Reflections on Bank-Fintech Relationships

Bank-fintech relationships can expand access to financial services, help smaller banks compete, and create meaningful innovation. They can also create serious regulatory, operational, and consumer-protection risk when the parties build them on incomplete diligence, weak contracts, or assumptions that past success will continue indefinitely.

I began supporting bank-fintech relationships as a focus of my law practice in 2016. A decade of involvement in something as complex and ever-changing as banking-as-a-service (BaaS) and lending-as-a-service (LaaS) has reinforced one lesson above all others: these relationships work best when banks and fintechs treat structure, oversight, and exit planning as core business priorities from the beginning, not as regulatory afterthoughts.

Bank-fintech relationships promote innovation and play a critical role in allowing smaller banks to remain competitive against the handful of enormous banks that dominate the U.S. banking industry. These relationships can help banks offer more attractive checking accounts, savings deposits, payment services, loan products, and other important offerings, including better customer service, than they could feasibly offer without fintech assistance. On the other hand, if the parties structure or manage them poorly, bank-fintech relationships may cause significant harm to the parties themselves and potentially to millions of consumers.

Key Takeaways

  • Bank-fintech relationships can create real value. They support innovation, competitiveness, better products, and improved access to financial services.
  • Improper structure can create serious risk. Poorly managed relationships can harm banks, fintechs, and consumers.
  • Due diligence, contracts, and exit planning matter. These safeguards are essential before and throughout the relationship.
  • Past success is not enough. Existing practices should be reassessed regularly, even when a relationship appears to be working.

The issues that can arise from improper bank-fintech relationships are well catalogued in the various consent orders issued against banks during the Biden Administration. One useful example is the wide-ranging consent order the FDIC issued against Thread Bank in May 2024. The order required the bank to revise its Strategic Plan and Profit Plan and submit both plans to the applicable FDIC Regional Director for review and potential comment.

The order also addressed BaaS and LaaS activities directly. Rather than treating fintech partnerships as isolated vendor relationships, the FDIC focused on whether the bank had a comprehensive system for identifying, measuring, monitoring, and controlling the risks created by those relationships.

What the Thread Bank Order Emphasized

  • Risk assessment and due diligence. The order required documented risk assessments of fintech partners, updated methodology, supporting documentation, and customer due diligence processes.
  • AML/CFT monitoring and reporting. The order focused on transaction monitoring, suspicious activity reporting, CIP information, beneficial ownership documentation, staff training, and timely legally required searches.
  • Third-party oversight and exit planning. The order required processes to ensure third-party partners met the bank’s AML/CFT requirements, along with an exit plan addressing service interruptions, response steps, staffing, customer notifications, outside assistance, and regulatory notice.

The order additionally required management to review and amend, as applicable, the bank’s policies and procedures relating to “third party partner and customer approval requirements, due diligence processes, growth and stress modeling, ongoing AML/CFT compliance monitoring, and steps to unwind third-party business lines, including fintech partners,” with submission in each instance to the FDIC Regional Director for review and possible comment.

Although federal banking regulators are not currently issuing such orders at the high frequency common during the Biden Administration, banks and fintechs should not assume those orders no longer present a threat. The safety and soundness requirements that underpin such orders remain unchanged. Moreover, unlike consumer bank supervision, safety and soundness supervision has historically remained consistent over time.

Due Diligence, Contracts, and the Willingness to Walk Away

In my experience, the best way to avoid the risks of a bank-fintech relationship is through thorough due diligence, strong contracts, and a willingness to walk away from a proposed relationship, or end an existing one, when necessary. Although these safeguards may seem straightforward, putting them into practice is often difficult. That point brings to mind a news story I read years ago about three friends whose annual hunting trip ended in tragedy.

Each year, three friends flew by charter plane from the United States to a remote cabin in northern Canada, returning home a week later. The trips went smoothly for 17 years. In the 18th year, however, the cabin caught fire and one friend suffered burns. The other two set out on foot to find help, unaware that the nearest assistance was more than 150 miles away through impassable wilderness. They disappeared and were eventually presumed to have died from exposure. The injured friend survived because the charter plane returned and found him.

“No amount of past performance without glitches standing alone should be considered proof that existing practices are either appropriate or sufficient.” Mark Dabertin, Partner, Cogent Law

After years of making trips without mishap, I am sure none of the friends gave the slightest thought to asking their pilot about where they were going. Their lack of awareness of the cabin’s remoteness seems egregious in retrospect, but complacency after years of apparent success is commonplace. The message I hope readers take away from this story is that no amount of past performance without glitches, standing alone, should be considered proof that existing practices are appropriate or sufficient. “If it ain’t broke, don’t fix it” is a tempting strategy, particularly for a small firm with limited resources. However, the failure to reconsider existing practices from time to time quells innovation and may mask serious problems that could erupt at any time.

