really what you're trying to do is just convince them, you are a group of seasoned professionals who know what they're doing. Then there is what I say, used to be about 1% of my job when I was in-house and then quickly, became about 30% or 40% of my job, which is infosec and privacy.

You have to be prepared, and you have to have someone who is prepared to discuss your infosec. I would say, 10 years ago, that conversation was, do you have an infosec policy? Yes, I have an infosec policy. Okay, that's sufficient. Now, they want to walk through that infosec. They're going to maybe even hire third-party external consultants to test your infosec. You have to be prepared to do that for real, not just high-level conversation.

In a perfect world, you've got your SOC 2, Type 2 audit already. In a less perfect world, you've got your SOC 2, Type 1. In a less perfect world, you have a plan to obtain your SOC 2, Type 2. Somewhere in there, you have to be prepared to answer all of those questions. If you have your SOC 2 Type 2, those answers are much easier, much, much easier. If you have nothing, be prepared to spend hours going through your infosec.

Chris Willis:

Jesse, that sounds like a great set of initial activities for a FinTech aspiring to a bank partnership, and it sounds like a lot, but then again, that just underlines how important it is to get that work done in advance of that initial approach to a bank. There's one other aspect that I'd want to ask you about, and that is using potentially a banking as a service partner, between the FinTech and the bank, can you talk to the audience about some of the benefits and some of the challenges of doing that, and what are the considerations that you might want to consider in terms of whether to do that or not?

Jesse Silverman:

Yeah. That's a great question. It's a very timely question. There are some material shakeups going on in the BaaS, banking as a service, universe right now. To me, the biggest benefit on this is just speed to market, right? You can go, here's a BaaS, they sit in the middle between the FinTechs and the sponsor banks. They have already established the APIs, the data flows with the bank. You're basically plugging into a BaaS, a service provider in the middle, while the bank is on the other side.

The number one benefit is speed to market, right? You can get your program up and running much faster, because that BaaS has already built out, what I call the highway, the information highway between the fintech and the bank. The other material benefit, and this is really where I see BaaS as a real game changer is redundancy.

If you're a payment processor, and all of a sudden, your bank goes down, or your bank goes under, and you only have one bank partner, your business goes to zero, right? It goes to zero quickly. There are, as I said earlier on, this is the most important relationship you've got as a fintech. It is one of the few partnerships, where if it goes bad, your business goes to zero. One of the material benefits of BaaS is that it allows you to have redundancy, because that BaaS provider sitting in the middle might have two, three, four sponsor bank partners on the other side.

I will say, as most of the people who are listening to this have probably seen the consent orders that have come out with several of the banks that work with BaaS sponsors. So, just generally, the Feds have found, FDIC has found inadequate staffing, inadequate risk control, inadequate KYC. It's clear that the regulators want these banks to do more. It's no longer acceptable to just come on as a FinTech, partner with a BaaS in the middle, and then have no contact with the bank. It's pretty clear that the relationship between the banks and the FinTechs must be direct.

They have to have direct conversations. They've got to directly negotiate the agreements. It's not okay to just rely on, for either side, either the bank, or the fintech to just rely on the BaaS provider in the middle. The biggest challenge, and where I've seen some of the biggest failings is who owns the compliance responsibilities? Is the fintech going to be performing KYC? Is the BaaS going to be performing KYC? In the unlikely circumstances, is the bank going to be performing the KYC on the customers? That right there is, if I have seen one area where there have been routine problems, it has been a lack of clarity over who owns what responsibilities. If you're starting out there today, or you're working with one now, I would hash that out the sooner, the better.

This gets back to what I was saying earlier, you don't really – it may feel, if you're a FinTech, it may feel like you want to bank with flexibility, you don't. You want to bank with certainty. They know who handles what roles. It's well defined. There is operational resilience in those systems. That to me is the key metrics of why you would choose a BaaS in between. You're going to get to market faster, and you're going to have potentially redundancy. That redundancy is a game changer, because if you're going direct, there's lots of benefits to a FinTech going direct to a bank, but it takes a lot of resources and time.

If you're going to have redundancy, you have to do that with more than one bank. It's a challenge, especially if you're an early stage FinTech, you've got limited resources, and you may just be saying, “You know what? I'm going to gamble. One bank, what are the chances of my bank going down, having a problem? I'm going to live with that risk.” Maybe that's okay for an early-stage startup. You might make that risk assessment. At some point, you need more than one bank, and that's just the rule of life for any choke point, where your business goes to zero.

Chris Willis:

Yeah, it makes sense. Now that we've talked to the audience about how a FinTech would prepare for a bank partnership, let's go to the stage where let's say, that's been successful, and now they're undergoing due diligence and onboarding with the bank partner. We've gotten to the next happy part of the life cycle. What should a FinTech company know about and prepare to do in connection with those due diligence and onboarding processes with a bank?

