Technology is playing an increasingly central role in banks’ strategic plans. Now more than ever, banks rely on technology to deliver products and services, improve processes and the customer experience, acquire new customers and grow.
When it comes to new technology, banks essentially have four options: build it, license it, partner with a third party or buy it. Traditionally, only the largest banks had the resources and inclination to build technology in house; however, some smaller banks are now dedicating resources to developing technology themselves.
Much more commonly, banks obtain technology solutions from their core processors or other vendors. Over the last several years, there has been a proliferation of banks partnering with fintech companies to deploy their technology, or for banks to provide banking services to a customer-facing fintech company. As banks become more tech-centric, more are likely to explore acquiring fintech companies or fintech business lines. Each approach carries with it unique advantages, disadvantages, risks and legal and regulatory considerations.
The federal bank regulatory agencies have been especially active in recent years in the bank/fintech partnership space. In July 2021, the agencies published proposed updated interagency guidance on managing risks associated with third-party relationships, which includes guidance on relationships with fintech companies. Later in 2021, they released a guide intended to help community banks conduct appropriate due diligence and assess risks when considering relationships with fintech companies, and the Federal Reserve Board published a white paper on how community banks can access innovation by partnering with third-party fintech companies. Prior to that, the Federal Deposit Insurance Corp. published a guide intended for fintech companies interested in partnering with banks. These pronouncements indicate that while the agencies are generally supportive of banks innovating via fintech partnerships, their expectations for how banks conduct those relationships are increasing.
As technology and the business of banking become more intertwined, banks need to remain mindful not only of regulatory guidance on these partnerships specifically, but on the full spectrum of laws and regulations that are implicated — sometimes unintentionally — by these relationships. For example, partnership models that involve banks receiving deposits through a relationship with a fintech company could implicate the brokered deposit rules, which the FDIC updated in 2020 to account for how banks use technology to gather deposits.
As another example, partnership models that involve a fintech company offering new lending products funded by the bank, or the bank lending outside of its traditional market area, can raise fair lending and Community Reinvestment Act considerations, and potentially expose the bank to a heightened risk of regulatory enforcement action. Banks must keep in mind that when offering a banking product through a fintech partnership, regulators view that product as a product of the bank, which the bank must offer and oversee in accordance with applicable law and bank regulatory guidance.
What’s Next
Although bank/fintech partnerships have been around for some time, the amount of recent regulatory activity in this area suggests the agencies believe that many more of these partnerships, involving many more banks, will develop.
As the partnership model matures, more banks may become interested in developing closer ties with their fintech partner, including by investing cash in their fintech partner. Banks may be motivated to explore an investment to make its relationship with a fintech partner stickier, allow the bank to financially share in the fintech partner’s growth or enhance the bank’s attractiveness as a prospective partner to other fintech companies.
Banks considering investing in a fintech company or a venture capital fintech fund must understand not only the regulatory expectations associated with fintech partnerships generally, but also the legal authority under which the bank or its holding company would make and hold the investment.
As some banks start to look and operate more like technology companies, more may explore acquisitions of entire fintech companies or fintech business lines or assets. In addition to the many business and legal issues associated with any M&A transaction, banks considering such an acquisition have to be especially focused on due diligence of the target fintech company, integration of the target into the bank’s regulatory environment and ensuring that the target’s activities are permissible for the bank to engage in following the transaction.
Banks need innovative technology to succeed in today’s fiercely competitive financial services marketplace. Some will build it themselves, others will hire technology vendors or partner with fintech companies to deploy it and some will obtain it through acquisition. As banking and fintech evolve together, banks must understand and pay careful attention to the advantages and disadvantages, and legal and regulatory aspects, of each of these approaches.
First, have a whistleblower policy/program in place, now, so that if/when a claim arises, the board is prepared to handle it effectively, appropriately and lawfully. All employees should be trained on the policy and encouraged to report up the chain, pursuant to the policy, any corporate misconduct they discover. It is far better in the end if the bank self-discovers and remedies the problem, than if the government does it for you. Second, work hard to maintain the confidentiality of the whistleblower. Maintaining confidentiality, and even anonymity, helps to ensure no retaliatory action is taken against the reporting employee. At all costs, avoid retaliation. Finally, conduct an independent internal investigation, and do so with the understanding that the reported misconduct could lead to criminal and/or civil litigation. Engage your legal counsel early in the process to ensure preservation of evidence and legal privileges.
