The first big news story this week was that Mercury, the B2B neobank, offboarded some of its customers:
Digital banking startup Mercury is no longer serving U.S.-domiciled customers with passports from certain countries, including Ukraine, the company confirmed to TechCrunch.
Mercury made headlines earlier this year when it was caught up in federal scrutiny through one of its partners, Choice Bank, around the practice of allowing foreign companies to open accounts.
The FDIC was “concerned” that Choice “had opened Mercury accounts in legally risky countries,” the Information reported. Officials also reportedly chastised Choice for letting overseas Mercury customers “open thousands of accounts using questionable methods to prove they had a presence in the U.S.”
Mercury told TechCrunch in April that it was investing in its risk and compliance teams. In an apparent response to that federal scrutiny and as part of the company’s “ongoing commitment to compliance,” a Mercury spokesperson told TechCrunch on Monday that it recently updated its eligibility requirements and notified certain customers that it could “no longer support them due to either the address(es) they provided or the locations where we recorded frequent account activity.”
In the wake of this negative news coverage from TechCrunch and from observers like me on Twitter, multiple fintech folks who I deeply respect leapt to Mercury’s defense.
Their argument was that it is the bank partners – Choice and Evolve – not Mercury who are responsible for this bad outcome and that Mercury was simply caught between a rock (its bank partners) and a hard place (a shift in the regulatory environment that is forcing BaaS banks to tighten the screws).
I completely disagree with this argument.
It is true that Mercury’s bank partners, both of which are now operating under regulatory consent orders, deserve a lot of the blame. And it’s also true that fintech companies, which are ultimately subject to whatever requirements banks and regulators hand down to them, are sometimes unfairly caught off guard by sudden changes in the macro environment that have nothing to do with how responsibly or irresponsibly they’ve built their businesses.
However, in the case of Mercury specifically, we have no reason – based on the available reporting and common sense – to give them the benefit of the doubt. I shared this excerpt from Jason Mikula’s most recent reporting about the compliance lapses in the Mercury/Synapse/Evolve relationship in Monday’s newsletter, but it’s worth resharing because it’s just that insane:
Synapse had concerns about higher-risk jurisdictions, like Turkey, or those with sanctions in place, like Russia.
But Mercury wanted to facilitate users and transactions in those countries, and, when Synapse wasn’t sufficiently cooperative, Mercury sought Evolve’s signoff on adding certain users to a so-called “whitelist,” former Synapse staffers said. Being added to the whitelist would enable those accountholders to make transactions in amounts and with counterparties that they otherwise would not be able to make.
Despite higher risk ratings for certain countries or accounts, some users would be “grandfathered in” to enable them to continue using their accounts without interruption, the former Synapse employees said. For example, some users who had opened an account before sanctions were put in place in a given jurisdiction would be whitelisted and allowed to continue using their accounts, the staffers said.
This isn’t a case of an innocent fintech company that didn’t know any better blundering into a compliance mess because its partner bank said it was OK or because the rules suddenly and unexpectedly changed.
This is a fintech company strategically using its leverage to sidestep its middleware provider (Synapse appears to have been actually trying to do the right thing in this instance… wild!) and get the bank to agree to a process that it knew was a compliance time bomb.
Now that bomb has exploded and I’m supposed to feel sympathy for Mercury?
No.
You can’t build in financial services by assuming that the rules don’t apply to you when you’re small, and if you get big enough, you can force the rules to adapt to you. This isn’t Uber and the City of San Francisco in 2010.
In financial services, the refs always win.
They may be slow to adapt to the innovative strategies that players introduce to the game, but they always catch up … eventually.
Which brings us to the second big news story of the week – the refs are asking the players for input on the rules:
The federal bank regulatory agencies today … have requested additional information on a broad range of bank-fintech arrangements, including with respect to deposit, payments, and lending products and services. The agencies are seeking input on the nature and implications of bank-fintech arrangements and effective risk management practices.
The agencies are considering whether additional steps could help ensure banks effectively manage risks associated with these various types of arrangements.
In last week’s essay, which was informed by some recent conversations that I’ve had with regulators and public policy folks, I predicted that the OCC, Fed, and FDIC would revisit their guidance on bank third-party risk management (TPRM) and (maybe?) expand their supervision of non-banks under the Bank Service Company Act, in the wake of the Synapse/Evolve clusterfuck, and indeed, that seems to be what’s happening.
