Banking Regulators Issue Statement and Request for Information on Providing Deposit Products and Services Through Third Parties
On July 25, 2024, the Board of Governors of the Federal Reserve System (the Federal Reserve), the Federal Deposit Insurance Corporation (the FDIC), and the Office of the Comptroller of the Currency (OCC) (together, the Federal Regulators) issued a joint statement on banks’ arrangements with third parties to deliver bank deposit products and services (the Joint Statement). The Joint Statement is essentially a supervisory guidance document for banks and was released concurrently with a request for information (RFI) on bank-fintech arrangements involving banking products and services distributed to consumers and businesses, including payment and lending products in addition to deposit products. While it is not stated specifically, presumably the RFI may result in the articulation of further supervisory or regulatory standards for this evolving area.
Why Now?
The Joint Statement and RFI come in the wake of recent high-profile issues with bank-fintech arrangements. The failure of Synapse Financial Technologies, Inc. (Synapse), a third-party that served as an intermediary between consumer-facing fintechs and banks which maintained deposit accounts, has become a high-profile example of the dangers that can come when customers deposit their funds through non-banks without proper controls. The abrupt shutdown and bankruptcy of Synapse left tens of thousands of U.S. businesses and consumers without access to their bank accounts, when many thought their deposits were FDIC-insured, and the Synapse trustee has reported that there may exist a shortfall of $65 million to $961 million when all is said and done. In addition, many banks that have engaged in so-called “banking-as-a-service” (BaaS) arrangements have found themselves in the cross-hairs of third-party risk management enforcement actions from the federal banking agencies over the past several years.2 The Joint Statement attempts to highlight these challenges, and the associated expectations of the Federal Regulators, by identifying a number of potential risk areas as well as several risk management and governance considerations that banks ought to take into consideration when partnering with third parties to provide deposit products and services.
As noted in the Joint Statement, in recent years an increasing number of banks have entered into arrangements with third parties to deliver deposit products and services, such as checking and savings accounts, to consumers. These relationships, often called BaaS or “embedded finance,” have allowed banks, as well as the third parties they partner with, to increase their revenue or deposit base or to expand their geographic reach by utilizing new technologies and offering innovative products and services. As identified by the Federal Regulators, in these arrangements, a third party, rather than the bank, typically markets, distributes, or facilitates the provision of the deposit product or service directly to the consumer. The Joint Statement noted that banks may rely on one or multiple third parties to maintain the deposit and transaction system of record, process payments, perform regulatory compliance functions, provide end-user facing technology applications, service accounts, perform customer service, and perform complaint and dispute resolution functions. Although banks may rely on third parties to perform these essential consumer-facing services, the Joint Statement stated explicitly that a bank’s use of third parties does not diminish any responsibility to comply with applicable laws and regulations.
It is notable, in this respect, that Congress mandated the permissibility of open banking arrangements in Section 1033 of the Dodd-Frank Act (Section 1033) with the aims of benefiting consumers and enhancing competition, and the Consumer Financial Protection Bureau (CFPB) is in the process of adopting regulations to implement that congressional mandate.3 This Joint Statement and the related RFI are inextricably intertwined conceptually with the implementation of Section 1033, yet curiously make no mention of it. While it is probably not within the authority of the Federal Regulators to prohibit these arrangements, in light of the congressional directive to require banks to make them available, they can impose reasonable risk management and compliance requirements.
Although the Federal Regulators acknowledged in the Joint Statement that these third-party relationships and structures have been utilized in the banking industry for many years, these arrangements have increased in number and have evolved into more complex arrangements, resulting in many banks becoming deeply intertwined and increasingly reliant on third parties that offer deposit products and services to consumers.
Potential Risks Highlighted by the Joint Statement
The Joint Statement identified several risk areas that regulators believe may be heightened when providing deposit products through third parties.
End User Confusion and Misrepresentation of Deposit Insurance Coverage
The Joint Statement noted that banks may be put at risk when the third parties with which they partner use misleading language with end-users — especially when misleading language is used in discussions of deposit insurance coverage for customer deposits.
It is likely no coincidence that the FDIC’s increased concern about end-user confusion regarding deposit insurance coverage emerged in the fallout of the bankruptcy of Synapse. After Synapse collapsed, many consumers expressed surprise when they found they were unable to access funds that they had stored on third-party apps that had advertised themselves as FDIC insured. Some of these third-party apps had relied on Synapse to connect them to insured depository institutions, and consumers appear to have been informed that their money stored on these apps was covered by federal deposit insurance.
