During a panel at the Financial Crimes and Regulatory Compliance Summit, held June 10-11 in New York, experts delved into the complexities of bank-financial technology (fintech) partnerships, providing best practices for banks to protect themselves.
The relationship between banks and fintechs has always posed compliance challenges, especially for community and regional banks anxious about being outpaced by technological advancements. Fintechs offer accessible, bank-like services that would take smaller banks months or years to develop, while providing these banks with access to new customers beyond traditional banking models.
However, banks bear the brunt of the responsibility if issues arise. What happens if a fintech suffers a breach and loses the bank’s customer data? What if the fintech processes transactions for terrorist groups or criminals? What if the fintech suddenly shuts down?
Sheetal Parikh, general counsel and chief compliance officer at banking-as-a-service vendor Treasury Prime, emphasized the importance of banks having a contingency plan for such disruptions. She cited Synapse, a startup that acted as an intermediary between Arkansas-based Evolve Bank & Trust and customer-facing fintech providers, as an example of “the worst of what we see in this space.”
In April, Synapse filed for bankruptcy, cutting off access to thousands of customer accounts, including $109 million in deposits from fintech Yotta, CNBC reported. Subsequent reports estimated $85 million in customer deposits had gone missing. Parikh pointed out that Evolve Bank's fundamental problem was not receiving customer transaction data from Synapse promptly. When issues arose, it was unclear whether Evolve, Synapse, or the fintechs were responsible. “Roles and responsibilities need to be crystal clear,” Parikh stressed.
Zila Acosta-Grimes, managing associate at law firm Linklaters, participating via videolink, highlighted a significant red flag: Synapse customers were unaware of where their deposits were kept. “The gap between what customers understood and what the product was offering seemed pretty big,” she noted. “Customers need to understand where their money is, who their money is with, and about the cash flow. They need to know who they are entering into business with.”
On June 14, the Federal Reserve Board required Evolve Bank to address numerous deficiencies in its anti-money laundering (AML), sanctions, risk management, and consumer compliance programs. Meanwhile, Synapse’s bankruptcy case continues through the courts.
Regulatory bodies are increasing their scrutiny of fintechs. In June 2023, three U.S. banking regulators—the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and Treasury Department’s Office of the Comptroller of the Currency (OCC)—issued consolidated guidance on managing third-party relationships, specifically noting that the growing relationships with fintechs prompted many of the changes to previous third-party risk management guidance. Other regulators are also considering requiring fintechs that provide banking services like loans, deposits, and payments to meet the same standards as banks, although this is not imminent.
In April 2022, the Consumer Financial Protection Bureau (CFPB) announced it would begin examining fintechs posing risks to customers. In March 2023, the OCC established an Office of Financial Technology to “bolster the agency’s expertise and ability to adapt to the rapid pace of technological changes in the banking industry,” without indicating plans to regulate fintechs.
Another issue for banks is dealing with fintechs that change their terms of service without notifying their bank partners, causing various problems, as highlighted in recent enforcement actions. In April, the Commodity Futures Trading Commission (CFTC) fined Australia and New Zealand Banking Group $500,000 after a vendor it hired to monitor spoofing changed the timing of data sent, causing surveillance gaps of six and four months, respectively, affecting thousands of trades. Ursula Clay, chief compliance officer at Nearwater Capital, recommended including contract language that prevents vendors from altering the timing of data transmission.
Clay underscored the importance of independent, risk-based testing plans, stating, “Stuff will still go wrong, but you’ll catch it quicker and at least it shows an effort to stay on top of your vendors.” Regulators expect firms to have plans for regularly testing the effectiveness of their controls.
Acosta-Grimes also pointed out a compliance gap where a bank outsourcing its sanctions screening was unaware the vendor used a different sanctions list, which had fewer entities than the bank’s list. She advised banks to “drill down on what the real gaps are, drill down on the agreements, and drill down on their vendors. Make sure that everything is clarified in your agreements, make sure the vendor has your policies and procedures, and make sure they have implemented them.”
By fLEXI tEAM