Fintech

Fintech Partner Banks Face ‘Volatile Mix’ of Supervisory Scrutiny

Published

10 months ago

on

The Federal Reserve Board of Governors has created a new oversight team specifically tasked with overseeing the new activities.

Stefanie Reynolds/Bloomberg

Federal regulators have taken a sharper look TO Banking partnerships with financial technology companies in recent months, a change that has led to a surge in publicly disclosed enforcement activities.

In the first quarter of the year, actions against fintech partner banks accounted for 35% of publicized actions implementing measures by the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller, according to consulting firm Klaros Group. That’s up from 26% in the previous quarter and 10% in the first quarter of 2023.

The increase in enforcement actions against companies engaging in so-called business banking-as-a-service, or BaaS, models corresponds to the adoption of a new joint guide by the Fed, FDIC, and OCC for third-party risk assessments, codified last June. In the following quarter, the share of enforcement actions against fintech partner banks doubled from 9% to 18%, according to Klaros. The increase in BaaS-related enforcement actions coincides with a doubling of total enforcement actions against banks over the same period.

“There’s definitely more enforcement activity going on around BaaS,” said David Sewell, a partner at law firm Freshfields Bruckhaus Deringer. “You’re seeing the fruits of the improved oversight posture in that space.”

The question is whether this recent wave of activity represents a temporary adjustment, as agencies need to ensure their expectations are taken into account, or a permanent shift in regulators’ attitudes toward BaaS models.

In addition to creating new expectations for fintech partnerships, Washington regulators are also creating specialized oversight teams to explore these activities more fully. Last year, the OCC launched an Office of Financial Technology to “adapt to a rapidly evolving banking landscape,” and the Fed established a similar group called the Novel Activities Oversight Program, which monitors fintech partnerships, engagement with cryptocurrencies, and other emerging strategies in the banking sector.

These fintech-specific developments come at a time when agencies are changing their approach to oversight generally, with an eye toward addressing growing problems identified at banks more quickly and aggressively. The effort was undertaken in response to last year’s failure of Silicon Valley Bank, which had numerous unaddressed citations, known as issues requiring attention, at the time of its collapse.

The FDIC has already changed its procedures and now directs its supervisors to raise issues if they are not resolved for more than one review cycle. A Government Accountability Office report issued last month asked the Fed to take a similar approach.

Gregory Lyons, a partner at the law firm Debevoise & Plimpton, said the confluence of these disparate developments will place significant regulatory pressure on fintech partner banks, most of which are small community banks that rely on the deals to offset declining other business opportunities.

“You have a general concern among regulators about fintech, you have these new divisions within agencies that are focused exclusively on fintech activities and risks, and then more generally you have a review environment where things are going to escalate rapidly,” Lyons said. “That’s a pretty volatile mix for banks that are very reliant on fintech partnerships.”

Measuring supervisory activity and determining its root causes are both risky exercises, said Jonah Crane, a partner at Klaros. Public actions make up only a fraction of the overall enforcement landscape, which is itself a small portion of the correspondence between banks and their supervisors. Public enforcement actions are also intentionally vague in their descriptions of violations, as a way to safeguard sensitive supervisory information.

However, Crane said the recent disclosures exemplify the areas of greatest concern for regulators: money laundering and general third-party risk management. He noted that the main threat that supervisors appear to be guarding against is banks’ outsourcing of their risk management and compliance duties to lightly regulated technology companies.

“For every banking product on the market, there’s a long list of laws and regulations that have to be followed,” Crane said. “These have to be clearly spelled out and still be executed to banking standards when banks are outsourcing those roles and responsibilities. That seems to be the crux of the matter.”

In official documents and speeches by officials, the agencies have described their approach to fintech oversight as risk-sensitive and principles-based. They emphasize the importance of banks knowing the types of activities their fintech partners are engaged in, as well as the mechanisms they have in place to manage risks.

“The OCC expects banks to appropriately manage their risks and regularly describes its supervisory expectations,” an OCC spokesperson said. “The OCC has been transparent with its regulated institutions and issued joint guidance last June to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies.”

The Fed declined to comment, and the FDIC did not comment ahead of publication.

Some policy experts say the expectation that the responsibility falls on the bank when it comes to risk management and compliance should not surprise anyone in the BaaS industry, pointing to both last year’s guidance and longstanding practices by supervisors. The Fed, FDIC, and OCC have outlined many of their areas of concern in 2021 through jointly proposed guidelines for third-party risk management.

