NCRC Comment on Third Party Guidance for Bank-Fintech Arrangements

(Download)

October 15, 2024

RE: Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses

To Whom it May Concern:

The National Community Reinvestment Coalition (NCRC) appreciates the recent interagency guidance on third party relationships and the follow-up request for information (RFI) on bank partnerships with fintechs (non-bank financial technology firms). A lack of rigorous oversight and guidance for these partnerships will likely result in abusive practices victimizing consumers and an increased risk to the banking system. On the other hand, proper oversight can facilitate benefits of these partnerships including improved access to financial products and enhancements to banks' ability to serve the convenience and needs of communities.

NCRC is a network of more than 700 community-based organizations dedicated to creating a nation that not only promises but delivers opportunities for all Americans to build wealth and attain a high quality of life. We work with community leaders and policymakers to advance solutions and build the will to solve America's persistent racial and socio-economic wealth, income, and opportunity divides, and to make a Just Economy a national priority and a local reality.

For over five years, NCRC has operated an Innovation Council for Financial Inclusion, that seeks to harness the benefits of technology utilized by banks and non-banks. This council discusses pressing policy matters, occasionally issues statements regarding policy, and considers programmatic relationships for delivering high quality products to consumers. The innovation council promotes bank-fintech-nonprofit interactions that improve the public's welfare.

NCRC recommends the following:

• The interagency guidance appropriately warns banks that they are ultimately responsible for compliance with anti-discrimination and consumer protection law in partnerships that they establish with fintechs. These warnings must be retained.
• The interagency guidance must add that banks' CRA ratings could be downgraded due to legal violations committed by fintechs.
• Bank partnerships with fintechs pose challenges to the conventional definition of assessment areas, or geographical areas scrutinized on CRA exams. Non-banks are likely to be engaging in deposit collection and other activity beyond a bank's geographical footprint. The agencies should acknowledge this policy issue and recommend to Congress that non-bank activity on behalf of banks outside of assessment areas should be assessed on CRA exams.

Interagency Guidance an Incomplete Start towards Clarifying Responsibilities

The interagency guidance issued July 25 provides sensible and important guardrails for banks considering third party relationships.[1] It cautions banks to create reliable and strenuous methods for initial due diligence and ongoing monitoring of its third-party partner. It advises banks to maintain control and access over data acquired and used by the third party to ensure that no violations of consumer protection and anti-discrimination laws occur in marketing, underwriting, and customer service.[2] Clear assignment of responsibilities for various functions performed by the bank and third party are critical to minimize risk. Banks must ensure that they do not increase liquidity risk by limiting their access to deposits or engaging in financial management with a third party that leaves them vulnerable to runs on their deposits.[3]

The interagency guidance warns that banks are ultimately responsible for compliance with a host of consumer protection and anti-discrimination laws including the Truth-in-Savings Act, the Anti-Money Laundering Act, and the prohibition against unfair or deceptive acts or practices (UDAP) under Section 5 of the Federal Trade Commission Act (FTC Act).

CRA Compliance not Addressed in Guidance

However, the guidance does not emphasize that illegal and abusive practices can result in downgrades in Community Reinvestment Act (CRA) ratings. In 2022, NCRC together with 39 other consumer and community advocacy organizations, urged the FDIC to fail Transportation Alliance Bank (TAB) because its partnership with EasyPay Finance promoted predatory lending. This partnership resulted in the issuance of loans with nearly 200 annual percentage rates (APR) in states in which it was illegal for non-banks to make these high-cost loans. Hundreds of consumers complained about these loans, describing deceptive marketing and debt collection practices. The CRA exam cited violations of the UDAP standard under the FTC Act leading to a downgrade that resulted in the bank failing its CRA exam.[4]

The geographical footprint of a bank can be significantly expanded by the partnerships it establishes with third party non-banks. For example, the non-bank can collect deposits in areas beyond a bank's branches. A bank's assessment areas should be likewise expanded to encompass where the non-bank partner engages in deposit collection, retail lending, and other activities. As the guidance states, "A bank's use of third parties to perform certain activities does not diminish its responsibility to comply with all applicable laws and regulations."[5] Likewise, a bank's responsibility to adhere to its CRA obligation to serve community needs should extend to all geographical areas served by the bank's partner. The agencies must consider this pressing policy issue and at least recommend to Congress that activities conducted by non-bank partners be included on CRA exams, including activities outside of a bank's assessment area.

