Back in July, the OCC, Federal Reserve, and FDIC released a request for information on bank-fintech arrangements.
The purpose of the RFI, coming in the wake of the Synapse mess, was to help shape future rulemaking and guidance from the prudential bank regulators regarding banking-as-a-service and bank-fintech arrangements.
I wrote about some of the key themes from the RFI when it was released in July, but now we have the responses back from industry, and you know there’s nothing I enjoy more than reading comment letters to regulators, so I thought I’d summarize a few of the key takeaways and give my brief takes on them.
And because I’m in a combative mood today, I will frame those takeaways as a series of fights.
(Editor’s Note — I am grateful to my fellow bank nerds Kiah Haslett, Jason Henrichs, Jason Mikula, and Evan Weinberger for sharing their takes with me on the comments. Evan wrote a piece for Bloomberg Law on the subject, and Kiah, Evan, and I talked about the comments in a Bank Nerd Corner podcast, which will be dropping next week!)
Big Banks vs. Small Banks
Quite a few banks and banking trade associations weighed in on the RFI. Historically, on most policy issues, banks tend to stick together, but banking-as-a-service in 2024 is an exception.
Community banks like Coastal Community Bank and The Bancorp and trade associations like the Independent Community Bankers of America (ICBA) forcefully argued that BaaS and other arrangements between banks and fintechs are a net positive for consumers and small businesses and a critical lifeline for community banks.
Here’s how Coastal Community Bank, which has been operating as a partner bank for fintech programs since 2017, describes the importance of fintech to the survival of community banks:
Without fintech partnerships, community banks would not be able to effectively compete with larger banks that have more resources to innovate and respond to evolving customer preferences and the continued digitization of banking.
Big banks, which have played a comparatively small part in the growth of fintech over the last 15 years, had a different perspective. In comment letters from PNC, trade associations like the Bank Policy Institute (BPI) and the American Bankers Association (ABA), and consortiums like The Clearing House (TCH), big banks made the case that community banks (and their fintech partners) unfairly benefit from a series of structural advantages.
From PNC’s comment letter:
The risks of deposit-taking partnerships are especially high because many fintechs choose partner banks precisely to avoid regulation and oversight. Fintechs often seek smaller banks with less than $10 billion in assets for deposit-taking partnerships. They do so not for those banks’ technological expertise (in fact, many partner banks need an intermediary platform provider to provide the requisite technology) or for the smaller banks’ strong local relationships. Rather, fintechs seek smaller banks to pursue regulatory arbitrage. Banks under $10 billion assets are not subject to interchange caps on debit transactions, and they are generally exempt from CFPB supervision and enforcement. These fintechs thus enjoy uncapped debit interchange revenue while enjoying less consumer protection oversight.
To halt this regulatory arbitrage, the Agencies should close the $10 billion exemption loophole on debit interchange caps.
A joint comment letter from the BPI and TCH concurred with PNC about the need to shut down this regulatory arbitrage opportunity and specifically recommended that banks that use deposit sweep arrangements and other balance sheet management tricks to stay under the magical $10B assets threshold be subject to more intensive regulatory scrutiny.
Alex’s Take:
I don’t think big banks’ push to cut fintechs off from Durbin-exempt debit card interchange will work, but points for trying!
Other, less headline-grabbing arguments (like the unfairness of banks artificially staying below the $10B assets threshold to duck additional regulatory scrutiny) may have a better chance of gaining traction.
More broadly, I’m fascinated by the increasing incompatibility of the policy goals and priorities of small community banks vs. large regional and national banks. A similar dynamic is playing out right now in the open banking space.
PNC vs. Chime
Big banks are also getting into it with fintechs.
The most illustrative examples are the comment letters from PNC and Chime.
The Agencies’ RFI attempted to distinguish the risks of different types of bank-fintech arrangements by categorizing them in several different ways, including by bank product type (e.g., payments, lending, deposits).
