Payments Pros – The Payments Law Podcast

Navigating Regulatory Waters: Recent Enforcement Actions in BaaS

Episode Summary

Carlin McCrory, Keith Barnett, and James Stevens discuss recent enforcement actions in the banking as a service (BaaS) space. They delve into regulatory trends, consent orders, and future anticipated regulatory scrutiny.

Episode Notes

In the latest episode of Payments Pros, hosts Carlin McCrory and Keith Barnett are joined by James Stevens to discuss recent enforcement actions in the banking as a service (BaaS) space. They delve into regulatory trends, consent orders, and future anticipated regulatory scrutiny.

James explains the concept of BaaS, highlighting the regulatory scrutiny it faces due to its rapid growth and complexity. The conversation covers common themes in enforcement actions, such as compliance with the Bank Secrecy Act and consumer protection laws. The group discusses the importance of robust due diligence, contracts, and ongoing monitoring in BaaS partnerships. The episode concludes with insights on scaling risk and compliance oversight functions and the potential impact of regulatory changes on BaaS programs.

Episode Transcription

Hosts: Carlin McCrory and Keith Barnett
Guest: James Stevens
Date Aired: October 16, 2024

Carlin McCrory:

Welcome to another episode of Payments Pros, a Troutman Pepper podcast, focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our fintech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry.

I'm Carlin McCrory, one of the hosts of the podcast. Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanPepperFinancialServices.com. And don't forget to check out our other podcasts on troutman.com/podcast. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services and more. Make sure to subscribe to hear the latest episodes.

Today, Keith and I are joined by our colleague, James Stevens, to discuss recent enforcement actions in the banking as a service space, or BaaS, as well as regulatory trends we have seen related to consent orders and potential future actions that we may see. James, thanks so much for joining us today. Keith and I are looking forward to today's conversation.

James Stevens:

Thanks for having me, Carlin. I look forward to talking to you and Keith.

Carlin McCrory:

We'll go ahead and dive right in. And James, we've seen a number of recent enforcement actions in the banking as a service space. What do you think is going on here?

James Stevens:

Well, good question. And maybe it's best if we start by defining BaaS. What we refer to as banking as a service is when a bank is deputizing a non-bank to onboard customers and then to offer those customers loan, deposit, or payment services of the bank. And that particular area is where we're seeing a lot of regulatory scrutiny. We're not really seeing it in other areas where banks are partnering with fintech companies where they're not going that full step of embedding the banking products into the fintech's products and services. But we are certainly seeing it in that realm of BaaS providers.

I think a big driver of that is, frankly, the success that these partnerships have had. A few years back, they were fringy. They were done by a few banks. And the number of banks that are offering these partnerships has grown significantly over the past several years. And other banks that maybe are not jumping into the partnership realm as a line of business are using these partnerships to grow particular parts of their balance sheet or income statement.

And I think that because there's been a lot of growth, there's been a lot of opportunities, frankly, for people to do things wrong. This is hard. It's complex stuff. We're getting guidance from the regulators. But it's coming in dribs and drabs. And I think that when you have something that's growing rapidly and you have people that are jumping into it, that it's a pretty new area, or at least a new to many of these people area, it's an area where it's ripe for mistakes to be made. Maybe things not to be done as good as they should have been. And so, I think that what we're really seeing, the biggest explanation I have is a combination of rapid growth and maybe a business partnership that, while not new, is something that is new to many of the people that are getting into it.

Carlin McCrory:

There's been a host of consent orders that have come out, as you mentioned, and they do have some common themes within them. Can you talk about those themes?

James Stevens:

Yeah. I'm happy to. Now, I think it is helpful to say that while I acknowledge and agree that there is a lot of regulatory scrutiny and we're seeing a lot of activity, when I think about these true BaaS public enforcement actions, I count 11. We're dealing with a very small sample size. I think it is a little bit dangerous to talk about themes. But I do think that we can see some at least from this small sample size.

The two themes that I see for the most part are about half of these involve some kind of failure to comply with the Bank Secrecy Act. The second half are failure to comply with some other type of consumer protection laws. It's compliance-related. It's people that are engaging in a partnership with one another, dividing up functions. And then the bank being held accountable for failures of the program to comply with very specific Bank Secrecy Act or consumer protection laws.

