The Intersection of Financial Institutions and Technology Leaders

Regulators Focus on Digital Banking’s BSA/AML Compliance Issues

By Kiah Lau Haslett


In 2018, when CEO Mike Butler and his team at the former Radius Bancorp were brainstorming a new business line that would become their version of banking as a service, they pulled up a whiteboard. 

On the whiteboard, the team outlined the client’s journey and highlighted points where they felt there could be risk, or where they suspected regulators would see risk, so they could address and manage it. With Butler at the helm, Radius went on to become a pioneer in BaaS, where a regulated bank uses its charter to partner with another company to attract customers indirectly with deposit, loan or payment offerings. LendingClub Corp. in 2020 bought Radius and Butler moved on to serve as CEO of the de novo Grasshopper Bancorp, which is based in New York and has $733 million in assets.

Grasshopper is a digital-only bank that also offers BaaS. That’s why Butler is watching the mounting pile of enforcement actions against other BaaS banks with interest.

Bank Secrecy Act/anti-money laundering compliance is nothing new for banks, but regulators are concerned about how technology is complicating banks’ ability to monitor their customers. Bank Director analyzed more than a dozen formal enforcement actions from federal prudential banking regulators between 2023 and 2024 that looked specifically at technology issues or issues identified at banks with complex financial technology partnerships, such as banking as a service or cryptocurrency, to learn more about regulators’ expectations for financial institutions. BSA/AML compliance at banks is a major focus of at least seven of those actions, which highlight deficiencies ranging from risk assessments to staffing and program effectiveness.

“It is important that banks continuously evaluate their BSA/AML risks and corresponding controls to keep pace with new or changing risk profiles” especially as institutions “expand their digital and electronic products, services, and capabilities,” the Office of the Comptroller of the Currency wrote in its Fall 2023 semiannual risk perspective.

Digital capabilities or financial technology vendors that bring deposits to the bank have made it harder for banks to get to know their customers and monitor their behavior. And while they’ve updated the customer-facing systems, institutions may not have made similar upgrades to the back-end compliance systems.

“Some banks still struggle to implement corrective actions” including implementing adequate internal controls to monitor for money laundering or countering terrorism financing, or filing suspicious activity reports in a timely manner, the Department of Treasury wrote in its 2024 National Money Laundering Risk Assessment report. “New technologies employed by financial institutions have advanced financial crimes compliance but also exposed banks to risks.”

When $586 million FinWise Bancorp started its fintech partner banking program in 2016, the Murray, Utah-based bank focused on compliance, staffing and technology, says CEO Kent Landvatter. That included making strategic hires to lead the business and building strong compliance, risk testing and monitoring teams. The new employees added technology and capabilities to help the bank collect, monitor and understand customer data. The bank also kept its regulators in the loop throughout the process and still does today, telegraphing developments, findings and significant stumbles. Neither Grasshopper nor FinWise has a formal enforcement action against it, despite their robust fintech partner programs.

“We started [our fintech program] with the mindset that these are all our products and that we were not going to rely on the fintech for anything that we feel could damage the bank,” Landvatter says.

Financial institutions should consider strengthening their risk management and compliance programs, policies and procedures and adding appropriate technology and staff before a partnership begins. Butler warns that successful third-party partnerships can cause customer accounts to grow rapidly, and an adequately staffed compliance group can quickly become under-resourced if accounts explode. And while technology can assist the BSA team, it can’t substitute for officers. 

“If you’re offering a swimming pool, you certainly aren’t going to hire the lifeguards after the people jump into the water,” says James Stevens, an Atlanta-based partner with Troutman Pepper. “You’ve got to put the lifeguards around the pool before the swimming starts.”

At FinWise, employees in the compliance, risk management and information technology, or IT, functions make up “approximately 40% of total staff,” Landvatter says. He sees IT as complementary to compliance. The tech needs to be sophisticated enough to automatically monitor transactions, prevent fraudulent ones and settle legitimate ones fairly and accurately, as well as grow and scale as needed. 

Banks should also be aware of how fintech and digital capabilities can change their risk profile. In enforcement actions, regulators ordered banks to articulate the anti-money laundering risks in their current activities and geographies and ensure they have effective and broad oversight into their partners’ activities. They’ve ordered banks with customer-facing third-party relationships to better document the risks their partners create for them, including identifying control weaknesses and gaps they may have in their processes and any deficiencies that the bank discovers during independent testing.

Landvatter and Butler believe that banks that maintain sophisticated compliance programs will be the ones that have the most success with their digital offerings, especially those involving third-party partnerships. While not as exciting or innovative as new products and capabilities, a culture of compliance and focus on BSA/AML regulations is fundamental for banks as they move to automate more processes and shift more tasks into digital spaces. 

“You’ve got to understand the required infrastructure to onboard these accounts safely. You’ve got to understand the risk and have a risk management program in place to do that yourself,” Butler says, adding: “The No. 1 issue for us has been to protect the charter. That’s what is most important to us, and we’re not going to let a client mess up our charter.”

BSA/AML Takeaways From Formal Enforcement Actions:

• An effective BSA/AML risk assessment ascertains the bank’s risk across products, services, customers, entities and geographies, including activities that are provided by or through a third party. It includes the bank’s policies, procedures, and processes to identify, measure, monitor, control and manage BSA/AML compliance. The assessment should also analyze and document risks that arise from its third-party relationships, any identified control weaknesses, gaps and any deficiencies discovered during independent testing. 

• A bank should create robust processes, internal controls and systems that assess its BSA/AML-related risks and compliance efforts, especially those that might stem from affiliate and third parties. This includes establishing thresholds for when accounts and customers require further monitoring, how suspicious activity is communicated to management, the financial institution’s response to situations such as multiple suspicious activity reports being filed on the same customer or a customer failing to provide due diligence information, as well as the procedure to close a customer’s account. 

• BSA departments need to be headed by qualified and experienced BSA officers who have sufficient executive authority, time and resources, including staffing, to ensure compliance. BSA compliance should be BSA officers’ only job. 

• Banks must have effective BSA/AML training programs for management, staff and the board that cover relevant aspects of the law and regulations, as well as bank policy and procedures. The training should be conducted annually and documented. 

• Boards should establish independent BSA audit and testing programs that review activities conducted by the financial institution and its partners for compliance with applicable laws and regulations. They should sufficiently test transactions to validate the effectiveness of suspicious activity monitoring.

Kiah Lau Haslett is the Banking & Fintech Editor for Bank Director. Kiah is responsible for editing web content and works with other members of the editorial team to produce articles featured online and published in the magazine. Her areas of focus include bank accounting policy, operations, strategy, and trends in mergers and acquisitions.