PNC strenuously agreed with this approach and argued that deposit-taking is a uniquely important and high-risk activity deserving of additional, direct regulatory scrutiny:
While heightened risks exist to some extent in every type of fintech partnership, the risk is highest in deposit-taking partnerships because that activity goes to the core of the business of banking and user confidence in the U.S. banking system. Failures in deposit-taking partnerships are also more likely to pose risk to the Deposit Insurance Fund, further justifying special regulatory attention. For these partnerships, Agency supervision must be more than theoretical. It must be frequent and meaningful, just as if a bank itself engaged in high-risk activities while that bank had (like a fintech) structural and financial incentives in favor of increased risk taking and against strong risk management.
Chime, which has a very large deposit-taking business built on top of multiple partner banks (The Bancorp and Stride Bank), argued the opposite:
We recognize that recent market events have demonstrated that bank-fintech relationships involving deposit-taking can present significant risks, including to consumers, due to reconciliation issues. We also appreciate that the Agencies have noted deficiencies for several banks with respect to financial crimes compliance related to fintech relationships, including those involving deposit-taking activities.
However, we disagree that the involvement of deposit-taking activities alone causes a bank-fintech relationship to pose higher risks or that it necessarily does so. As an initial matter, we believe that numerous deficiencies seen in certain bank-fintech relationships involving deposit-taking are due in significant part to complexity in bank partnership models, idiosyncratic risk profiles or inadequate risk management practices. These are issues that merit supervisory and industry attention, but they do not necessarily indicate heightened risk in all relationships that involve deposit-taking.
In fact, Chime made the case that such arrangements are actually good for the overall stability of the U.S. financial services industry:
Bank-fintech relationships can promote financial stability by providing banks with this stable deposit funding. The products and services that fintechs like Chime work with banks to provide include deposit accounts into which numerous consumers deposit their paychecks and use as their primary transaction accounts. As a result, deposits in these accounts are “sticky.” The Chime member base is diverse with no single member or group making up a significant portion of deposits.
And thus should not be considered brokered by the FDIC:
We view the FDIC’s recent brokered deposit proposal as too broad in its characterization that deposits received by banks in connection with fintech relationships are “brokered.” Such a characterization will adversely affect a broad range of activities, even those that do not present the risks targeted by the proposal, likely harming consumers and banks, without corresponding benefits.
Alex’s Take:
PNC’s comment letter is actually very well written and persuasive, although I’m naturally skeptical of it given that PNC doesn’t have much of a BaaS/embedded finance/fintech business to speak of, which suggests that they might just be commenting to suppress the competitive threat posed by fintechs like Chime.
Chime’s comment letter makes me feel bad for Chime. They’re correct that not all deposit-taking fintechs should be painted with the same broad brush (for the most part, Chime has been a good actor in the space), but it’s challenging to make that argument while thousands and thousands of consumers are still waiting to recover their money from the Synapse/Evolve vortex of pain.
Additionally, I agree with Chime’s claim that their customer deposits are sticky and low-risk. However, the problem is that Chime’s relationship with The Bancorp and Stride isn’t nearly so low-risk (commercial arrangements end abruptly all the time), so the argument that these deposits aren’t risky for the banks doesn’t hold water.
Regulators vs. The BSCA
Banks and bank trade associations were almost unanimous in their feedback to the Agencies that regulators need to do a lot more direct supervision of fintechs.
Here’s the BPI and TCH:
The current supervisory approach relies too heavily on partner banks to oversee their fintech and middleware platform partners especially where the activities of these third parties introduce new risks to the system. Rather than leaning more on banks to serve as quasi-regulators for partner fintechs – only without the enforcement tools and oversight authorities possessed by the Agencies – the Agencies should instead focus on clarifying applicable responsibilities for fintechs and directly oversee fintech compliance with applicable laws.
Under what authority would regulators directly oversee all of these fintechs?
The authority granted by my favorite bank nerd law — the Bank Service Company Act!
I’ll let PNC explain:
The Agencies have long and consistently maintained that the Bank Service Company Act (“BSCA”) provides each banking agency “legal authority to examine functions or operations that a third party performs on a banking organization’s behalf.” Section 7 of the BSCA states that when a bank “causes” a third party to perform BSCA-authorized services on the bank’s behalf, the performance of those services is “subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself.”