So, let’s review the OCC, Fed, and FDIC’s Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses and see if we can pick out some salient themes.
Reviewing Regulators’ RFI
Before we get into the details, I will say that this RFI is impressively specific. It asks about all of the areas that have become hot-button issues in BaaS over the last 6-12 months.
It also does a good job of outlining the different types of arrangements that exist in BaaS and other types of bank-fintech partnerships. The RFI divides these arrangements up by product type – deposits, payments and card issuing, and lending – and distinguishes between direct arrangements and arrangements that involve intermediate platforms (more on that in a bit):
Of course, it remains to be seen whether the specificity of the RFI translates over into clearer and more detailed guidance, but this question from the RFI suggests that the agencies are thinking that it might:
To what extent would additional clarifications or further guidance be helpful to banks with respect to bank-fintech arrangements? If so, please explain. In what specific areas would additional clarification or further guidance be most helpful?
Now, let’s review some of the other questions from the RFI and consider what they might mean for BaaS and bank-fintech partnerships in the future.
We will organize them into a few different buckets.
(Editor’s note – you will see the bloody fingerprints of Synapse and Evolve all over these questions. It’s obvious that the Synapse/Evolve meltdown was the precipitating factor for this RFI. However, the RFI also touches on many areas outside of Synapse/Evolve.)
Intermediate Platform Providers
This is the term that the agencies use to describe BaaS middleware platforms like Synapse, Increase, Unit, Synctera, Treasury Prime, Helix, Infinite, and Atelio.
And thanks largely to Synapse, these companies are squarely in the agencies’ sights, as this question demonstrates:
Describe the range of practices regarding the use of an intermediate platform provider. Describe how the use of an intermediate platform provider may amplify or mitigate risk, and to what extent, if any, intermediate platform providers influence how banks handle operational, compliance, or other issues when dealing with fintech companies within the intermediate platform provider’s network.
The RFI makes clear that the agencies are worried about program management – a service provided by some intermediate platforms, in which they handle certain tasks (compliance, risk management, transaction processing, reconciliation, etc.) on behalf of the bank or fintech.
This concern is not new, which is why most of the intermediate platform providers that did offer program management have been scrambling to pivot away from that model or de-emphasize that aspect of their services.
Power Dynamics
One of the primary deficiencies in the agencies’ TPRM guidance to date has been the implicit assumption that the relationship between banks and their third-party service providers is always one in which the bank has the leverage.
This made sense in a world in which third-party service provider always meant vendor.
However, fintech companies aren’t your typical third-party service providers. For many BaaS banks, fintech has been a critical, irreplaceable source of revenue and growth. This has given fintech companies a great deal of leverage over their bank partners, leverage that they haven’t always wielded in the smartest or most responsible way (I’ll refer you back to the Mercury/Synapse/Evolve example above).
The agencies’ RFI demonstrates that they have finally grokked this. Here’s a quote that Andrew Grant, Partner, Runway LLP, pointed out to me:
These facets of bank-fintech arrangements may create heightened or novel risks for banks relative to the risks associated with more traditional third-party vendor relationships.
In the RFI, the agencies ask about the impact of these dynamics on contract negotiation and due diligence processes:
What impact, if any, does the size and negotiating power of the bank or the fintech company have on [contract negotiation and due diligence]? What impact, if any, does the fintech company’s or intermediary platform provider’s degree of control of operational functions have on [contract negotiation and due diligence]? What impact, if any, does bank liquidity or revenues concentration represented by any particular fintech company, intermediary platform provider, or business line have on [contract negotiation and due diligence]?
They ask about the business models that underpin these arrangements:
Describe the range of practices regarding how revenues and costs resulting from these arrangements are allocated between the bank and fintech company.
They even ask, somewhat philosophically, who owns the customer:
How do the parties to bank-fintech arrangements determine the end user’s status as a customer of the bank, the fintech company, or both, including for purposes of compliance with applicable laws and regulations, and each party’s responsibility in complying with contractual requirements?