A core example of regulatory challenges between banks and third parties is highlighted by entities that operate within a Banking as a Service (BaaS) model. Synapse, a major BaaS company, provided a suite of middleware services between banks and other non-banks and was responsible for recordkeeping of consumer deposits between both banks and a significant network of non-banks. As highlighted in a letter from members of the Senate Banking Committee to Synapse's partner bank, Evolve Bank & Trust, up to $96 million in consumer deposits have been unaccounted for as of May, 2024.[6] There were a multitude of problems in the Evolve Synapse model, most specifically, the weak compliance practices of all parties involved meant that there were large ongoing discrepancies in account balances that went unresolved for an extended period of time. The letter further highlights that the responsibility of oversight of third parties falls upon the bank itself. Some community banks in this space may not have the resources, compliance capability, or technical expertise to effectively monitor their non-bank partners. To that end, we encourage the regulators to continue to focus their efforts on supervision of banks that are partnered with non-banks to ensure that all regulatory expectations are being met, and to expeditiously finalize the FDIC proposal on proper recordkeeping to ensure that there is daily reconciliation of custodial accounts used in bank-fintech partnerships.

In February of this year, the FDIC issued a pair of consent orders to Piermont[7] and Sutton[8] banks raising concerns about safety and soundness practices as well as effective risk monitoring of each respective bank's non-bank partners. This may suggest that there are wider concerns regarding the current viability of the BaaS model itself beyond the context of Synapse's collapse.

Additionally, we applaud the recent FDIC regulation that establishes specific expectations for disclosure of FDIC deposit insurance coverage by third-party entities to consumers[9]. The FDIC's recent rule requires that non-insured institutions specifically disclose that: (i) they are not FDIC insured institutions and (ii) deposit insurance only covers the failure of an FDIC insured institution. We encourage more efforts by the FDIC, as well as banks, to make it clearer to end consumers that deposits made with non-banks will not be covered under FDIC insurance unless the partnering bank itself fails.[10] Other solutions regulators should consider to mitigate third party risks include, restricting non-bank partner's products or services for failing to maintain effective compliance practices, assessing fines to banks for failing to maintain oversight of partners, and requiring all parties to submit reports detailing efforts made to address operational risks.

Conclusion

Lending that is abusive and predatory fails to meet the convenience and needs of communities. Likewise, abuses in deposit services and other functions that partner fintechs perform for banks must result in failed CRA ratings. The agencies must clearly warn banks about this risk. Furthermore, the agencies must support CRA modernization necessitated by the partnerships banks establish with non-banks.

If you have any questions, please contact me on [email protected] or Josh Silver, Senior Fellow, at [email protected], or Bakari Levy, Government Affairs Associate, at [email protected].

Sincerely,

Jesse Van Tol
President and CEO

[1] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Banks' Arrangements with Third Parties to Deliver Bank Deposit

Products and Services, July 25, 2024, https://occ.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf

[2] Joint Statement on Banks' Arrangements, pp. 2-4.

[3] Joint Statement on Banks' Arrangements, p. 3

[4] NCRC Press Release, TAB Bank, Facilitator Of Predatory Puppy Loans, Gets Rating Downgraded By FDIC, February 7, 2023, https://ncrc.org/tab-bank-facilitator-of-predatory-puppy-loans-gets-rating-downgraded-by-fdic/

[5] Joint Statement on Banks' Arrangements, p. 1.

[6] Letter from Members of the Senate Banking Committee to Evolve Bank & Trust, June 28, 2024,

https://www.banking.senate.gov/imo/media/doc/synapse_letter.pdf

[7] FDIC Order in the Matter of Piermont Bank, Consent Order, FDIC-23-0038b, https://orders.fdic.gov/sfc/servlet.shepherd/document/download/0693d00000CMxbNAAT?operationContext=S1

[8] FDIC Order in the Matter of Sutton Bank, FDIC-23-0110b, https://orders.fdic.gov/sfc/servlet.shepherd/document/download/0693d00000CTBl4AAH?operationContext=S1

[9] FDIC, Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC's Name or Logo, January 18, 2024, https://www.federalregister.gov/documents/2024/01/18/2023-28629/fdic-official-signs-and-advertising-requirements-false-advertising-misrepresentation-of-insured

[10] FDIC, Banking With Third-Party Apps, https://www.fdic.gov/consumer-resource-center/2024-06/banking-third-party-apps

Public link

Please use the above public link if you want to share this noodl on another website.