Alex’s Take:
Yes!!! It’s happening!!! After a long bank nerd influence campaign waged tirelessly by myself, Kiah Haslett, Jason Mikula, James Bergin, and many others, the BSCA is finally sexy!
I was stunned, honestly, by how many different comment letters suggested that regulators take a much more active role in supervising fintechs using the BSCA.
Having said that, I am reluctantly forced to admit that the BSCA is unlikely to be our savior. There are a couple of reasons for this.
First, and rather bizarrely, regulators have never developed an implementing regulation for the BSCA. As such, it’s unclear exactly how the law can be applied in practice (even though it has been used multiple times since 1962), and there’s little precedent to guide the more expansive use that industry is pushing for.
Second, on a more practical level, the Agencies don’t have the resources to directly supervise every fintech company in the U.S. Not even close.
Given these realities, I think it’s unlikely that we will see significant use of the BSCA to directly supervise fintechs moving forward, much to the disappointment of banks (and myself).
Intermediate Platforms vs. Everyone Else
Given that it was the bankruptcy of Synapse, a BaaS middleware platform (or what the Agencies’ RFI calls an “intermediate platform”), that precipitated this industry-wide discussion that we’re having on bank-fintech arrangements, I was not surprised that the Agencies’ RFI asked a lot of questions about the benefits and risks of Synapse-type middleware models.
And I wasn’t surprised to see BaaS banks and fintechs work very hard to distance themselves from that model in their comment letters.
Chime:
Less complex relationship structures – in particular, direct, contractual relationships between a bank and a fintech – inherently enable more effective risk management, compliance and consumer protection, regardless of the specific products and services involved. In these structures, the applicable bank and fintech can discuss and agree on an appropriate division of responsibilities and the bank can ensure it has the ability to effectively review, manage and oversee the fintech, including through open and direct lines of communication.
Complexity, on the other hand, makes it more difficult to clearly allocate responsibilities and to have open lines of communication. Where, for example, a bank-fintech relationship involves multiple intermediaries, operational and other risks are necessarily heightened. A bank may be unable to effectively oversee other parties in the relationship, especially if the bank does not have a direct, contractual relationship with one or more of those parties. A fintech may also have no ability to monitor the bank with which it is working. Moreover, if a bank lacks a contractual relationship with either the consumer or the platform that interfaces with the consumer, the bank must rely on intermediaries to implement effective consumer protection.
The Bancorp:
With respect to the various bank-fintech arrangements noted in the RFI, the Bank views the direct partnership model between the bank and fintech as the most effective in assuring the bank’s fulfillment of its risk management, compliance and safety and soundness obligations (as opposed to bank-fintech arrangements established and managed through an intermediary or “middleware” platform provider).
Under the direct partnership model, the bank and fintech are collaborative partners, with the bank having the critical advantage of a direct “line-of-sight” into both the fintech itself and the underlying fintech program. This level of visibility is absolutely essential, given that in most bank fintech relationships, the bank issues the fintech product, and the fintech in turn provides services in connection with the product on the bank’s behalf.
Even Mercury, which was itself a customer of Synapse, had the cheek to take a shot at the intermediate platform model:
Mercury has some direct experience with the intermediate platform provider model. We initially launched our product in 2019 with such a partner, which allowed us to get to market quickly. … But the model proved unworkable for Mercury as we scaled. With the benefit of scale, in 2021 we began work to launch a direct connection with a separate bank partner, and that model proved beneficial for many of the reasons outlined here. … As we developed our multi-bank, direct engagement model, it also became increasingly clear that our intermediate platform provider was not operating excellently in certain key areas, including compliance, cementing our preference for and belief in direct bank relationships.
From under the bus, several intermediate platform providers attempted to gently clarify why their model isn’t actually that bad.
Here’s Unit:
Over the last several years, a significant number of new digital infrastructure providers, like Unit, have emerged to help banks better manage their bank-fintech arrangements. We recommend considering how digital infrastructure solutions can strengthen and make more efficient the bank’s oversight of its service providers. By centralizing important end customer and program information, utilizing consistent processes and tooling, and reducing the number and permutations of third and fourth parties used by the bank, digital Infrastructure companies can reduce the total “surface area” of responsibilities requiring oversight and enable a bank to better focus its oversight efforts.