I will say that what we haven't really seen a lot of but that what we've seen in three recent orders is just a general criticism of the banks in terms of their implementation of these third-party arrangements. And so, specifically, there were three recent enforcement actions with banks that they certainly involved failure to comply with specific things that the regulators thought that the bank should be complying with. But also, you can see throughout those enforcement actions the regulators generally commenting that maybe those three parties need to do a better job of managing these third-party relationships.

Of those three, two of these involve the Synapse debacle, which continues to unfold. And I think that that program in particular created a lot of challenges for the banks that were involved with it. And so, the enforcement actions were likely in those. But I think that that's what we're seeing in terms of themes.

Keith Barnett:

If I could just add something to that. James, it's actually also along those lines. What these enforcement actions have been doing is not only noting the failures of following a BSA policy. But they have, in some instances, been requiring certain BSA policies and procedures, and following the procedures, and having dedicated employees who understand the bank and the fintech's responsibilities under the BSA. And they've even gone so far as to say, "Hey, the board needs to adopt these new policies and procedures. And you need to report all these things to the board." They're not only bringing in management. But they're bringing in the board and the employees as well as a part of implementing the BSA policies.

James Stevens:

You're right, Keith. Very frequently, when you're dealing with bank regulatory enforcement actions, regulators seek to make whatever failures are being highlighted. And that can be regulatory enforcement actions in the BaaS space. Or that could be plain vanilla regulatory enforcement actions related to capital, or liquidity, or some of the other things that we're seeing in the market.

But in all of those instances, for several years now, the regulators have always made these failures corporate governance failures as well. And so, it is very important for banks that are involved in this space to get their boards involved and to make sure that they have updated all of the policy and procedures that are coming out of the board and if they have appropriate staffing at the bank, so that they can hopefully not make these challenges that they may face be criticized as a corporate governance failure.

Carlin McCrory:

James, are you expecting more orders to come out and be issued?

James Stevens:

Unfortunately, in the short term, yes. I think that we are seeing a very aggressive approach by the regulators. Anyone that is doing anything BaaS-related is getting scoured by the regulators. And I think that as a result, it's inevitable that some programs and some banks that are involved in those programs will be criticized by regulators and will look to put in place public or non-public enforcement actions.

I do think that longer term, maybe, I don't know, medium to long term, that we see a slowdown. And I think that's going to be as a result of the bad programs, for lack of a better term, getting surfaced and being dealt with. But I think, also, you are seeing at the same time, as regulators are working through these programs, we're all learning more. We're all learning what good looks like and what bad looks like. And I think that regulators are going to get more comfortable with this space.

I don't engage in political prognostication. But I think it is also fair to say that if we had an administration change, that acceptance of these programs would accelerate. But, again, I don't think that the eventual slowdown in these orders depends upon a regime change. I think that might just accelerate it.

Carlin McCrory:

What other regulatory threats do you see in the BaaS space?

James Stevens:

Well, there's a number of different threats that are out there depending on the type of program. For example, if the BaaS program is designed to originate credit products, the state true lender issues continue to dominate that space. But I think I will answer your question by raising perhaps the most timely new threat, which is yesterday's pronouncement about the brokered deposit rule rollback.

In 2020, the bank regulators, the FDIC adopted rules to clarify what deposits are considered brokered and what deposits are considered not brokered. Generally speaking, a brokered deposit is a deposit that is brought to a bank through the efforts of a third party. You can imagine, banking as a service partnership, there's always a third party involved. And so, if that program involves deposits or payments that are facilitated by deposits, you always have a question about whether the deposits that are being generated are brokered.

And in 2020, the regulators did a really good job of defining what is and what is not brokered and creating a number of exceptions that a lot of these programs have been built upon. For example, one of those exceptions is that if the non-bank that is generating these deposits has an exclusive relationship with the bank partner, those deposits would not be considered brokered.