James Kim, a partner at law firm Troutman Pepper, likens the recent surge in activity to regulators weeding out low-hanging fruit. He notes that the rapid expansion of BaaS deals in recent years, aided by intermediary groups pairing fintechs with banks, typically small ones, has brought with it many groups that weren’t well-suited to managing regulatory requirements.

“Several years ago, there were real barriers for fintechs to partner with banks because of the cost, time and energy required to negotiate deals and go through onboarding due diligence,” Kim said. “Some of the enforcement activity we’re seeing today is likely a result of some banks, fintechs and brokers jumping into the space without fully understanding and addressing the compliance obligations that come with it.”

Others argue that the standards set last year are too broad to apply uniformly to all BaaS business models, which can vary greatly from deal to deal.

Jess Cheng, a partner at the law firm Wilson Sonsini who represents several fintech groups, said regulators need to provide more detailed expectations for how banks can operate in the sector safely.

“In light of these enforcement actions, there appears to be a real lag time between what has happened in terms of increased supervisory oversight and the issuance of tools to help smaller banks comply and understand how they can meet those expectations,” Cheng said. “There is a dire need.”

In a statement to American Banker, Michael Emancipator, senior vice president and senior regulatory counsel for Independent Community Bankers of America, a trade association representing small banks, said the recent increase in enforcement actions is concerning, “especially in the absence of new regulations, policies or guidelines that account for this increased scrutiny.”

Emancipator acknowledged the guidance finalized last year, but noted that the framework remained largely unchanged from the 2021 proposal and provided no indication that substantial oversight was warranted.

“If there has been a change in agency policy that is now manifested through enforcement actions, ICBA encourages banking agencies to issue a notice of proposed rulemaking that more explicitly explains the policy change and how banks can appropriately operate under the new policy,” he said. “In the absence of such additional guidance and an opportunity for comment, we are seeing a new breed of ‘regulation by enforcement,’ which is obviously suboptimal.”

There is optimism among industry experts that the Fed’s new business oversight program will be able to address some of these outstanding issues and provide banks with the guidance they need to operate the industry safely and effectively.

“I would expect more clarity in the future both in the context of oversight actions and if they adopt review manuals and a full review process,” Crane said. “I still see the glass half full in how new activity programs will impact the space. It’s a pretty strong signal that the agencies are not just trying to kill this activity. They wouldn’t set up entirely new programs and oversight teams if that’s what they’re trying to accomplish.”

The program will work alongside existing oversight teams, with the Washington-based group of specialists accompanying local examiners to explore specific issues related to emerging business practices. Crane said that until more formal examination policies are established, the extent of the enhanced oversight conducted by these specialists remains to be seen.

“In theory, this increased supervision should only apply to new business,” he said. “It is an open question whether, in practice, the entire bank will be held to a higher standard.”

Lyons said adding oversight by a Washington-based entity, such as the Novel Activities Supervision Program, erodes the discretion of local examiners. It also inevitably leads to the identification of preferred practices.

“When these types of groups get involved in oversight, it tends to lead to more comparisons of how one bank addresses issues versus another,” Lyons said. “It’s not formally a horizontal review, but it’s that kind of principled thing where supervisors identify certain practices that they prefer over others.”

Lyons added that escalation policies, like the one implemented by the FDIC, also eliminate examiner discretion and could create a situation where one type of deficiency, such as third-party risk management, can quickly escalate into a different one with more significant consequences.

“If issues persist for more than one review cycle, they can go from being a third-party risk management issue to also being a management issue for not monitoring an urgent risk accurately enough,” he said. “Management is typically considered the most significant of the six components of [regulators’ banking soundness rating system] CAMELS for the purposes of determining the composite rating, for example.”

Source

Related Topics:

Leave a Reply

Your email address will not be published. Required fields are marked *

Información básica sobre protección de datos Ver más

  • Responsable: Miguel Mamador.
  • Finalidad:  Moderar los comentarios.
  • Legitimación:  Por consentimiento del interesado.
  • Destinatarios y encargados de tratamiento:  No se ceden o comunican datos a terceros para prestar este servicio. El Titular ha contratado los servicios de alojamiento web a Banahosting que actúa como encargado de tratamiento.
  • Derechos: Acceder, rectificar y suprimir los datos.
  • Información Adicional: Puede consultar la información detallada en la Política de Privacidad.

Trending

Exit mobile version