Alex’s Take:
Taken in total, I think the comment letters submitted in response to this RFI will confirm the Agencies’ priors regarding the inherent dangers of working with intermediate platforms. I doubt that the intermediate platform model will go away entirely, but it will continue to fall out of favor, and the remaining providers in the space will continue to reposition themselves as core bank technology vendors.
On that last note, I would have loved to have seen a more direct and honest comment letter from Unit. Rather than torturing the English language to make it appear as if they had always enabled direct relationships between banks and their fintech programs (which we know isn’t true), it would have been really neat (and effective) for them to simply say, “we’ve always tried to build our product the right way, but we changed our model when it became evident to the market that direct bank-fintech relationships needed to be the foundation for all BaaS technology platforms.”
I also have to say that I find it OUTRAGEOUS that Mercury threw Synapse under the bus when we know from reporting that Synapse was actually the most responsible actor in the Mercury-Synapse-Evolve troika. Why even submit a comment letter? Saying nothing was an option!
Standard-Setting Organizations vs. A Deep Well of Skepticism
For our last fight, I wanted to talk about standard-setting organizations (SSOs).
Several commenters wrote that a common set of industry standards and compliance certifications would be useful for helping to raise the overall level of quality in BaaS and help banks and fintechs work together more efficiently, without overburdening regulators or bank vendor risk management teams.
Here’s the ICBA:
Just as the creation of FASB, the adoption of GAAP standards, and SOC reports helped achieve uniformity, commonality, and an assurance that expectations have been met, the creation of a fintech SSO could greatly enhance and address the common inhibitors to bank-fintech partnerships.
The clear benefit of this model would be a shorter ‘time-to-market’ for fintechs.
One such SSO — the Coalition for Financial Ecosystem Standards (CFES) — submitted a comment letter to the agencies, in which it outlined (at a very high level) a framework for standards, which it calls STARC:
CFES is developing the Standardized Assessment for Risk Management and Compliance (STARC) framework. STARC is modeled off the FFIEC’s TPRM and guidelines, and it reflects the feedback and guidance of leaders in the industry. It’s crucial to emphasize that the STARC framework contemplates a two-step solution to aligning risk management and compliance expectations within bank-nonbank partnerships.
First, STARC defines a set of standards that operationalizes risk management and compliance as applied to these partnerships. These standards are informed by the FFIEC’s TPRM and other guidelines, with additional input provided by fintechs and other industry experts. This approach creates a common language and benchmark for best practices across areas such as BSA/AML compliance, third-party risk management, and operational risk. Second, STARC provides a robust framework for due diligence and ongoing assessment against these established standards. This includes detailed evaluation methodologies, scoring systems, and reporting that enable thorough, consistent assessment of nonbanks participating in bank-nonbank partnerships. Importantly, a certified third-party firm will perform an assessment of a fintech’s risk and compliance maturity against these standards, ensuring an objective and professional evaluation.
CFES counts nine fintech companies as members today — Bluevine, Block, Brex, Mercury, Relay, Rho, Sardine, Stripe, and Treasury Prime. However, they do not yet have any banks signed up (at least publicly), nor is there any indication, at this early stage, how regulators feel about CFES or the chances that regulators might someday give this STARC framework their official or unofficial blessing.
That last part is extremely important, as the ICBA notes:
A critical factor with the certification would be the acceptance of the certification as a form of approval by regulators. If regulators do not accept the certificate, or if examiners add additional due diligence measures because the third party is not certified, the creation of the SSO and certification program would be a step backward and increase burden without providing any benefit. For this program to work effectively, examiners must rely on the certification as evidence of compliance with agreed-upon standards.
Alex’s Take:
The idea of a standard-setting organization that could do much of the foundational work necessary for banks and fintechs to safely and efficiently work together has a universal approval rating.
The tricky part is turning that abstract idea into a workable reality.
There is a deep well of skepticism among lawmakers, regulators, banks, and even other fintech companies about the viability of such an effort, especially when it lacks any participation from members that don’t have an obvious self-interest in being included.
There are several different efforts underway to pull together a fintech SSO, and I hope that one or more of them succeed.