Banks should handle possible whistleblower complaints very seriously. Regulatory agencies have shown a more severe response to banks over the last few years and whistleblower complaints can reinforce a perception, however inaccurate, that some banks do not have a proactive approach to compliance issues generally. Banks should have procedures for dealing with such claims and allow employees to air their concerns without fear of reprisal. Some may wonder whether this approach may encourage the raising of false claims, but at least banks would have an opportunity to triage employee concerns and demonstrate that they take those concerns seriously.
Bank boards should authorize their audit committees to handle complaints concerning securities law violations. An audit committee’s charter should make clear that the committee may retain appropriate advisors to investigate such complaints. The board should also ensure that management promulgates guidance for internal reporting on violations. Employees should be encouraged to report violations to appropriate representatives of the compliance, internal audit or legal staff. Recipients of complaints about violations should be instructed to forward them to the chairperson of the audit committee. Upon receipt of a complaint, the chairperson should ensure that it is investigated thoroughly. If no violation is found, the complainant should be so informed within 120 days after the complaint was made. If a securities violation is found, the bank should decide whether to report the violation to the Securities and Exchange Commission. A report to the SEC should be made within 120 days after the complaint was made.
Both public and private banks have potential exposure to Dodd-Frank and Sarbanes-Oxley whistleblower claims. Therefore, a bank should have proper compliance and anti-retaliation policies in place (reviewed regularly) setting forth behavioral expectations, encouraging reporting, and establishing protocols for handling reports. The bank should also designate a team to investigate and respond to reports. All employees should be thoroughly trained regarding these policies and, in particular, managers should be trained to identify when an employee is reporting and the need to escalate the report within the organization, as many employees do not use “hotlines” or Internet-based reporting mechanisms. Most important, the bank’s senior leadership must lead by example. Senior leadership needs to sincerely and repeatedly promote the virtues of the bank’s compliance, ethics and code of conduct policies. Reporting questionable conduct, no matter how insignificant, must be genuinely encouraged. And finally, senior leaders must demonstrate integrity in all that they do.
Whistleblower complaints need to be treated seriously. Avoid the temptation to view all whistleblowers as disgruntled employees who are asserting claims against innocent individuals to further their own selfish goals. Failure to promptly address a legitimate complaint will only exacerbate the problem. Regulators look favorably on companies that take prompt action and see them as having strong and effective management. The opposite is true for companies that are unresponsive or hostile to employees’ concerns. Plus, treating whistleblower complaints seriously sends the message that employees will be treated fairly and sets a tone at the top that should foster stronger ethical behavior within the company. The board needs policies and procedures for investigating whistleblower complaints and coordinating corrective action and must communicate them to employees. Doing so will create the conditions necessary for the effective management of whistleblowing.
It is my belief that the criminal prosecutions at the larger banks are intended to have a preventative effect on smaller or regional banks. The idea is that if they can go after the big guys then they certainly can go after those of us that are smaller as well. But, smaller organizations should use it as a marketing strategy to show the differences between the large banks and more community or smaller banks who are not engaged in the types of activities that draw scrutiny.
The danger is that smaller banks may conclude that the Department of Justice (DOJ) would consider criminal penalties for only the largest, and possibly non-US banks. In reality, it is very possible that under the right circumstances, the DOJ could seek a criminal conviction of a smaller bank. For example, if a bank has committed [anti-money laundering] violations on several occasions, DOJ might want to make an example for similar institutions. It’s happened at least once before, although with different facts. Moreover, the possible systemic repercussions of such a prosecution could be perceived as relatively minor. There have been complaints that DOJ has not brought enough criminal cases following the financial crisis, so widening the net to include smaller entities may be perceived as a credible response to those criticisms.