Yesterday, the FDIC board in a 3-2 decision on proposed rules and asked for comments on those rules that would roll back virtually all of the clarity that was added in 2020. And if that happens, if that becomes anything close to what was proposed, becomes the new law, it will have a dramatic negative impact on the growth and utilization of BaaS programs that involve deposits or payments.

Keith Barnett:

What was the rationale behind that decision?

James Stevens:

I don't know. I think that the vote seemed to be on party lines. And the press has reported that, apparently, in 2020, the head of the FDIC was vehemently opposed to the rules that were adopted in 2020. And so, this is something, as he's on his way out of that organization, that he felt like he needed to do before he left.

Keith Barnett:

Interesting.

Carlin McCrory:

To wrap up, James, what are you telling your clients that are currently in or considering these types of partnerships?

James Stevens:

Well, I guess the one thing I would say as an overarching comment is that these BaaS partnerships, it's not just a partnership between the bank and the non-bank. I think the parties really have to keep in mind that the regulators are essentially a silent partner to this relationship.

Banks are highly regulated. Banks can't outsource compliance. And when problems come up, it's going to become the problem of the bank. And so, it is incumbent upon the banks that have that direct line exposure to the regulatory scrutiny to realize that that specter is out there and realize that the regulators will be looking at these programs that they have a seat at the table in what these programs need to look like. And they try to build the programs to withstand that scrutiny when it comes.

More specifically, I think that we've seen these orders that have come out have focused on a number of things where the partnerships have broken down. And we can learn from what those enforcement actions say. Clearly, there have been some deficiencies over due diligence between the bank and the non-bank. Fintechs should be ready for intense due diligence by their bank partners. And banks really need to have a good plan in place to do the due diligence necessary before they partner with fintechs in these partnerships.

The contracts need to be very robust. And there is very specific and explicit guidance from the regulators about what those contracts should say. The banks and the non-banks need to make sure their contracts say those things. I don't know how people put those partnerships in place without checking off everything that's in that guidance. But it's clear that that has also been present in some of these partnerships historically.

And probably, the biggest area where we've seen criticism is on the ongoing monitoring. Banks are expected to do due diligence on their partners. They're expected to have robust agreements with their partners. And then they're expected to monitor the performance of their partners and the performance of the program in general over time. And that requires having the policies and procedures in place that are imposed upon the non-bank, as well as the personnel inside the bank that can conduct that monitoring and oversight.

Last but not least, maybe not as important, hopefully, but all partnerships are going to have an end. And I think it is wise for people to spend probably more time than they have historically on negotiating what the separation is going to look like. It's kind of like a prenup. And right now, when times are good and everybody trusts each other and is getting along, it's a great time for these people to decide what an exit looks like. What does a termination look like? What does a wind down look like? And I think if banks and their partners will follow that advice, they will be well-served when the regulatory scrutiny comes to them.

Carlin McCrory:

And James, just thinking about one of the things you just mentioned, if a bank is considering starting one of these types of partnerships, I'm sure there's something to be said for doing this at scale. But also noting that it requires updates to policies and procedures, having the requisite staff, and not onboarding too many all at once and it becomes overwhelming. Do you have thoughts on that?

James Stevens:

Yes. And I think this is the challenge. I mean, if it was easy, it wouldn't be worth doing, as people say. And I think that that is certainly the challenge here. I think that before you invite people to swim in your pool, you got to make sure there's plenty of lifeguards around the pool. And I can't necessarily build all of that for where I'm going to be in three to five years on day one. Nor should I. But at the same time, I can't onboard a tremendous amount of deal flow, be it deposit transactions, or loan transactions, or payment transactions, without having the appropriate policies, procedures, and personnel in place.

And so, that really, in my mind, is among the hardest challenges for banks is to figure out how do I scale over time my risk and compliance oversight function to make sure at all times that I'm at least a few steps ahead of my partner in terms of its production? It's challenging. It is doable. And at the front end, it is going to involve certainly some investment.

Carlin McCrory:

Well, James, thanks so much for joining us today. And thanks to our audience for listening to today's episode. Don't forget to visit our blog, TroutmanPepperFinancialServices.com. And subscribe so you can get the latest updates. Please also make sure to subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you use. We're looking forward to next time.