However, FDIC insurance extends only to the failure of a depository institution itself, not to the failure of a middleman like Synapse. As such, deposit insurance coverage was not available as a recourse following the failure of Synapse, and affected consumers were required to wait to access their funds. Further, retrieving funds in the wake of Synapse’s bankruptcy may have been further hampered by the alleged intermingling of consumer funds in various deposit accounts and conflicting records between Synapse and partnering banks.4 Essentially, the collapse of Synapse shows some of the strain that fintech deposit arrangements are putting on the FDIC’s regulations for advertising of deposit insurance (12 C.F.R. Part 328) and for documenting pass-through deposits (12 C.F.R. Part 330).
Operational and Compliance Risks
The Joint Statement also noted that operational and compliance risks can emerge when providing deposit products and services through third parties. Key among these risks is the loss of control over and management of deposit functions. This loss of control may produce security vulnerabilities within deposit functions if the relationship involves providing another access point into the bank’s systems, as cybersecurity and data-privacy incidents within the third party may affect the partnering bank. In addition, the Joint Statement highlighted the risk that third parties may not adequately perform regulatory compliance functions or risk management themselves, creating risk for the partnering bank, as it remains responsible for failure to comply with applicable requirements.
Growth Risks
The Joint Statement also highlighted growth risks that emerge when providing deposit products and services through third parties. Federal Regulators appeared concerned that differences between a bank and a third party — in incentives, capabilities, and appetite for growth — could create a mismatch wherein growth within the consumer-facing third party could jeopardize a bank’s ability to fulfill its regulatory obligations.
Risk Management and Governance Recommendations in the Joint Statement
The Joint Statement also provided several risk management and governance recommendations that banks should take into account when partnering with third parties to provide deposit products and services.
Governance and Third-Party Risk Management
The Joint Statement recommended that banks develop and maintain appropriate risk management policies and procedures related to third-party risk management, including risk assessments that identify and manage the specific risks of individual third-party relationships. The Federal Regulators referenced the recent 2023 interagency guidance on the risk management of third-party relationships, which provides further clarity on agency expectations regarding third-party risk.5 In addition, these considerations reflect a growing recognition of the importance of third-party risk management by the international banking community, as evidenced by the Basel committee’s recent publication of its own principles for the sound management of third-party risk in July 2024.6
Managing Operational and Compliance Implications
The Joint Statement also recommended that banks properly manage the operational and compliance implications of their third-party relationships, including establishing adequate policies, procedures, and controls to ensure compliance with applicable laws and regulations, and developing contingency plans to address potential disruptions or business failures at the third party itself.
AML, CFT, and Sanctions Compliance
The Joint Statement also noted that banks should have adequate policies, procedures, oversight, and controls to help ensure that partner third parties comply with applicable sanctions requirements, as well as anti-money laundering and combating the financing of terrorism (AML/CFT) requirements, such as monitoring for and reporting suspicious activity, customer identification programs, and customer due diligence.
Managing Growth, Liquidity, and Capital Implications
The Joint Statement also recommended that banks establish appropriate concentration limits, diversification strategies, management strategies, and exit strategies with regard to third-party relationships where deposit products and services are provided to end-users. The Joint Statement also stated that banks should perform the appropriate analysis to determine whether any regulations governing brokered deposits apply to a third-party relationship.7
Addressing Misrepresentations of Deposit Insurance Coverage
The Joint Statement reiterated the danger of misrepresenting deposit insurance coverage and recommended that banks establish policies and procedures to ensure compliance with regulations prohibiting misrepresentation of deposit insurance and ensure that these policies include, as appropriate, provisions related to monitoring and evaluating activities of persons that facilitate access to the bank’s deposit related services to other parties.
Request for Information
In addition to the Joint Statement, the Federal Regulators also issued a related RFI on bank-fintech arrangements involving banking products and services distributed to consumers and businesses. Federal Regulators noted that they had identified “a range of potential risks” within bank-fintech arrangements and issued the RFI to solicit input on (1) the nature of these arrangements, (2) effective risk management practices regarding these arrangements, and (3) whether enhancements to regulatory oversight of these relationships may be necessary.