Nothing. There’s a rush to say that holding gigantic institutions criminally accountable means that smaller institutions will be next. But that doesn’t apply here, where you have criminal sanctions for conduct that occurred back in 2006 to 2007. Nothing changes this past conduct —the sanctions are aimed at punishment instead of other common goals (like deterrence, incapacitation, rehabilitation, or restitution). The lesson is more subtle: In the big banks’ bad conduct, licensed professionals knew what was going on but didn’t stop it. Absent collusion by the people entrusted to serve as gatekeepers to the financial system, the mortgage-backed securities could not have made their way into the mainstream and contributed to the market crash. So the easiest way to avoid criminal accountability is to maintain the integrity and independence of your gatekeepers. That’s what the big banks failed to do—and why they were held criminally accountable.
Attorney General [Eric] Holder famously asserted that while a corporation could be prosecuted just as any other “person,” prosecutors should consider the “collateral consequences” on “innocent third parties” including the “corporation’s officers, directors, employees, and shareholders.” Criminal prosecutions of large banks have potentially huge collateral consequences. These collateral consequences are not as pronounced with regard to a smaller bank, but nevertheless will (and perhaps should) cause the prosecutor to think twice. On the other hand, it is also easier for a prosecutor to prove criminal intent in a smaller institution, which is less layered and siloed.
A slow reaction to a problem can result in more than just a bad day in the office. The biggest headline was not the recall. The media focused on the fact that General Motors knew about the problem long before the recall and failed to react resulting in lawsuits, congressional hearings and calls for boycotts, all of which have negatively impacted the automaker’s reputation and bottom line. Bankers should take notice of such missteps in responding to potential cyber-attacks launched at their institutions. It is not enough to simply have security measures in place. Directors also need to ensure that their institutions have proper response policies to react quickly to minimize potential damage to customers and to take corrective measures to address the cyber-attacks head on. Failing to respond in a timely manner can result in more than just a few angry customers and can expose the banks to regulatory and legal penalties.
It appears there was little enterprise risk management stressed and in place at General Motors. The General Motors situation has taught us the need to encourage/require employees at any level of a bank hierarchy immediately to report problems so that material issues can be handled and solved by executive management with reports, if necessary going to the full board. Bank employees must not hide material issues. When discovered, the issues may lead to very embarrassing situations for the bank and its parent.
GM probably learned a few lessons from the experience of the banking industry and was more prepared to navigate the horror of becoming a public whipping boy. When something has gone terribly wrong inside a large organization, it’s terribly important to get on top of the facts as soon as possible. And that’s not easy. To avoid embarrassment and compounding the problem, you have to resist the temptation to speak before you have assembled the facts. Measure your statements carefully, and support them with facts identified by an investigation by an outside firm and reported to the board or committee of the board charged with overseeing the investigation. [CEO] Mary Barra deserves serious praise for her authentic brand of leadership in the midst of a corporate crisis.
The GM ignition switch debacle is nothing new and merely underscores a series of well-known precepts that directors should internalize as official bank policy. Playing ostrich never works. Problems must be faced, not ignored in the hope they will disappear. Cover-ups never work either. The underlying problem always comes to light, and the consequences in terms of reputation risk, regulatory risk, and legal risk end up being exacerbated, and any judgments and penalties enhanced. When an issue is identified by any employee, including even the lowest level employee, steps must be taken by management promptly to investigate the issue and, if it is significant, bring it to the board’s attention and implement a strategy to address it. The board should have a crisis management policy in place for handling really serious issues; this will entail assembling a team of specialists to handle the public relations, compliance, security, IT, and legal components of the problem, including where necessary, an internal investigation.
I would have to say that the biggest impact, at least from the perspective of community banks, has been the cloud of regulatory uncertainty that the CFPB has cast over those institutions, and the resulting impact on their bottom line. While community banks are not directly regulated by the CFPB, they are still subject to much of the same rulemaking by the agency as are the big money center banks. Even where community banks are specifically exempted from CFPB regulation, those regulations nonetheless tend to serve as standards or competitive baselines for smaller institutions. It is difficult, as a result, to anticipate the infrastructure and resources needed to stay ahead of the regulatory curve. As a result, community banks are forced to beef up their compliance departments, or outsource oversight of those responsibilities, creating disproportionately higher overhead for such banks as compared to larger institutions.