Jesse Silverman:

You have to ask these questions, you have to understand the requirements, but then you also have to recognize, what are the power dynamics in those relationships? You want to understand that, too. One of the keys is, when you first have that conversation, first of all, do as many conversations as you can on the phone, direct, not through email. It is so important. But understand, what's the timeline for that bank's process? Is that bank, do they expect to turn this around in seven days? Do they expect to turn it around in 47 days? What's their internal process? Do they have to go through a risk committee to bring you onboard? If so, how often does that risk committee meet? What's the approval process? What are the expected timelines?

There's quite often a mismatch between what a FinTech thinks is a “long time,” and what a bank thinks is a long time. Understanding that just saves so much headache down the road. Try and understand the timeline immediately. Then you're going to want to dig into what does the bank's CMS look like for your program? What does the compliance management system look like for your program? What data do they want to see? How often do they want to see that data? Then to that same question I mentioned earlier, who owns exactly what parts of the compliance management system, the regulatory compliance? These are very, very complicated things, complicated aspects of the business. The sooner you get that out, the better off everyone is going to be.

Like I said, some of this I chuckled to myself, because this is learning from my own mistakes. I can't tell you how many bank partnership conversations I had, where I didn't address these on day one. Then on day 47, I asked the question and I realized, what they expected wasn't viable. What they expected wasn't possible. What we expected of them wasn't actually what they did. I have burned so much time and so much energy making these mistakes by not asking these questions on day one.

Another important one, and this is always tricky, because people, especially the bigger the bank, the more protective they are of their tech time. The sooner you can get your tech team together with their tech team and talk about what onboarding would look like, what integration looks like, what's the timeline, and then really start to understand what is the data that they want to see and how will it be passed. Can you do it? Can they do it? I think there is a, maybe not a common misconception, but there is a general belief that banks are commoditized service providers. If you talk to a beginning FinTech startup, they think, “Oh, I can go to any bank and the bank will provide this service.” That's very, very, very often not the case. There are widely disparate technical capabilities amongst the banks. Even in areas that you would believe they absolutely have dialed in and buttoned up.

The sooner your tech team can talk with their tech team and really get down into the nuances, the better off everyone's going to be. Again, you want to understand the bank's compliance function. Are they going to be checking in with you weekly? Are they going to be doing it monthly? Are they going to just do surprise audits? Are they going to be doing no audits? One of the more, not the more challenging, but I would say, one of the areas where you routinely see a mismatch of expectations is in marketing copy.

I have seen several banks, bank partners that don't ask to review marketing copy. That has always surprised me and I didn't think it was best practice. I think that if there are still banks out there not reviewing marketing of their FinTech partners, those days are probably numbered. They're going to be doing more review of that. And understanding what marketing they want to review. Frankly, trying to understand what can you get free approval for? Can you develop some stock language that everyone can agree is safe?

Then what's the timeline going to be? That is one of the areas where I've seen some of the most chafing between FinTechs and their bank partners is, okay, bank, you're doing the right thing. You want to review my marketing. You're going to review that in two weeks, right? Whereas, the FinTechs, they survive because they're faster, right? They don't have access to cheap cost of capital like deposits. Most of the FinTechs have to survive, because they're doing something better. That thing that's better is usually speed. You've got a real potential for misalignment there in the speed of bank compliance review and the FinTech’s expectations of speed. Get that sorted out immediately on day one. You will save yourself lots of challenges.

Then ask the bank the tough question. Are you guys under any regulatory requirements? Have you guys been forced to offboard any partners? Because remember, we know some of these bank consent orders that are – the vast consent orders that are out there. There's no question that there are scores more that are not public. Try and understand, are they under any constraints themselves that could impact your program, impact your program's growth? Because these are big relationships to invest in. I think that those are challenging questions. I promise you, they are going to ask you if you have any regulatory challenges, if any of your executives have been individually named. I think you should feel comfortable asking them as well.

Chris Willis:

Well, sure. Honestly, both parties need to know what the landscape looks like from the standpoint of constraints, because if you're going to be in a partnership, you're only as good as your partner and you can only do what your partner can do. That makes total sense to me.

Jesse Silverman:

Absolutely. I just feel like, I have seen this many times, the power dynamics are such that the FinTechs, they don't want to ask too many questions, because they fear it might cost them a partner. I understand that drive in the short run. In the long run, it's problematic. You got to ask the questions upfront. If you can't get to good answers upfront, the chances of you having a problem down the line are materially increased.

Chris Willis:

Yeah, no kidding. Well, Jesse, I feel like this has been a great intro to doing a FinTech partnership. I know we're going to record some more episodes about other aspects of bank FinTech relationships. We've only just started to scratch the surface, but I wanted to thank you for being on the podcast today and sharing all these insights with our listeners, with of course, the promise of more to come in the future. Of course, thanks to our audience for listening today as well.

Don't forget to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. While you're at it, why not head over to our website at Troutman.com and add yourself to our consumer financial services email list? That way, we can send you invitations to our industry-only webinars, as well as copies of the alerts and advisories that we like to send out. Don't forget about our handy mobile app. It's available for both iOS and Android. Just look for Troutman Pepper in your app store. Of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.