On July 25, 2024, the U.S. prudential bank regulators released a Joint Statement on Banks’ Arrangements With Third Parties To Deliver Bank Deposit Products and Services (Joint Statement),1 along with a request for information on bank-fintech arrangements (RFI) issued on July 31, 2024.2 These releases are the latest development in a trend of increased prudential and consumer protection scrutiny of deposit account practices and third-party relationship oversight. They also follow a significant increase in enforcement actions targeting banks’ relationships with fintech firms.
The Joint Statement and the RFI were issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC) and cover a wide range of topics, including technology systems, regulatory compliance functions, payment processing, customer service, and complaint and dispute resolution. The RFI solicits input on the nature of bank-fintech arrangements, including their benefits and risks, effective risk management practices and whether there is a need for greater supervisory guidance related to such arrangements.
Below we describe the risks and risk mitigation strategies described in the Joint Statement and certain areas of focus in the RFI, and summarize key takeaways for banks.
Elevated Risks Associated With Third-Party Arrangements
The Joint Statement highlights several “elevated risks” when using third-party arrangements, categorized as (i) “operational and compliance” risks, (ii) “growth” risks and (iii) “end-user confusion and misrepresentation of deposit insurance coverage.”3
Operational and compliance risks arise when banks hand over substantial control of key functions to a third party, according to the regulators. The Joint Statement cautions that, when substantially relying on third parties, there is a risk to “the integrity of the bank’s deposit function” stemming from “fragmented operations.”4 Furthermore, when a bank relies on a third party for activities such as maintaining the transaction system of record or performing compliance functions, the bank may be exposed to (i) risks from delays in providing information to consumers and (ii) risks regarding compliance with regulatory obligations. Such compliance obligations in the deposit context include requirements under the Electronic Fund Transfer Act and Regulation E to investigate and resolve certain payment disputes and under the Truth in Savings Act and Regulation DD to provide specified disclosures regarding consumer deposit accounts.5 Notably, the Joint Statement indicates that reliance on a third party to maintain deposit information can, in some circumstances, “lead to delays in end users’ access to their deposits,” which may be a reference to a recent highly publicized bankruptcy of a fintech middleware provider that reportedly has resulted in significant delays in customers accessing their funds held at depository institutions.
Other operational and compliance risks can arise when a bank does not have direct contractual relationships with a fintech partner’s contractors, when the bank does not have experience with new technologies or methods used by the third party, and from weaknesses in the bank’s auditing of the third-party relationship.
Growth risks can arise when the fintech or other third party is incentivized to promote growth in a manner that is not aligned with the bank’s regulatory obligations, including where operational and compliance risk management processes do not keep pace with rapid growth. Other growth risks include rapid increases in funding concentrations caused by business generated through third parties. Also, when a third party generates a significant share of a bank’s deposits, the bank may face liquidity risks that make the bank reluctant to terminate the third-party relationship. Furthermore, rapid balance sheet growth resulting from third-party arrangements may result in growth without the maintenance of commensurate capital.6
Risks of end-user confusion and misrepresentation of deposit insurance coverage can result when fintech companies directly solicit consumers for deposits: The Joint Statement warns that consumers may not understand that deposit insurance does not protect against losses resulting from the failure of the third party.7 In addition, the Joint Statement identifies potential risks of false advertising under 12 C.F.R. Part 328, Subpart B (False Advertising Rule), should there be omissions of material information regarding (i) the applicability of deposit insurance (which applies to the failure of insured depository institutions, as opposed to nonbank firms) or (ii) the requirements that must be satisfied to obtain pass-through deposit insurance coverage.8 This guidance aligns with the FDIC’s increased focus on false advertising of deposit insurance, including the FDIC’s revisions to the False Advertising Rule in December 2023,9 and several recent public letters to fintech companies asserting violations of the False Advertising Rule.10
Risk Management and Governance Practices
The Joint Statement reiterates and expands upon the existing guidance on effective third-party risk management practices,11 including in the following areas:
- Governance and third-party risk management. The Joint Statement indicates that banks can manage risk through policies and procedures governing organizational structures, lines of reporting, expertise and staffing, internal controls and audit functions. Furthermore, the Joint Statement maintains that banks can conduct risk assessments to assess controls for mitigating risk relating to specific third-party arrangements. The Joint Statement also notes that banks can engage in due diligence of third-party relationships, set appropriate contractual relationships (in addition to assessing situations where the bank does not have a direct contractual relationship) and establish monitoring routines to identify risks.12
- Managing operational and compliance implications. Banks can manage risk through maintaining a clear understanding of management information systems, including obligations and contractual reporting requirements, according to the guidance. Additionally, the Joint Statement affirms that a bank can develop and maintain risk-based contingency plans to address potential disruption or failure of a third party, including contractual provisions that facilitate the banks’ contingency plans. The Joint Statement also observes that banks can implement internal controls to mitigate risks in deposit functions, including dual control and separation of duties, data verification and issue resolution procedures. For effective compliance management of third-party relationships, banks should establish policies, procedures, oversight and controls to comply with consumer protection laws and regulations.13
- Anti-money laundering (AML)/countering the financing of terrorism (CFT)/sanctions compliance. The Joint Statement specifies that banks can manage risk through adequate policies, procedures, oversight and controls to meet AML/CFT requirements — such as monitoring for and reporting suspicious activity, customer identification programs and customer due diligence — and through compliance with sanctions regulations.14
- Managing growth, liquidity and capital implications. Banks can manage risk through establishing appropriate concentration limits, diversification strategies, liquidity risk management strategies and exit strategies and through maintaining adequate capital, according to the guidance. Furthermore, the Joint Statement notes that banks can perform analyses to determine whether parties are defined as deposit brokers and thereafter appropriately report brokered deposits.15
- Addressing misrepresentations of deposit insurance coverage. The guidance indicates that banks can manage risk through establishing policies and procedures for deposit-related arrangements with third parties to ensure compliance with regulations that prohibit misrepresentation of deposit insurance. The Joint Statement also affirms that institutions can implement policies and procedures, including provisions related to monitoring and evaluating activities, that facilitate access to deposit-related services or products.16
Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses
In the RFI, the prudential regulators seek information on three broad categories of bank-fintech arrangements, including (i) deposit-taking, (ii) payments (including card issuance and digital wallet capabilities) and (iii) lending activities. In addition, the RFI observes and seeks comments on the growth of bank-fintech arrangements relying on an intermediate technology platform to facilitate relationships between banks and other fintech companies and the implications of such relationships. Comments on the RFI are due September 30, 2024, although several trade groups have requested a 30-day extension to the deadline for comments.17
Consistent with the Joint Statement, the RFI identifies risk implications arising from bank-fintech relationships, including those relating to managing accountability between the bank and fintech partner, mitigating potential end-user confusion, managing rapid growth, developing robust concentration and managing liquidity risks. In a departure from the Joint Statement, the RFI also describes and seeks comments on the risks arising from use and ownership of data and customer information in the context of a bank-fintech relationships, including risks related to compliance with laws and regulations, operational challenges, and the ownership, use and nature of that data.