The CFPB’s biggest impact has not been through any regulations it has enacted, nor has it been through its own enforcement of consumer protection laws. No, its biggest impact has been indirect—by heightening the emphasis on consumer protection and leading to a dramatic increase in civil money penalty (CMP) actions by federal bank regulators for alleged unfair or deceptive acts or practices (UDAP). In 2013, the FDIC imposed CMPs against banks 89 times, 16 of which were for alleged UDAP violations. At 18 percent of all bank CMP actions, this is a near doubling from 2012 and three times the percentage in 2011. Expect these percentages to keep growing. Once bank regulators have identified an industry “problem,” they do not change course until the next flood, financial crash or other newsworthy event redirects their attention. And the CFPB has barely begun its own enforcement actions under the new unfair, deceptive, or abusive acts or practices law.
The question of whether a bank should settle when hit with a lawsuit in connection with an M&A deal, and if so when, depends heavily on the circumstances. The reality is, however, that these shareholder class action suits are essentially a given in any transaction involving a publicly traded seller. In nearly all cases, regardless of the circumstances, the plaintiffs’ lawyers will assert, first, that the directors breached their fiduciary duties in connection with the sales process that was followed and in accepting the deal terms that were agreed and, two, that the disclosure in the proxy statement issued in connection with the shareholder meeting to approve the transaction is deficient. A well advised board will be aware of this reality and plan accordingly. As a practical matter, these suits rarely are an impediment to a transaction and should certainly not dissuade a board from pursuing a transaction that is in the best interests of the shareholders.
Like so many questions the answer lies in the particular facts and circumstances. But the automatic inclination to settle these strike suits has dissipated somewhat as management, and more importantly judges, have shown less patience with these types of suits, and as a consequence, awarded increasingly nominal amounts of attorney fees, if any at all. This cottage industry of the plaintiffs’ bar grew up in the era of large bank mergers where these types of suits and settlement amounts were viewed simply as mere nuisances. As the transactional activity has moved to the smaller bank market, so have the plaintiffs lawyers. But these suits have also taken on greater meaning for middle market transactions. The CEO of a bank that intends to engage in multiple acquisitions should seriously consider contesting the first strike suit to send the signal to the plaintiffs’ bar that this bank will not be easy prey.
While these actions ostensibly seek monetary relief, such as an increase in the merger consideration, most of them ultimately settle on terms that call for some additional disclosures to the shareholders in advance of the vote on the transaction, and, of course, an attorney’s fee award for the plaintiffs’ lawyers. There are two primary reasons for these settlements. First, the risk, however small, of having a large transaction enjoined or otherwise disrupted is often seen as outweighing the relatively minimal nature of the settlement relief. Second, a settlement is not without its benefits, as, once approved by the court, the settling defendants can obtain a full and complete release of any claims that were or could have been brought by the shareholders in connection with the merger transaction.
The decision to settle depends, in part, on the nature and size of the deal. Why settle an unmeritorious lawsuit? The threat of delaying a merger transaction can kill the deal, so settling by agreeing to provide some additional disclosures, paying the plaintiffs’ attorneys’ fees and making a token payment to shareholders often makes sense. Acquirers often factor this so-called merger tax into their purchase price considerations to assure that the transaction gets completed. Be careful, though—paying the merger tax can result in higher future directors and officers (D&O) insurance premiums, or larger retentions under those policies. On the other hand, some acquirers in states with favorable business judgment statutes and a reasonable judiciary are fighting unmeritorious lawsuits. Those challenges show an impressive win-loss ratio for boards. Also encouraging is that some courts have dismissed the suits outright or refused to approve settlements and the attorneys’ fees provided in them.
