The regulatory tides may be changing in the US, as the Office of the Comptroller of the Currency (OCC) suggests banks should be doing more to manage risks related to partnering with fintech firms.
In June 2023, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the OCC and the US Treasury Department issued joint guidance to all banking organisations for developing and implementing risk management practices when engaging in third-party fintech partnerships.
Towards the end of February, Michael Hsu, CEO and acting comptroller of the currency at OCC, delivered a presentation at Vanderbilt University in Nashville, Tennessee, discussing how the ‘blurring of the line’ between banking and non-banking entities could lead to financial instability.
Fintech innovation has been rife throughout the last decade, with payments changing drastically and encouraging the growth of the e-commerce sector.
However, while many have celebrated the speed of change driven by the fintech industry, Hsu fears that more nonbank entities taking on the various elements of banking could lead to financial instability – as they fall outside of the banking regulatory remit – and as public confidence is reduced.
These concerns could lead to significantly more regulatory attention, with Hsu outlining that the OCC expects banks to manage risks related to fintech partnerships, adding that “micro-prudential supervision and regulation have a role to play in mitigating some of the macroprudential risks from nonbanks”.
To find out more about the potential consequences of this, we reached out to industry experts to get their take on the future of collaboration between fintechs and banks.
‘We are facing a crisis of a significant mismatch’
Phil Goldfeder, CEO of the American Fintech Council (AFC), the industry association representing responsible fintechs, explained to The Fintech Times that the OCC could negatively impact the fintech industry in the US, if it interferes with partnerships too broadly: “As a standards-based trade association, AFC recognises that not all fintech is created equal. Painting bank-fintech partnerships, and the risks associated with them, with a broad brush, negatively impacts responsible companies that are working tirelessly to assess the actual risks associated with a given product, service, or partnership.
“Responsible bank-fintech partnerships operate very differently than other, less responsible, models. To that end, the OCC and the other banking regulators should carefully consider each individual bank-fintech partnership, and the nuances entailed within it, when assessing the risk of a given partnership.
“We are facing a crisis of a significant mismatch between the fintech used to conduct our daily lives and the regulatory mechanisms designed to ensure a fair and stable banking system. Regulated and responsible fintech companies are poised to lead the future of financial services innovation as they break down the traditional barriers to capital and reach families and businesses traditionally left behind.
“The onus is on the bank and fintech company to manage risk, but equally important that regulators assess risk effectively. An effective system requires both parties to understand the entire ‘supply chain’ of banking and clearly recognise the real extent of the risk presented. That understanding starts with proper examiner education of the unique products and services being examined, consistent engagement between both regulators and their regulated entities, and a focus on modernising regulations that are currently impractical for the future of financial services.”
Finding a balance between overcorrecting and ensuring bank standards
Jonah Crane, partner at Klaros Group, a financial services advisory and investment firm, shares a similar view and explained that while change is needed to ensure no calamity comes from these partnerships, it must be introduced carefully, to not dull fintech innovation completely: “When banks enter into partnerships that allow fintechs and other nonbanks to offer banking products to their customers, those customers become bank customers.
“So, all activities in connection with offering those products need to meet bank standards, and ultimately the bank is responsible for making sure they do. This is not exactly new, but the explosion of new fintech programmes led many banks to see a free lunch: ‘the fintech does all the work, and I get deposits and fee revenue’.
“This premise was faulty from the beginning, and once regulators started to dig in they didn’t like what they saw. This will be a challenging space for a few years, but the structural need for this model (especially in the US) means there will be great opportunities on the other side. It’s not rocket science, but it’s also not trivial, and the cost of operating a bank-sponsored programme is undoubtedly going up. The question is whether we can find a workable model or if, instead, we overcorrect to the point that the next Chime or Cash App never makes it to market.”
Fintechs and banks ‘must understand the regulators’ concerns’
However, Rick Kuci, COO of FundKite, an SMB fintech funding platform, believes OCC concerns are fair. Because many banks did not do their due diligence when engaging in fintech partnerships, significant risks have emerged from them: “The OCC has valid points around fintech and banking relationships when it comes to managing risks.
“Unfortunately, many banks caused this risk issue for themselves. Community and regional banks jumped into fintech partnerships without fully understanding these issues around compliance, hacks and consumer protection. Fintech partnerships were new to banks and regulators alike, and there wasn’t much guidance from regulators in the early days.
“The concept was good: offering more services and faster decision-making to bank clients. It was more cost-efficient to partner with a fintech company instead of trying to develop the programme themselves.