The RFI itself laid out in brief how the Federal Regulators are conceptualizing relationships between banks and fintechs. The RFI grouped bank-fintech arrangements into three general categories: arrangements in connection with payment activities (such as the issuance of credit cards), arrangements in connection with consumer and small business lending, and arrangements that utilize fintechs as intermediate platform providers (for example, arrangements involving the recently bankrupt Synapse). The RFI noted that these three categories may not be inclusive of all kinds of bank-fintech relationships that merit attention and sought further comment on whether additional categories of relationships should be considered.
The RFI also highlighted the particular risks that the Federal Regulators currently associate with bank-fintech arrangements. The RFI noted (1) risks for banks regarding accountability for certain violations of law and regulation by fintechs, (2) potential for end-user confusion (again touching upon risks highlighted by the failure of Synapse), (3) potential for the misuse and improper handling of data and customer data, (4) risk of excessively rapid growth that outpaces the development of appropriate safeguards and operational capacity, and (5) added complexity for concentration and liquidity risk management.
The RFI itself suggested an already developed, already critical view by the Federal Regulators of the risks posed by bank-fintech arrangements. However, the RFI also indicated that these critical views, while developed, are not yet set in stone. The RFI posed a range of questions addressing bank-fintech arrangements, including whether the Federal Regulators descriptions and categorizations of bank-fintech arrangements were adequate, what steps are being taken to manage risks posed by fintechs, and whether these partnerships reduce or increase instability in the financial system.
These questions indicate that the Federal Regulators’ views on these subjects are still open to input. Accordingly, the RFI welcomed comment on these questions and more from a range of stakeholders. Industry participants interested in responding to the RFI should provide comments to the OCC, the Federal Reserve, or the FDIC by September 30, 2024.
Takeaways
The Joint Statement, as well as the accompanying RFI, suggest that the Federal Regulators will continue to keep a close eye on the relationships between banks and the third parties through which they deliver deposit products and services to consumers. Banks should likewise pay close attention to the particular risks posed by the relationships highlighted in the Joint Statement, as well as the recommendations that the Federal Regulators proposed in response to these risks.
Although this Joint Statement is not binding on banks, it represents the latest views of the Federal Regulators on the topic of delivering deposit products and services through third parties. As such, it is likely that these risks and recommendations will emerge as themes in supervisory examinations in the coming years, making it essential that banks take them into account (and document that they have done so). Banks should pay close attention both to the non-binding statement, as well as the binding regulations that underpin it, such as FDIC’s regulations for advertising of deposit insurance (12 C.F.R. Part 328) and for documenting pass-through deposits for insurance purposes (12 C.F.R. Part 330), as they seek to manage these relationships carefully and avoid the many regulatory pitfalls that accompany them.
* * *
Financial institutions interested in how the Joint Statement may impact their businesses or in submitting a comment in response to the related RFI may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about the Joint Statement, the RFI, third-party risk management for financial institutions, or financial regulation more broadly.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
-
Chapter 11 Trustee’s Third Status Report at 6, In re Synapse Financial Technologies, Inc. (No. 1:24-bk-10646-MB) (Bankr. C.D. Cal. 2024).
-
See, e.g., OCC Consent Order with Blue Ridge Bank (Jan. 24, 2024); FDIC Consent Order with Choice Financial Group, Fargo, North Dakota (Dec. 18, 2023); Federal Reserve Consent Order with Metropolitan Commercial Bank (Oct. 16, 2023).
-
See 12 U.S.C. § 5533. The CFPB is in process of adopting regulations to implement Section 1033 of the Dodd-Frank Act. See Required Rulemaking on Personal Financial Data Rights; Industry Standard-Setting, 89 Fed. Reg. 49084 (Oct. 31, 2023).
-
See Chapter 11 Trustee’s Initial Status Report at 4-10, In re Synapse Financial Technologies, Inc. (No. 1:24-bk-10646-MB) (Bankr. C.D. Cal. 2024).
-
Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 6, 2023).
-
Basel Committee on Bank Supervision, Principles for the Sound Management of Third-Party Risk (2024).
-
On July 30, 2024, the FDIC proposed amendments to the regulatory framework used to determine whether deposits qualify as “brokered deposits” under Section 337.6 of the FDIC’s regulations. For further information, please see Arnold & Porter’s August 2024 Advisory addressing the FDIC’s proposed amendments.