More and more, I find myself to be in [Federal Deposit Insurance Corp. Vice Chairman] Tom Hoenig’s camp. Regulations have become monstrously complex. The Basel III regulations are more than 900 pages. If the question is whether higher minimum capital ratios and liquidity requirements make sense, I would say sure, but 900 pages? Beyond the complexity, there is considerable administrative burden even for community banks. I laugh when I read what amount of time regulators say is needed to comply with new regulations. They must all be masters of Evelyn Wood’s Reading Dynamics. I needed over two weekends just to read the first 280 pages of regulation.
Basel III is good for banking in that it directs the industry back into the more conservative role of a traditional financial intermediary rather than the high growth, boom or bust mentality that was so pervasive in the industry in the early to mid-2000s. The Basel III rules, in a general sense, promote more modest risk-taking by banks. The rules also moderate growth through limiting leverage for those institutions that have more aggressive asset mixes. By doing this, the rules will help curb competition that is strictly based upon which institution is willing to take the most risk. Hopefully, these rules will lead the industry back into an environment in which the most successful institutions are the smartest, not just the most aggressive.
Yes and no. People generally accept that banks should have had more capital prior to the recent financial crisis, but Basel III has clear weaknesses. The problem lies in recognizing that overly complex rules and prohibitively high capital levels can be incompatible with increasing economic activity or at least contribute to driving borrowers to the shadow banking environment. The key is to understand the interrelationship of new requirements in addition to Basel III, both national and international, both imposed by Dodd-Frank and independently by bank regulators, to recognize that the cumulative effect of those rules may be more onerous than at first supposed.
It’s a mixed bag. Since all U.S. banks will be required to hold more capital, especially common equity, than under the existing rules, they will be more likely to absorb significant losses and thus may be less likely to fail. However, in order to raise or maintain additional common equity, banks still have to deliver attractive returns to their shareholders. The cost of additional capital, plus the compliance burden arising from more complex rules, makes it too early to tell whether banks will succeed without cutting back on the availability of credit. The Basel III rules also create disincentives for smaller U.S. banks to expand through M&A transactions instead of organic growth. That could act as a brake on consolidation and affect the competitive landscape between banks of different sizes.
The application and implementation of Basel III to community banks is unnecessary. Community banks were not the cause of the troubles leading up to the Great Recession. Then, as now, most healthy community banks have more capital than will be required in 2015. When deemed necessary for safety and soundness, troubled institutions often have increased capital ratios imposed on them by their regulators. This has not changed, nor should it. Basel III may have the undesired effect of driving more consolidation of healthy community banks because they will not be able to profitably keep up with increased regulatory compliance costs, new CFPB rules, information technology advances, along with maintaining higher capital standards. This will be our loss.
Audio recording of board minutes is antithetical to their purpose, which is to record the business transacted and accomplished at the meeting and substantiate that proper procedure was followed (i.e., notice, quorum, etc.) and not be a transcript of conversations. Perhaps most importantly, minutes are legal documents that are generally discoverable in a lawsuit no matter in what form they are maintained. Institutions need to consider whether they would want to have their audio recorded minutes played in a court room for all to hear. 
We generally recommend that, particularly for community bank holding companies, the board try and maintain only a very general summary of discussion points. The primary exception to this general principle is that where a board is making a significant shift in policy or taking a strategic action with a relatively high degree of risk, we recommend taking care to include information sufficient to demonstrate that the board has satisfied its fiduciary duties—but even in those cases, erring toward the side of omitting unnecessary detail. Examples of these situations commonly include the consideration and approval of M&A and capital markets transactions, but increasingly we have also included more thorough summaries of factors that support adoption of or changes in dividend policies, branch expansions and similar decisions.
More bank consolidation is expected in the next five years, so executives in the C-suite need to be prepared to be leaders of change. Along with the board, they need to create and implement a vision that reflects the bank’s brand and corporate culture. Recently, some banks have created a position of chief culture officer that reports directly to the CEO. That position involves much more than simply training the new people on how your systems work. Rather, the focus is on moving the bank forward as one family with one voice and one mission, and overcoming the natural tendency for an “us versus them” culture that often follows an acquisition.