Recent actions underscore key concerns from regulators over the Banking-as-a-Service (BaaS) model and signal that additional guidance may be forthcoming.

The federal banking agencies recently issued a joint statement discussing their view on the risks faced by banks when partnering with nonbank fintechs to provide deposit products and services through the fintechs.[1] The agencies also issued a request for information (RFI) on Banking-as-a-Service arrangements.[2] Together, these actions underscore the agencies’ increased scrutiny of the BaaS model, which is currently under pressure from multiple fronts.[3]

At the same time, the joint statement and RFI evince a willingness among the agencies to support BaaS arrangements, as long as they are appropriately structured and executed in a safe and sound manner. The agencies also signaled that they could take a granular approach, based on specific use cases, to evaluate bank-fintech relationships going forward and that additional guidance may be forthcoming. For example, a press release accompanying the materials stated that the agencies are considering whether “additional steps could help ensure banks effectively manage risks associated with these various types of arrangements.”

Below are key points from these actions. 

Key points from the joint statement

The joint statement highlights the agencies’ views about the elevated risks of certain bank-third party arrangements, including operational and compliance risks, risks associated with rapid growth and risks of end user confusion and misrepresentation of deposit insurance coverage. For example, the joint statement emphasizes the agencies’ concerns with:

  • Rapid balance sheet growth (including significant intraday balance sheet levels) for bank partners.
  • Funding concentrations and deposit or revenue concentrations leading to increasing liquidity and funding risks.
  • Issues with anti-money laundering / countering the financing of terrorism and sanctions compliance, particularly when banks rely on third parties to perform compliance functions.
  • Misrepresentation of deposit insurance coverage, including misrepresentation of when pass-through deposit insurance coverage applies.
  • Operational and compliance risks, including with respect to any significant operations performed by a third party, access to records maintained by a third party and oversight of a third party.

The agencies also provide examples of effective risk management and governance practices for the identified risks, including risk assessments that pinpoint the risks specific to each bank-fintech arrangement; effective due diligence and ongoing monitoring; appropriate risk limits, strategies, and contingency funding plans; and risk-based policies, procedures, oversight and controls. The joint statement again highlights the agencies’ focus on representations regarding deposit insurance and discusses the importance of compliance with brokered deposit regulations.

A key question raised by the concerns cited in the joint statement and the risk management and governance discussion is whether bank partners are realistically positioned to address all of the issues highlighted by the agencies. Relatedly, as the focus on the BaaS space intensifies, it may be that increased costs and obligations are passed on to fintech partners, which over time could narrow the gap between the benefits of using a BaaS arrangement versus, for example, seeking a bank charter. At a minimum, the agencies will likely continue to scrutinize the contractual agreements underlying BaaS arrangements, particularly the allocation of roles and responsibilities between banks and fintechs. Thus, such contractual agreements should be regularly revisited as the agencies’ expectations and guidance continue to develop. 

Key points from the RFI

The RFI reinforces that, although the agencies will continue to scrutinize bank-fintech partnerships, the agencies also recognize and acknowledge that such arrangements, if appropriately structured and executed, could benefit consumers. Indeed, the RFI confirms that the agencies “support responsible innovation and support banks in pursuing bank-fintech arrangements in a manner consistent with safe and sound practices and applicable laws and regulations.” The RFI defines bank-fintech partnerships as including the following use cases:

  • Deposit-taking activities. In these arrangements, fintechs partner with FDIC-insured banks to provide end users with deposit accounts, debit cards, savings accounts and other account-related services through the fintechs’ online or mobile platforms. Fintechs typically play the primary role in maintaining the deposit and transaction system of record, and the banks’ core deposit ledgers may only include omnibus accounts, often titled to reflect that they are held for the benefit of end users.
  • Payment activities, including card issuance. Banks and fintechs may enter fund-transfer, card sponsorship and other payment arrangements to provide end users with a broad range of products and services, including debit and credit card offerings, Automated Clearing House transactions, wire transfers, contactless payments, prepaid services, instant payments and digital wallets. A bank that sponsors a fintech’s access to a payment system or card network will often establish an omnibus account to settle end users’ payment transactions, and the fintech will typically provide recordkeeping and ledger-management services to facilitate transaction settlement.
  • Consumer and small business lending. Bank-fintech partnerships may also enable fintechs to market and distribute a variety of loan products, including those targeted to consumers, students and small businesses. A bank typically agrees to facilitate and fund loans, while the fintech solicits end users and collects application data. Banks may retain the loans on their balance sheets or sell all or a portion of the loans to the fintech, which may then securitize and resell the loans into public or private asset-backed securities markets.
  • Intermediate platform providers. The agencies also highlight in the RFI that the growth in these bank-fintech arrangements has led to the rise of intermediate platforms, sometimes called “aggregation layers” or “middleware” firms, that facilitate these relationships. These intermediate platforms enable banks to connect to multiple fintechs and often facilitate bank and fintech relationships by connecting partners seeking such relationships. Intermediate platforms may provide a broad range of services, including technological, operational, informational, compliance, risk management, transfers and funds flow services. The arrangement may also involve a bank permitting an intermediate platform to transfer data via application programming interfaces to facilitate an exchange of end user and transactional data between banks and fintechs.

The agencies solicit information on the descriptions of common bank-fintech arrangements and the summaries of associated risks in the RFI, as well as on effective risk management practices and potential enhancements to existing supervisory guidance. Comments will be due 60 days after date of publication in the Federal Register.
 

[1] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation & Office of the Comptroller of the Currency, Joint Statement on Bank’s Arrangements with Third Parties to Deliver Bank Deposit Products and Services (July 25, 2024).

[2] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation & Office of the Comptroller of the Currency, Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses (July 25, 2024).

[3] On July 30, 2024, the Federal Deposit Insurance Corporation (FDIC) voted 3-2 to advance a notice of proposed rulemaking to its brokered deposit rule, which would significantly expand the deposits required to be classified as brokered. In the preamble, the FDIC stated that changes are necessary in light of certain bank and nonbank failures since the 2020 final rule. At the international level, the Basel Committee recently published a consultation on Principles for the sound management of third-party risk, aimed at enhancing banks’ ability to withstand operational disruptions and mitigate impacts of severe disruptive events.

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.
Copy link to share post