The proliferation of Fintech startups in the lending industry has given rise in recent years to a variety of collaborative partnerships between Fintech companies and traditional banking institutions. This collaboration paradigm shift from disruption to partnership poses unique regulatory challenges for banks and financial regulators alike. This practice note outlines the banking regulations applicable to the Bank-Fintech partnership model, as well as the regulatory considerations and implications emerging from this new business model.
Online marketplace lending is one of the fastest-growing segments of the financial services industry. Leveraging alternative business models and digital innovation, Fintech companies are radically redefining the lending and payments sectors at a faster pace than ever before. While most banks rely on conventional underwriting models to make credit decisions, Fintech lenders use sophisticated, automated algorithms and aggregated, alternative data to evaluate a borrower’s creditworthiness. Fueled by the influx of Fintech companies and their innovative advancements in the lending and payments industries, analysts indicate that an estimated $4.7 trillion of financial services revenues will be displaced by this new breed of non-bank lending within the next three years.
Proving to be a disruptive force in the payments sector, Fintech companies are altering the payments landscape by replacing legacy bank payment systems—the hallmark of traditional banking—with innovative, cutting-edge technologies such as mobile wallets, digital currency, and cryptocurrency transactions. These advancements in payment technologies are driven by the growing capabilities of digitally driven Fintech companies and are gaining traction. Fintech companies have ushered in a new era of payment solutions that is outpacing and outmaneuvering the traditional banking industry.
Equally compelling, Fintech companies are helping banks improve their security protocols by implementing biometric authentication and identification in the digital lending process. Biometric technology is the use of physical characteristics—or biometric identifiers such as fingerprints and iris scans—to protect and authenticate customer identity. Fintech companies offer banks unparalleled biometric solutions to provide stronger data protection and a more secure and convenient means of authenticating identification. Industry experts predict that biometrics will be the predominant source of customer authentication across all major banking channels in the near term.
As marketplace lending continues to evolve and expand, banks are increasingly partnering with Fintech companies to leverage their digital innovation and technological expertise. Referred to as the “rent-a-charter” or “rent-a-bank” arrangement in the lending space, Fintech firms primarily rely on the partnership model to benefit from the bank’s established customer base, increased access to capital and liquidity, and federal preemption of state lender licensing and usury laws.
Under the National Bank Act (NBA), national banks and their affiliated non-bank companies may generally charge the lawful interest rate of their home state, regardless of the state usury laws of the consumer’s home state. National banks are also generally exempt from state licensing requirements. Fintech lenders partnering with a national bank may, therefore, make loans above state usury limits and avoid state licensing requirements. This is especially appealing for the growing number of Fintech installment lenders who offer high-interest, short-term micro loans across several states.
In other areas of financial services, banks are looking to position themselves at the center of this new digital era by collaborating with Fintech companies through venture capital investments and sponsorship of Fintech incubator programs. Whatever form the collaboration takes, a growing number of traditional financial institutions are moving towards the partnership model to benefit from the creativity, innovation, and flexibility offered by non-bank Fintech players in the industry.
In response to the growing number of Fintech companies and Bank-Fintech partnerships, federal regulators began developing the regulatory framework for the marketplace lending industry in 2016. While still in the nascent stages of development, regulators are placing an emphasis on the need for robust vendor oversight and ongoing risk management in connection with this new partnership model. The Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) each have issued regulatory guidance governing the bank’s selection and management of third parties, such as Fintech companies. A summary of key regulatory considerations governing the Bank-Fintech partnership model is provided below.
Third-Party Risk Management
Financial institutions are required to maintain a robust risk-management program to monitor and control the risks associated with third-party relationships. The FRB, the FDIC, and the OCC each have statutory authority to supervise third-party service providers that contract with their regulated financial institutions. The CFPB may also exercise direct supervisory and enforcement authority over third-party service providers of consumer financial products and services.
Persons or entities providing material services to a bank in connection with a financial service or product are subject to regulatory oversight. Fintech companies provide material services to banks such as payment processing, loan underwriting, loan servicing, and funding and, as such, are subject to the bank’s risk-management procedures for the selection and monitoring of third-party service providers.
An effective risk-management program includes analytical processes to identify, measure, manage, monitor, and control the bank’s exposure to third-party risk throughout the life cycle of the relationship.