Finally, the RFI seeks comments on certain trends relating to bank-fintech arrangements, including the impact of these arrangements on financial access, innovation, competition and financial stability.
Recent Regulatory Focus on Deposit Activities and Takeaways
The Joint Statement and the RFI highlight the intensifying focus by federal financial regulators on risks associated with third-party relationships and deposit activities. For example, on July 30, 2024, the FDIC proposed rulemaking to revise rules for brokered deposits in order to reduce safety and soundness risks to banks, promote consistent reporting of brokered deposits and reduce some operational challenges and reporting burdens (which we will discuss in a separate client alert).18
The Joint Statement and the RFI also continue a recent trend of regulators focusing on legal compliance and consumer risks associated with deposit accounts. For example, the Consumer Financial Protection Bureau (CFPB) has challenged “junk fees” on deposit accounts and banking products in enforcement actions, rulemaking and guidance, with particular emphasis on overdraft fees and nonsufficient funds fees.19 The CFPB has also asserted that fees charged by banks in connection with consumer requests for information relating to deposit accounts, such as fees for requesting account balances, obtaining check images or account documents or researching accounts, may violate Section 1034(c) of the Dodd-Frank Act.20 Furthermore, the CFPB recently brought enforcement actions and issued guidance regarding concerns about the breadth and duration of account restrictions placed on consumer deposit accounts.21
Importantly, the Joint Statement and the RFI do not represent or purport to indicate a wholesale rejection of the bank-fintech partnership model. Rather, the RFI states that “[t]he agencies support responsible innovation and banks pursuing bank-fintech arrangements in a manner consistent with safe and sound practices and applicable laws and regulations” and that “[b]ank-fintech arrangements can provide benefits.” However, prudential banking regulators are clearly focused on ensuring that banks improve their oversight and management of arrangements with fintech companies. Accordingly, banks may want to analyze the Joint Statement and the RFI and assess their institution’s practices and controls for third-party relationships and deposit functions, with particular focus on fintech relationships involving deposit account generation. For example, as recommended by the agencies, banks could conduct, internally or with the assistance of counsel and/or others, risk assessments relating to third-party oversight and deposit activities. We will continue to monitor activity in this rapidly evolving regulatory environment.
_______________
1 Board of Governors of the Federal Reserve System, “Joint Statement on Banks’ Arrangements With Third Parties To Deliver Bank Deposit Products and Services” (July 25, 2024).
2 Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses, 89 Fed. Reg. 61,577 (July 31, 2024).
3 Joint Statement at 2-4.
4 Id. at 2.
5 Id.
6 Id. at 3-4.
7 Id. at 4.
8 Id.
9 FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo, 89 Fed. Reg. 3504 (Jan. 18, 2024).
10 FDIC press release “FDIC Demands Three Companies Cease Making False or Misleading Representations About Deposit Insurance” (March 19, 2024); FDIC press release “FDIC Demands Five Entities Cease Making False or Misleading Representations About Deposit Insurance” (Jan. 19, 2024); FDIC press release “FDIC Demands Unbanked, Inc. Cease Making False or Misleading Representations About Deposit Insurance” (Aug. 4, 2023).
11 See, e.g., Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37,920 (June 9, 2023).
12 Joint Statement at 5-6.
13 Id. at 6-7.
14 Id. at 7.
15 Id.
16 Id. at 8.
17 Letter from the American Bankers Association, et al. to the FDIC, Office of the Comptroller of the Currency and Board of Governors of the Federal Reserve System (Aug. 9, 2024).
18 FDIC, Notice of Proposed Rulemaking, Unsafe and Unsound Banking Practices: Brokered Deposits Restrictions (July 30, 2024).
19 See, e.g., CFPB, Fees for Instantaneously Declined Transactions, 89 FR 6031 (Jan. 31, 2024); CFPB, Supervisory Highlights, Issue 29, 3-6 (Winter 2023).
20 See, e.g., CFPB, Supervisory Highlights, Issue 34, 14-15 (Summer 2024); CFPB Advisory Opinion, Consumer Information Requests to Large Banks and Credit Unions, 88 FR 71279 (Oct. 16, 2023).
21 See, e.g., CFPB, Supervisory Highlights, Issue 34, 13-14.
[View source.]