They also do a wonderful job outlining their concern about the impact that poor or imbalanced contract negotiations can have on the division of operational responsibilities between banks and their fintech partners and the resulting impact on providers’ accountability when something breaks:
Contractual accountability for different aspects of the end-user relationship may be allocated among the parties to a bank-fintech arrangement. However, banks remain responsible for compliance with applicable law. Failure to conduct sufficient due diligence, ongoing monitoring, and oversight of the bank-fintech arrangement may complicate the bank’s ability to ensure such compliance and to identify risk. In addition, contractual division of labor may complicate the bank’s ability to establish clear lines of accountability, implement effective risk and compliance management strategies, and address and remediate issues as they arise, especially where novel arrangements place certain traditional banking activities outside of the bank.
End-User Confusion
Given the very public plight of Synapse’s end users, it was a sure bet that the agencies were going to make end-user confusion a central topic in this RFI.
And indeed they did:
The fintech company’s efforts to provide a seamless end-user experience could make it difficult for end users to know in what capacity they are dealing with the bank or the fintech company. In some cases, marketing materials or other statements by the fintech company or bank may exacerbate end-user confusion. For example, end users may not be well-informed regarding the type of account relationship that the end user is establishing through the fintech and may not understand that Federal deposit insurance does not protect them from a nonbank fintech company’s failure.
One interesting question from the RFI that caught my eye was this one, focused on initial and ongoing disclosures to end users about the nature of the relationship between the bank and the fintech:
Describe the range of practices regarding disclosures (e.g., initial, annual, or ongoing) to end users about the involvement of bank-fintech arrangements in the delivery of banking products and service.
Perhaps, in the future, it won’t be enough to say, “Chime is a financial technology company, not a bank. Banking services provided by The Bancorp Bank, N.A. or Stride Bank, N.A.; Members FDIC” on your homepage and call it a day.
Planning for the Worst Case
The agencies also stressed the importance of operational resilience and contingency planning in worst-case scenarios like …
Your middleware platform going bankrupt, and you realizing you have an unresolved reconciliation nightmare on your hands:
In the context of bank-fintech arrangements, how are deposit accounts usually titled? Describe the range of practices reconciling bank deposit account records with the fintechs’ records. Generally, what party holds and maintains the account records?
Or you suffering a data breach that exposes the personal information of more than 7 million people:
Describe the range of practices regarding planning for when a fintech company or intermediate platform provider exits an arrangement, faces a stress event, or experiences a significant operational disruption, such as a cyber-attack.
Obviously, these are just hypotheticals, but it’s nice to see the agencies thinking ahead here!
The Risks of Rapid Growth
Finally, the RFI makes a point to emphasize the risks that can be introduced when a fintech partnership (or partnerships) leads to rapid growth:
A bank may experience rapid growth as a result of engaging in a bank-fintech arrangement, especially in the case of a community bank. Various risks can emerge from rapid growth and the bank’s changing risk profile, including risks that may threaten the bank’s safety and soundness or its ability to comply with applicable laws and regulations. These risks may arise from challenges such as appropriately scaling risk and compliance management systems, operational complexities, significant deposit growth, and insufficient capital to support the rapid growth, among other things.
Specifically, the agencies see the potential challenges created by rapid growth in deposits:
Rapid deposit growth related to a bank-fintech arrangement can also pose risks related to funds management. For example, a bank may need to invest an influx of short-term deposits that greatly exceed amounts the bank has traditionally managed. To the extent that deposits are used to fund growth in longer-term or higher-risk fixed-rate assets, including loans and securities, the bank may be exposed to greater liquidity, interest rate, or credit risk, especially when such investments are concentrated, or the risks are otherwise correlated.
And payments:
Bank-fintech arrangements may also pose operational complexities, which may lead to increased risk. For example, potentially significant increases in the volume of payment processing may give rise to increased transaction monitoring alerts. In addition, depending on the integration of the bank’s information technology systems with those of the fintech company, security vulnerabilities and other sources of operational disruption may arise, increasing the likelihood of data breaches, privacy incidents, service interruptions, and fraud. In some cases, banks do not have or are unable to develop the infrastructure to adequately address these complexities, and instead rely on manual workarounds, which could lead to operational breakdowns that may implicate various other risks, including compliance and legal risks.
Interestingly, lending-related bank-fintech arrangements seem to be less of a concern for the agencies (though they do definitely talk about lending-specific challenges like concentration risk).