Technology partnerships can help banks grow. But regulators want to know: At what cost?
Third-party partnerships can introduce complex and interrelated risks that may be unfamiliar or overwhelming for banks, especially small banks. In July, prudential regulators issued their fourth publication in four years about the risks stemming from third-party partnerships with a new, additional summons attached: a request for information from banks on how they’ve structured these arrangements.
These partnerships can run the gamut: digital account opening, advanced data analytics, cash flow underwriting, sidecar cores supporting online-only banks and banking as a service, or BaaS. BaaS partnerships, where banks offer the backend banking compliance and service platforms for nonbanks and fintechs, can bring in deposits and loans or facilitate payments, often accelerating bank growth.
The agencies are trying to better understand BaaS and other arrangements, as well as their impacts on compliance, risk management and overall safety and soundness. Regulators’ questions for banks include their use of data to manage risks and compliance, end users’ status and relevant disclosures, the role core providers and intermediary platforms play in these arrangements, the costs of these partnerships and risk management strategies.
Regulators want to learn more because they see manifold growth risks arising from these partnerships: misaligned incentives, a lag in operational capabilities, funding concentrations, an inability to manage liquidity risks and inadequate capital. That’s because these partnerships can increase the scale and the pace of change at banks in areas like accounts, deposits or compliance tasks and alerts, says Jesse Silverman, counsel at Troutman Pepper who has previously worked as a financial regulator and a chief legal and compliance officer at fintechs.
“When you grow that big that quickly, you have growing pains,” Silverman says. “You may think you know how to mitigate that risk, but you are always discovering problems you hadn’t considered when your scale doubles or triples in the blink of an eye.”
These partnerships may create concentrations at institutions that become dependent on the deposits, loans or fee income the partner generates, says Kirsten Muetzel, founding principal of KLM Advisory LLC. Banks risk tipping the balance of power toward the partner, a precarious proposition if the bank needs the partner to slow or stop onboarding customers or change the partner’s processes and procedures due to risk to the bank.
“I want to incentivize my partner to grow, but not grow exponentially in a short period of time,” she says. “If I’m garnering deposits through a particular channel, I need to give that channel time to season and to see how those deposits perform before deploying [them] to generate assets.”
Banks tend to be well-versed in expectations around credit concentrations. Muetzel points out that they have underwriting policies, credit committees, teams to conduct loan reviews and reserves. Most of those principles could be applied to the liquidity risk management practices that banks need when they engage in BaaS.
Banks wanting to grow fintech partnerships need to think about similar ways to manage concentrations outside of credit. In the July publication and RFI, regulators advised that banks establish “appropriate concentration limits, diversification strategies, liquidity risk management strategies, and exit strategies, as well as maintaining capital adequacy. This may include contingency funding plans that describe how the bank will respond to customers’ unexpected deposit withdrawals and reasonable assumptions, such as non-maturity deposit customer behavior.”
Muetzel recommends BaaS banks adopt a modified version of the Federal Reserve’s liquidity expectations that are required for large banks. This could include identifying and monitoring concentrations from partner activities, drafting policies related to deposits gathered through partners and stress testing the funding sources.
Regulators are concerned that fintech partnerships can carry elevated operational and compliance risk, according to the July statement. These risks include outsourcing significant functions or tasks, fragmented operations, a lack of access to records, insufficient oversight of consumer compliance obligations, lack of experience with new models and weak audit coverage. Banks should respond to partnership-related growth with heightened and strengthened governance and controls, robust due diligence and specific risk assessments for activities.
Silverman says one reason why growth poses such a risk to banks with extensive technology partnerships is that many are on the smaller side, a dynamic that is especially evident in the Durbin-exempt BaaS institutions that are under $10 billion in assets. Their debit interchange rates aren’t capped, as they are for banks above $10 billion, which can be an attractive feature in deposit partnerships.
“The incentives around the Durbin amendment have created a trap for a lot of community banks,” he says. “The sophistication of the executive team and the technology and how they do their business is not up to par with the complexity and the way that BaaS will change the bank.”
Rogersville, Tennessee-based Thread Bancorp, which was the former Civis Bank recapitalized by a new management team in 2021, views its fintech partners almost as branches of the bank, said CEO Chris Black in an early June interview. The bank’s relaunch included a focus on banking as a service; Black used a branch framework to articulate the strengths and responsibilities of each party. About half of the bank’s employees as of June worked in risk or compliance.
“We’ve got an umbrella that shadows over everything, from risk and compliance, operation, liquidity and capital management. That’s the bank’s purview,” Black said. “Each of our partners acts like branch managers under this system, and under the bank’s guidelines and policies of risk tolerances and appetite.”
Thread Bank’s size has grown rapidly since the recapitalization. At the end of 2020, total assets were $98.7 million and total deposits were $95.4 million. At the end of the first quarter, total assets were $721.9 million and total deposits were $636.1 million.
But like many banks in this space, Thread’s growing pains have included regulatory scrutiny. In late June, the Federal Deposit Insurance Corp. made public a consent order that directed the bank to update its enterprise risk management framework and review and revise its policies and procedures related to anti-money laundering compliance, liquidity management, customer due diligence and the banking and lending as a service programs.
In a statement shared with Bank Director about the enforcement action, Black said, “[W]e remain steadfastly committed to collaborating with regulators at the state and federal levels because we believe the regulatory framework is necessary, when conducted properly, and can help create a strong banking system for consumers and small businesses. As such, we are dedicated to meeting all obligations, and we have already made substantial investments to improve our policies, processes, procedures and controls over the past three years. … We will continue to invest in our teams and services to ensure we meet the needs of, and provide strong protection for, our customers and partners as we move forward.”
Increasing growth — and increasing growth risks — should also translate into hiring and technology investments. Banks may find that their existing staff who have managed their Bank Secrecy Act, anti-money laundering and Know Your Customer processes are insufficient for the increased volume and scale of transactions and customers. Indeed, several consent orders targeted at banks with technology partnerships have stipulated that the bank hire more staff in compliance areas. Banks will need to look closely at the capabilities of their compliance areas like customer identification, transaction monitoring and dispute resolution.
Muetzel says banks should complete a staffing assessment and a functional organizational chart that lays out all the processes and tasks a bank needs to perform to maintain and oversee these partnerships, and should think about appointing a “full suite” risk officer to take a comprehensive approach to risk management and monitoring.