Banks and fintechs should perform ‘trust exercises’ amid OCC scrutiny of BaaS

It may just be that banking-as-a-service (BaaS) providers and fintechs have grown into unique and now mature collaborators that justify updated and revised requirements from regulators. Earlier this month, Acting Comptroller of the Currency Michael J. Hsu spoke at The Clearing House and Bank Policy Institute’s Annual Conference, outlining the Office of the Comptroller of the Currency’s (OCC) official guidance for maturing requirements on bank and fintech partnerships.  

The OCC’s actions may appear to impose new requirements, but if past rules can be relied on, they will likely only impose best practices throughout an industry which may force immature companies out of the space, increasing the potential strength of those remaining but subjecting the harm that might flow from their market power to the federal regulatory structure. All that to say, sometimes you just have to move up to the next weight class.

In any case, we should remember that regulators are responsible for protecting consumers who obtain and use financial services products, even when we disagree on the details. Rather than shy away from these partnerships out of fear of more regulation, banks and fintechs alike should see this as an opportunity to strengthen their relationships with each other, regulators and their customers. 

Current regulatory landscape  

Put simply, the chartered bank holds the primary responsibility and risk for compliance in bank and fintech partnerships. However, this is an actively evolving space in the regulatory landscape. It’s important to point out that the OCC is just one regulator, and because it regulates larger national banks, it doesn’t actually oversee the majority of banks in the U.S. In our estimation, the U.S. federal prudential banking regulators will be joined by the FTC and state regulators to have the most meaningful impact in this space.  Following is a summary of where some key players in this regulatory space currently stand on bank and fintech partnerships:  

OCC 

In August 2021, the OCC published a 20-page guide directing community banks to conduct due diligence on their third-party fintech partners. Alongside Hsu’s recent remarks, the OCC notably ordered Blue Ridge Bank to increase its due diligence and its oversight of third-party fintech partnerships.  

Federal Deposit Insurance Corporation (FDIC) 

Although all banks are insured by the FDIC, many partner banks are community banks or mid-size banks, which are often directly regulated by the FDIC. The FDIC has a guide of its own on how banks should oversee third-party fintech partnerships. And, as the OCC and CFPB continue to be aggressive on this issue, we expect the FDIC to follow suit.  

Consumer Financial Protection Bureau (CFPB) 

Since being confirmed in 2021, CFPB Director Rohit Chopra has been outspoken about the close eye he is keeping on nonbanks in financial services. “To the extent that big tech companies are using the treasure troves of data, there needs to be some parity with local banks and other financial institutions that are following the law,” he said shortly after being confirmed.  

Federal Trade Commission (FTC) 

The FTC, a long-time consumer-focused regulatory body, participates in federal enforcement of a variety of consumer finance laws, including the Gramm-Leach-Bliley Act (GLBA), which regulates the treatment of nonpublic personal information of consumers by financial institutions. The FTC will continue to influence public policy — especially as it relates to privacy requirements at banks — which requires banks and fintech partners to level set this federal regulatory body against state and international privacy requirements. 

State regulators 

In the U.S., the financial services industry is subject to both federal and state regulations. Historically, states have never had much of an interest in regulating bank and fintech partnerships, likely because they keep companies from obtaining state licenses and decreasing revenue opportunities for states. State regulations vary on a state-by-state basis, with many states already beginning to increase their oversight of bank-fintech partnerships. State attorneys general have recently challenged bank partnerships as “rent-a-bank” to enable fintechs to avoid complying with state laws, particularly state usury laws. For this reason, states are now aligning with current federal agency challenges to the bank partnership model. 

Future of bank, fintech partnerships 

Partner banks will face deeper questions from examiners about their critical service providers to establish that they have appropriate oversight and control over their programs offered through fintech partnerships. Banks will need to be able to establish the integrity of their own third-party vendor management systems to demonstrate their partners are, in fact, in good condition and healthy enough to provide the services the bank is contracting. Banks don’t need to be scared of this or slow down their plans to partner with fintechs. They should assess their current vendor management program and ensure that it is sufficient. It’s always better to identify a problem yourself before regulators are at your door, and partner banks will increasingly need to prove to regulators that they are performing the proper due diligence on third-party vendors.  

For fintechs that already have a deep understanding of the highly regulated financial services space, it’s business as usual. A key responsibility of fintechs in bank partnerships has always been to enable their partner bank to meet their regulatory requirements — including compliance with the BSA and KYC/AML requirements, transaction monitoring and data security — and this is more important now than ever. 

For both banks and fintechs, this means they are going to have to strengthen trust with each other.  

Building a “trust partnership” 

I’m sure many of us have been at some sort of team-building retreat where we had to do a trust fall with a team member. To a certain extent, banks are doing a trust fall into their fintech partnerships. All they can really do is clearly communicate their regulatory requirements to their fintech partners and keep a close eye on them, but they also have to trust the fintech partners will follow the regulations.  

The onus is largely on the fintech to show the bank that they can be trusted with this critical task. But trust does not mean a lack of oversight over the fintech partners and their programs. Trust means establishing a working relationship and process that both meet the banks’ regulatory and risk requirements and supports the launch and expansion of the fintech program. 

Here are some tangible ways that fintechs and partner banks can nurture a trusting relationship: 

1. Hire competent compliance people. Fintechs must level-up their knowledge of the regulatory landscape. It starts with accepting and embracing that there is a “fin” component in fintech. There’s going to be increased oversight, there should be people at the fintech that understand regulations and can defend their programs. Look for people with proven experience in this highly regulated space who know the risks associated with it; 
2. Regularly communicate. The compliance and risk teams at banks and fintechs should be meeting weekly. Keeping the lines of communication open is important, especially because regulations constantly evolve; 
3. Respond quickly. Responsiveness in fintech and bank partnerships is crucial — non-compliance can have major financial and reputational implications for partner banks, so fintechs need to treat compliance matters as a high priority; and 
4. Get on a plane! Banking is still a very in-person, face-to-face industry. Jumping on a plane and having in-person meetings (and when you can’t meet in person, hitting the dreaded video-on button on your Zoom) will go a long way to build trust. 

Looking ahead 

The OCC’s recent remarks and enforcement against Blue Ridge Bank are just the tip of the iceberg. When you look at the OCC’s recent statements and couple that with an aggressive regulator like the CFPB, it’s just a matter of time until other regulators follow suit and continue tightening regulations on bank and fintech partnerships. This could trickle down to third-party infrastructure providers as well. Those providers should also be watching this space, hiring people that are equipped to navigate it and building trust partnerships with their bank and fintech partners.  

Clint Heyworth is the director of compliance at Alloy and brings almost 20 years of experience in the field to the company.