Digital banking has become an expectation for consumers, prompting banks to partner with fintech companies to meet this growing demand. In the race to stay competitive, however, some banks forged relationships that left them vulnerable to security and compliance risks.
This was evidenced by recent consent orders the FDIC entered against Ohio-based Sutton Bank and Piermont Bank, which is headquartered in New York. The FDIC’s concerns center on the possibility of illegal or illicit financial activity arising from third-party relationships.
Both banks were asked to revise their anti-money laundering/countering the financing of terrorism (AML/CFT) programs. They will have to conduct thorough risk assessments to ensure their fintech partners adhere to security and compliance requirements.
Sutton and Piermont are just two of the many banks that offer Banking-as-a-Service (BaaS) in collaboration with fintech companies. The FDIC’s findings are alarming because banks and credit unions doubled their investment in digital transformation from 2021 to 2022. It’s estimated that banks had an average of 2.5 fintech partnerships in 2021, and credit unions had 1.5.
Unsafe and Unsound
The consent order against Sutton Bank cited unsafe and unsound banking practices and “violations of law or regulation alleged to have been committed by the Bank, including those related to the Bank Secrecy Act.” Sutton Bank leadership didn’t confirm or deny the allegations.
The Piermont consent order accused the bank of failing “to have internal controls and information systems appropriate for the size of the Bank and the nature, scope, and complexity of its Third-Party Relationships.”
While there’s no doubt that fintechs offer banks the ability to rapidly meet the growing digital demand, the challenges the partnerships pose have been well-documented. By their nature, fintech companies are prime targets for cyberattacks, and since they aren’t banks, they aren’t required to meet stringent regulatory requirements.
Reevaluating Risk
The soaring proliferation of partnerships between banks and fintech companies isn’t likely to stall based on the FDIC’s actions. Banks will continue to look for ways to navigate the ever-changing waters of digital transformation.
The consent orders will shed light, however, on substantial risks that can arise from banks’ partnerships with fintech players. Because fintech companies have their own initiatives and incentives, their actions may not always align with the bank’s best interest.
Regulatory agencies have long been concerned about these relationships, which are increasingly under the microscope.
As Comptroller of the Currency Michael Hsu recently stated, “We will not… lower our standards, create a special regime, or take an overly expansive view of banking to entice new entrants or in the hope of bringing a particular activity into the bank regulatory perimeter.”