Complexity Creates Knowledge Gaps

In the case of bank-fintech relationships, complexity heightens the likelihood of knowledge gaps. For example, on its face, a prepaid card may appear to be a straightforward, low-risk product. Yet anyone who has worked through Regulation Z’s complicated rules governing hybrid prepaid cards, or tangled with the confounding intricacies of Regulation E, would surely disagree. Aside from risks arising from the nature of the given product itself, risks can vary markedly based on the applicable marketing, including whether the parties use telemarketing, online videos, email, or text messaging. Moreover, once the given product is active, any subsequent material changes, including changes to marketing strategies, can create serious knowledge gaps unless both parties understand and anticipate them.

As complete an understanding as possible of business and regulatory risks is an essential first step toward arriving at an effective contract. Until that occurs, the parties cannot make well-informed staffing decisions, because those decisions require both strong knowledge of contractual requirements and assurances that those requirements will not change without the written consent of both parties.

Each step in the process of arriving at an effective bank-fintech relationship depends on the step before it. If either party neglects a critical step or gives it only cursory attention, the entire relationship will suffer the consequences. Unfortunately, the resulting adverse effects may not emerge until strong interdependencies have developed, leaving the affected party with a no-win choice between remaining in or leaving the troubled relationship. In addition, attempting to improve an existing relationship mid-stream, after the parties have already struck the deal, presents an extremely daunting challenge. Thus, banks and fintechs should build these relationships correctly from the start.

Red Flags for Banks and Fintechs

For fintechs, a prospective bank partner’s inability to articulate reasonable contractual expectations, a cohesive overall strategy for its fintech relationships, organized due diligence, or a clear explanation for what appears to be an excessively high volume of existing fintech relationships should raise serious red flags. The existence of one or more recent consent orders or other enforcement actions should raise similar concerns. For banks, a prospective fintech’s lack of prior experience offering the subject product or service should be treated as both a red flag and a high-risk factor if the relationship goes forward.

Moreover, in all cases, including for start-up firms, a prospective fintech partner should possess a solid understanding of the applicable laws and regulations, coupled with a proven monitoring and testing program, or at a minimum a concrete, actionable written plan for conducting one. The fintech should also be able to provide examples of timely reporting on key risk indicators (KRIs) and key performance indicators (KPIs). Unless the subject bank maintains just one or a mere handful of fintech relationships, attempting to compensate for a fintech partner’s lack of knowledge or insufficient risk management controls will likely prove a fool’s errand for a host of reasons, including the need for constant oversight of the fintech’s business activities. In addition, banks should treat recent consent orders or other enforcement actions against the fintech as serious red flags.

Closing Thoughts

The current lull in federal banking agency enforcement actions targeting bank-fintech relationships is best seen as a temporary pause, not as something on which long-term plans should be based. It offers an opportunity for banks and fintechs to self-assess their respective third-party relationships and the various controls that support those relationships. Waiting for examiners or state or federal investigators to initiate those tasks is invariably a huge mistake. In the case of a bank, management could inadvertently give bank examiners a seat at the table for decisions involving strategic planning and profit planning. In addition, resulting monetary penalties could immediately wipe out perceived financial savings from forgoing or delaying this extremely important work.

If management chooses to assess its bank-fintech program, I strongly suggest involving external resources in the effort. Internal resources need to participate, but it is unrealistic to expect someone who manages a given process, or may have even created it, to be fully objective. In addition, because most in-house counsel occupy dual business and legal roles, attorney-client privilege is more likely to be recognized if external counsel participates. Lastly, involving external resources should help negate the potential adverse effects of internal politics, which, if left unmitigated, could defeat the entire exercise.

As noted at the beginning of this article, bank-fintech relationships provide a myriad of benefits. They spur innovation and help keep smaller banks relevant in the marketplace and competitive against the banking behemoths. They also serve the public good by bringing sorely needed banking services to underserved populations. Furthermore, for any fintech hoping to eventually become a bank, the ability to demonstrate past success in maintaining one or more bank-fintech relationships should prove enormously valuable when applying for a bank charter.

After ten years of involvement, I remain excited about supporting this important activity. But excitement should not replace discipline. Banks and fintechs that want these relationships to endure should reassess their programs before problems surface, strengthen the controls that support them, and make sure their contracts, oversight, staffing, and exit plans match the risks they have actually undertaken.
