What to Consider as Regulators Scrutinize Bank-Fintech Partnerships
Fintech partnerships, specifically banking as service arrangements, are changing the risk profile at community banks and require heightened risk management from executives and the board.
Banking as a service has evolved from the niche domain of certain community banks to a business line facilitated by software. The growth of the industry, and its concentration among small banks, has attracted the attention of the Office of the Comptroller of the Currency, and its Acting Comptroller Michael Hsu. Experts say that community banks should respond by increasing their due diligence and strengthening their risk management oversight, practices and processes ahead of potentially more scrutiny from regulators.
“The growth of the fintech industry, of [banking as a service] and of big tech forays into payments and lending is changing banking, and its risk profile, in profound ways,” Hsu said in prepared remarks at a conference hosted by The Clearing House and the Bank Policy Institute in New York City in September.
Banking as a service leverages an institution’s charter so a nonbank partner can offer banking products or services to customers. It creates a series of layers: A bank services a fintech, who offers products to a business or individual. And increasingly, the connection between the fintech and the bank is facilitated, partially or completely, by software that is in the middle of the fintech and bank relationship, called middleware.
One company that makes such an operating system is Treasury Prime, where Sheetal Parikh works as associate general counsel and vice president of compliance solutions.
“We’ve learned how to become more efficient; we have a lot of these banks with antiquated technology systems and cores that can’t necessarily get fintech companies or customers to market as quickly as maybe they could,” says Parikh.
While software and operating systems can make the onboarding and connections easier between the parties, it doesn’t ease the regulatory burden on banks when it comes to vendor due diligence and customer protections. A bank can delegate different aspects and tasks within risk management and fraud detection and prevention, but it can’t outsource the responsibility.
“The banks that do it [banking as a service] well have constant engagement with their fintechs,” says Meg Tahyar, co-head of Davis Polk’s financial institutions practice and a member of its fintech team. “You need someone at the end to hold the bag – and that’s always the bank. So the bank always needs to have visibility and awareness functions.”
Even with middleware, running a rigorously managed, risk-based BaaS program in a safe and sound manner is “operationally challenging” and “a gritty process,” says Clayton Mitchell, Crowe LLP’s managing principal of fintech. The challenge for banks adding this business line is having a “disciplined disruption” approach: approaching these partnerships in an incremental, disciplined way while preparing to bolster the bank’s risk management capabilities.
This can be a big ask for community institutions – and Hsu pointed out that banking as a service partnerships are concentrated among small banks; in his speech, he mentioned an internal OCC analysis that found “least 10 OCC-regulated banks that have BaaS partnerships with nearly 50 fintechs.” The found similar stats at banks regulated by the Federal Reserve and FDIC; most of the banks with multiple BaaS partnerships have less than $10 billion in assets, with a fifth having less than $1 billion.
Tahyar says she doesn’t believe Hsu is “anti-banking as a service” and he seems to understand that community banks need these partnerships to innovate and grow. But he has a “sense of concern and urgency” between fintech partnerships today and parallels he sees with the 2007 financial crisis and Great Recession, when increasing complexity and a shadow banking system helped create a crisis.
“He understands what’s happening in the digital world, but he’s ringing a bell, saying ‘Let’s not walk into this blindly,’” she says. “It’s quite clear that [the OCC] is going to be doing a deep dive in examinations on fintech partnerships.”
To start addressing these vulnerabilities and prepare for heightened regulatory scrutiny, banks interested in BaaS partnerships should make sure the bank’s compliance teams are aligned with its teams pushing for innovation or growth. That means alignment with risk appetite, the approach to risk and compliance and the level of engagement with fintech partners, says Parikh at Treasury Prime. The bank should also think about how it will manage data governance and IT control issues when it comes to information generated from the partnership. And in discussions with prospective partners, bank executives should discuss the roles and responsibilities of the parties, how the partnership will monitor fraud or other potential criminal activity, how the two will handle customer complaints. The two should make contingency plans if the fintech shuts down. Parikh says that the bank doesn’t have to perform the compliance functions itself – especially in customer-facing functions. But the bank needs strong oversight processes.
OCC-regulated banks engaged in fintech partnerships should expect more questions from the regulator. Hsu said the agency is beginning to divide and classify different arrangements into cohorts based on their risk profiles and attributes. Fintech partnerships can come in a variety of shapes and forms; grouping them will help examiners have a clearer focus on the risks these arrangements create and the related expectations to manage it.
What is clear is that regulators believe banking as a service, and fintech partnerships more broadly, will have a large impact on the banking industry – both in its transformation and its potential risk. Hsu’s speech and the agency’s adjustments indicate that regulatory expectations are formalizing and increasing.
“There is still very much a silver lining to this space,” says Parikh. “It’s not going anywhere. Risk isn’t all bad, but you have to understand it and have controls in place.”