Key components of an effective risk management program include:
- Risk assessment
- Due diligence
- Written contracts that outline the rights and responsibilities of all parties
- Ongoing monitoring
- Contingency plans for terminating the relationship
- Oversight and accountability
- Documentation and reporting
- Independent reviews
Prior to partnering with a Fintech company, a bank is required to perform a risk assessment to ensure that the proposed relationship is consistent with its strategic planning and overall business strategy. This entails an analysis of the benefits, costs, legal aspects, and potential risks associated with the proposed partnership. Specifically, banks must analyze and understand the nature of the following risks in the context of any proposed relationship with a Fintech company:
- Reputation risk
- Strategic risk (e.g., adverse business decisions)
- Operational risk (e.g., loss resulting from inadequate or failed internal processes, people, systems, or external events)
- Compliance risk
- Transaction risk (e.g., failure to perform as expected adversely impacting customers or the bank)
- Credit risk
Depending on the vendor agreement, other considerations may include liquidity, interest rate, legal risks and exposure, price, and foreign currency translation risk.
Third-Party Due Diligence
The scope and depth of due diligence to be performed is commensurate with the level of risk and complexity of the third-party relationship. It should be noted that guidance issued by the OCC and FDIC provides for substantially similar qualitative and quantitative elements of vendor due diligence and third-party risk management.
Guidance published by the FRB addresses the same pillars of an appropriate service provider risk-management program as published by the OCC and FDIC.
While CFPB’s published guidance is very limited, it broadly highlights the same elements for a vendor management program as its sister federal bank regulatory agencies.
In sum, regulatory guidance on managing outsourced risk and third-party relationships requires the following:
- Risk assessment
- Due diligence
- Contract structuring and review
- Ongoing vendor management
- Documented internal controls and processes
On June 7, 2017, the OCC issued a set of frequently asked questions (FAQs) to supplement its 2013 guidance on managing third-party risk. The FAQs specifically address bank relationships with Fintech companies and the need for banks to conduct in-depth due diligence and ongoing monitoring if the Fintech company performs services or delivers products on behalf of the bank.
The OCC provides additional guidance for banks looking to partner with start-ups and early-stage Fintech companies that support the bank’s critical activities. Referencing the OCC’s 2013 guidance, critical activities can include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that:
- Could cause the bank to face significant risk if a third party fails to meet expectations
- Could have significant bank-customer impact
- Require significant investment in resources to implement third-party relationships and manage risks
- Could have major impact on bank operations if the institution has to find an alternative third party or if the outsourced activities have to be brought in-house
A challenge for banks partnering with start-up and early-stage Fintech companies is that such institutions may not receive all the information they seek or deem necessary to perform the appropriate level of due diligence. In this instance, the FAQs make clear the OCC expects the bank’s board of directors and management, at a minimum, to:
- Develop appropriate alternative ways to analyze these critical third-party service providers
- Establish risk-mitigating controls
- Be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple telecommunications lines both in and out of critical sites)
- Make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants
- Retain appropriate documentation of all their efforts to obtain information and related decisions
- Ensure that contracts meet the bank’s needs
As mentioned, many Fintech lenders use sophisticated algorithms to evaluate a borrower’s creditworthiness. Most, if not all, of the loan transaction is conducted online through automated processes using predictive credit models, real-time aggregation of alternative data, and advanced payments technologies. The digital innovation developed by Fintech companies may also include proprietary systems for loan servicing and debt collection. Supervision of technology service providers (TSPs), as well as of the acquisition, use, and storage of nonpublic, private data, is principally governed by guidance issued by the Federal Financial Institutions Examination Council (FFIEC), an interagency council empowered to prescribe uniform standards and principles for the federal examination of financial institutions, comprising the federal bank regulatory agencies—the FRB, FDIC, NCUA, OCC, and CFPB.
The FFIEC’s “Supervision of Technology Service Providers” booklet (TSP Booklet) outlines the agencies’ risk-based standards and protocols related to the use and storage of sensitive customer data. It is critical for banks to ensure Fintech companies adhere to these standards through a risk-based assessment of the company’s policies, data security procedures, testing standards and results, and administrative controls and system access.
The risk assessment process should consider all business lines in which the Fintech company engages to ensure that all covered services are effectively included.
The TSP Booklet includes guidelines governing the following areas of risk:
- Business Continuity Planning
- Development and Acquisition
- Electronic Banking
- Information Security
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
Privacy rules govern when and how financial institutions may share nonpublic personal information about consumers with third parties not affiliated with the financial institution. In addition to data security concerns, banks should assess the Fintech partner’s compliance and operational policies and procedures for the collection and maintenance of consumer information under applicable federal privacy laws. At a minimum, the company should be required contractually to maintain sufficient safeguards to protect sensitive customer data. Pursuant to the bank’s vendor management program, the bank should periodically assess whether the Fintech company is actually safeguarding such information.