“However, many banks did not hold fintechs to the same cybersecurity and privacy standards as they held themselves. If fintechs want to partner with banks, they must understand the regulators’ concerns, stay up to date on those concerns, and provide assurances to the banks that they adhere to the strictest privacy and cybersecurity regulations.”
Risk is a ‘shared responsibility’
For Kevin McWey, chief revenue officer at DataVisor, an AI-powered fraud and financial crime prevention platform, the burden of risk should be shared between the fintechs and banks: “The risk posed to the financial ecosystem is a shared responsibility across banks and fintechs. No one party should shoulder all of the burden.
“It is essential for both parties to collaborate with data and insights to place effective controls in place. Fintech is bringing a wealth of innovation to the financial sector we have not encountered before, and some of that can be done because of the lack of regulatory burden. The partner banks and regulators should be collaborating with fintechs on how to implement effective controls to protect their customers and protect the financial ecosystem from criminals and bad actors.
“Beyond regulatory considerations, it is not news that all financial services providers should adopt a holistic approach to customer risk, whether that be fraud or regulatory risk.
“Having the ability to adopt systems that can be interchangeable across different data sets and transaction vehicles enhances understanding and cooperation between both parties. Breaking down point solutions siloes and bringing the focus back to client behaviour is the only way to holistically prevent fraud and stay out of the regulatory crosshairs.”
Looking to the future
While most appear to agree that a subtle approach on behalf of the regulator is ideal, the signs suggest that increased regulatory attention is inevitable.
Ryan Christiansen, executive director of the University of Utah Stena Center for Financial Technology, offers advice to fintechs to prepare themselves for increased levels of scrutiny: “Fintechs are beginning to feel some of the tension developing as they are asked by their sponsor banks or BaaS providers to increase the level of reporting, accept additional liability, and increase compliance and controls within their businesses.
“However, banks have traditionally been the entity that customers and regulators seek to reimburse harmed customers. The reality is that the entity that caused harm should be liable for the losses. To effectively identify liability the attributes of transparency, traceability, and security must exist between banks and fintechs. To operate these attributes at scale, fintechs and banks should develop standards around each of these principles. In the absence of standards, partnerships between banks and fintechs require systems and agreements to facilitate these attributes.
“New and existing regulations are emerging in ways that will require fintechs to have more bank-like controls in place. Successful fintechs should increase their level of financial regulatory understanding; invest in compliance tools and personnel; be prepared to accept additional financial liability; insure against financial risks; and build partnerships with banks that are fully compliant with the emerging regulations.”
Who should harbour risk responsibility?
Aaron Kouhoupt, member chief privacy officer for McGlinchey Stafford, a US-based business law firm, adds: “Neither the bank nor the non-bank should harbour all risk responsibility and that is not the way partnerships are currently structured or ever have been.
“Each entity has its own role, and risk, to play in the space and those are regulated activities. The bank has risk obligations that are established by prudential federal regulatory agencies while non-banks are often subject to state obligations and restrictions. Understanding each party’s obligation respective to their regulated activities is the key to a successful partnership.
“Fintech companies should understand their obligations both to their bank partner and to any federal or state regulatory obligations that may be imposed based on their particular activities. Restricting your activities, based on your level of authority, is critical for each party.
“Tighter scrutiny and increased examination are likely and the fintech should focus on strong compliance management practices.”
‘More is coming’
Jess Cheng, payments and fintech partner of Wilson Sonsini Goodrich & Rosati, a legal advisor to technology and other growth enterprises, discusses what enhanced regulatory attention could mean for fintechs looking to collaborate with banks: “The publication of the Guidance on Third-Party Relationships: Risk Management by the Federal Reserve, the FDIC, and the OCC is just the beginning. More is coming. To many banks partnering with fintechs, these supervisory expectations are new.
“Reading between the lines, there is recognition among officials at the banking agencies that something more beyond the guidance is needed to give smaller banks the necessary clarity and tools to implement risk management practices to meet these new supervisory expectations.
“Across the industry, fintechs are also starting to appreciate the risks of this situation – reliance on one bank partner, who may have risk exposure to a range of other fintechs and be susceptible to a bad supervisory exam, could be an existential risk to their own business. Until the banking agencies provide clearer supervisory expectations, these fintechs will have to cast their own discerning eye on their partners or potential partners.
“For these fintechs, among key things to look for in a bank partner is whether it has an effective compliance oversight programme for its fintech partners, including a dedicated internal compliance team to monitor ongoing activities and performance of fintech partners.”
How strongly and how soon new regulatory rules could come into play for fintech-bank partnerships is yet to be seen, but it is clear that fintechs may need to prepare themselves for change.
