The Federal Deposit Insurance Corporation (FDIC) recently announced a consent order with Tennessee-based Lineage Bank containing orders relating to the bank’s third-party risk management program and its financial technology (fintech) partners.

Under the terms of the consent order, the FDIC has ordered, among other things, that:

  • The bank’s board of directors (the board) increase its participation in the bank’s affairs by assuming full responsibility for the approval of the bank’s policies and for the supervision of the bank’s management.
  • Within 30 days, the bank shall undertake a review and assessment to determine the adequacy of existing reserve account balances to cover all liabilities related to any fintech relationships.
  • Within 60 days, the board shall submit a general contingency plan to the FDIC’s Regional Director detailing how it will administer an effective and orderly termination with significant fintech partners.
  • Within 90 days, the board shall implement a plan to enhance the internal audit functions to include evaluation of risk controls for high-risk areas of the bank, including onboarding deposits obtained through third parties, processing payments obtained through third parties, and sweeping deposits.
  • Within 90 days, the bank shall engage a qualified independent firm to complete an assessment and report of existing relationships with fintech partners.
    • Within 30 days of receipt of the report, the board shall develop a written plan to correct any deficiencies or recommendations identified in the report and shall monitor progress in addressing recommendations at least monthly. The board’s monthly monitoring shall be documented and submitted to the FDIC’s Regional Director.
  • Within 90 days, the board shall formalize the process for accepting new fintech partners in the form of a written “formal onboarding process.”
  • Within 120 days, the board shall adopt a written program to assess and manage the risks posed by relationships with fintech companies. Such plan will be provided to the FDIC’s Regional Director for review and comment.
    • Thereafter, the board shall engage a qualified third party to assess the adequacy and effectiveness of the risk management program at least annually and amend the program to maintain effectiveness as needed or directed by the FDIC.

The formal onboarding process required under the terms of the consent order, which tracks prior interagency guidance and should serve as a roadmap for other banks in the space, must include provisions requiring the completion of due diligence for each proposed fintech partner relating to, at a minimum, a written assessment of:

  • The financial condition of the potential fintech partner;
  • Proposed contracts between the bank and the fintech partner;
  • Type and volume of anticipated activity under the program;
  • Bank management’s experience associated with the activity proposed by the fintech partner;
  • Readiness of the bank’s system for processing transactions related to the fintech partner;
  • Registration or licensing requirements;
  • Expected additional parties or companies involved in the program;
  • Marketing and consumer and deposit insurance disclosures of the fintech partner;
  • Compliance with applicable laws and regulations by the fintech partner;
  • Quantified analysis of how the fintech partner is expected to impact the bank’s financial measures including asset totals, capital ratios, earnings, liquidity, and sensitivity to market risk; and
  • Approval authority for the fintech partner, including the role of the board.

Our Take:

This consent order is the latest in a series of regulatory enforcement actions dealing with third-party risk management programs and fintech partner issues — clearly evidencing the regulators’ increased focus on this area. This should not be a surprise since, as discussed here, in June 2023, the FDIC, along with the Board of Governors of the Federal Reserve System (FRB) and Office of the Comptroller of the Currency (OCC), issued guidance to banking organizations on managing the risks associated with third-party relationships. The June 2023 interagency guidance provided: (i) principles for a banking organization to consider through each stage of its third-party relationship “life cycle” from planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination; and (ii) considerations that banking organizations use as part of sound risk management planning (i.e., specific consideration of whether a fintech may have access to or use consumers’ information or otherwise interact with consumers).

While the FDIC does not provide specific allegations as to what led to this consent order, through the series of regulatory actions on this topic, we are seeing an increased emphasis on ongoing monitoring of third parties and the risks posed by the bank’s various fintech partners, including:

  1. Fintechs with whom the bank has a direct relationship (Direct Fintechs) or an indirect relationship through a banking-as-a-service (BaaS) intermediary (Intermediaries); and
  2. Fintechs with whom the bank’s Direct Fintechs or Intermediaries have a business relationship (Third-Party Fintechs) through which any funds or transactions are processed by the bank.

Notably, per this order, the FDIC ordered the bank to:

  • “not enter into any new line of business or expand a current business line that would result in annual 10 percent growth in total assets or total liabilities without the prior written consent of FDIC Dallas Regional Director;” and
  • “refrain from onboarding any new fintech partners or ACH end-customers via FinTech Partners until the Formal Onboarding Process has been submitted to the Regional Director for review and comment, approved by the Board, and thereafter implemented.”

We’ve seen similar stoppage requirements over multiple consent orders by the federal banking regulators.

In light of the series of regulatory actions, banks will need to consider whether their third-party risk management programs are up to date and sufficiently rigorous, particularly as they assess their BaaS programs and the types of fintech involvement contained within those programs.

James Stevens

James is the co-leader of the firm’s Financial Services Industry Group. He has significant experience working with clients across the entire financial services sector, regularly working with public and private companies such as banks, neobanks, marketplace lenders, and other fintech and financial services providers and partners.

Samer Roshdy

Samer represents public and private companies on both corporate and financial services regulatory compliance matters. With a significant portion of his practice devoted to representing clients in the financial services industry, Samer routinely advises depository institutions, innovative fintech companies, and other nonbank financial services companies.

Sarah Hanna

Sarah is an associate in the firm’s Corporate practice. She works with public and private companies on a wide range of corporate matters, including equity and debt offerings, SEC reporting, corporate governance, and financial services matters.

Matthew Bornfreund

Matthew provides comprehensive guidance to clients on a wide range of regulatory, transactional, and compliance matters, helping them to advance their operational goals and launch new products and services. His clients include domestic and international traditional and nontraditional banks, as well as fintechs, private equity funds, and payment services firms.

Caitlin Oh

Caitlin is an associate in the firm’s Corporate practice. She graduated from Emory University School of Law, where she earned her J.D., with honors. During her time at Emory, Caitlin was a Dean’s teaching fellow, a managing editor of the Emory Law Journal, and a student attorney at the Emory Barton Child Law and Policy Center.

Ethan G. Ostroff

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and state laws.

Glen Trudel

A former bank in-house counsel, Glen brings real-world experience to financial institutions, marketplace lenders, fintechs, and other companies grappling with both regulatory and transactional issues.