Key federal privacy laws include the following:
- Gramm-Leach-Bliley Act (GLBA). This law establishes requirements for financial institutions to provide privacy protections to consumers. Specifically, the GLBA requires companies offering loans or financial products to notify consumers about their information-sharing practices and to safeguard sensitive nonpublic personal information (NPI). This law also limits when companies may disclose a consumer’s NPI, and requires opt-out notices in addition to those required under the FCRA.
- Fair Credit Reporting Act (FCRA). This law requires a permissible purpose to obtain a credit report, notice by creditors who take adverse action based on credit reports, and policies and procedures to ensure the accurate reporting of consumer information to credit bureaus.
- Federal Trade Commission Act (FTC Act). This is a federal consumer protection law that prohibits unfair or deceptive practices, and has been applied to offline and online privacy and data security policies.
All banks are required to have adequate policies, procedures, and controls to help ensure that individuals and criminal enterprises are not using banks as intermediaries for identity theft, fraud, money laundering, terrorist financing, or other illegal activities. Know Your Customer (KYC) guidelines were introduced in 2011 as part of the PATRIOT Act and set forth a mandatory framework for the assessment and monitoring of customer risk. Identity verification and customer due diligence are the two key requirements of KYC compliance.
Customer identification requires that financial institutions collect specific information from their customers and verify their identities using prescribed procedures under a written Customer Identification Program (CIP). Pursuant to regulations issued jointly by the Financial Crimes Enforcement Network (FinCEN) and the federal regulators, financial institutions are required to have a risk-based program that implements reasonable procedures in the following three areas:
- Verifying the identity of any person seeking to open an account, to the extent reasonable and practicable
- Maintaining records of the information used to verify the person’s identity, including name, address, and other identifying information
- Determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency
Financial institutions are responsible for blocking transactions and freezing assets that involve the countries, companies, or persons that are the subject of economic sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC). OFAC, an agency under the Department of the Treasury, publishes lists of these sanctioned entities. Generally, OFAC compliance procedures require financial institutions to compare new customer and non-customer transactions against the published OFAC list.
Fintech companies that fail to implement an adequate CIP to ensure KYC compliance do so at the risk of severe penalties and fines. However, given technological advancements in the emerging Regtech sector, banks are replacing their legacy, manual KYC-related processes with more efficient, automated, digital solutions offered by Fintech companies for customer on-boarding and due diligence. In this regard, Fintech companies have introduced new, digital capabilities to significantly improve current bank processes in the domain of KYC compliance.
Bank Secrecy Act
The Bank Secrecy Act (BSA) and its implementing Anti-Money Laundering (AML) rules require financial institutions to assist government agencies in detecting and preventing money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments; to file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount); and to file suspicious activity reports (SARs) on activity that might indicate money laundering, tax evasion, fraud, or other illicit activities.
Fintech companies whose business model relies on the exchange of money are subject to BSA regulations. Digital wallets, mobile payment systems, and peer-to-peer transfer systems are money services businesses (MSBs) subject to BSA reporting and compliance requirements. Additionally, marketplace lenders under the Bank-Fintech partnership model are subject to BSA/AML laws and regulations. Moreover, BSA/AML risks may be heightened for many Fintech companies given the anonymity and speed of services offered through an online, digital environment. Banks will need to evaluate whether and how a proposed collaborative partnership will affect the bank’s compliance risk profile, as well as ensure the Fintech company is properly managing its AML risks.
In response to this changing landscape, banks are finding creative ways to collaborate with Fintech companies, from direct capital investments to sponsorship of Fintech incubator programs. Being inherently digital, Fintech companies offer banks unparalleled technology solutions in the lending, servicing, payments, and data security sectors. Moreover, Fintech companies are transforming legacy bank business models through artificial intelligence, machine learning, and big data to deliver powerful insights into customer behavior and advanced analytics to improve efficiency, increase profits, and significantly improve customer experience.
This collaboration paradigm shift and emerging Bank-Fintech partnership model poses significant challenges for partner banks and regulators. As regulators are looking to devise new rules and strategies for oversight, regulatory guidance makes clear that institutions must evaluate potential risks (such as strategic, compliance, operational, and transactional) and establish risk-mitigating controls. Banks, at a minimum, should conduct comprehensive third-party due diligence commensurate with the level of risk and complexity inherent in the proposed Bank-Fintech partnership. Firms and practitioners alike should incorporate applicable regulatory guidance in establishing effective partnerships involving banks and Fintechs.
This article was published in LexisNexis® Practice Advisor Journal™