Regulators tighten BaaS oversight

Banking-as-a-service works like a bank renting out its charter and payment rails to a fintech app — and U.S. regulators have spent the past two years warning that the bank still owns the risk. On July 25, 2024, the Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and Federal Reserve issued a joint statement on those arrangements. (fdic.gov) The agencies said the statement did not create new rules. It said banks remain responsible for complying with law and regulation even when a third party handles customer-facing work, and it pointed banks back to the interagency third-party risk guidance issued on June 7, 2023. (fdic.gov) (federalreserve.gov) The same day, the agencies opened a formal request for information on bank-fintech partnerships, and the notice was published in the Federal Register on July 31, 2024. They asked for comment on deposit, payments and lending arrangements and set a September 30, 2024 deadline. (federalregister.gov) The regulators’ message followed a run of enforcement actions at sponsor banks. The Federal Reserve said on June 14, 2024 that Evolve Bank & Trust had failed to maintain an effective risk-management framework for fintech partnerships and ordered stronger oversight, monitoring, recordkeeping and consumer-compliance controls. (federalreserve.gov) The Federal Deposit Insurance Corp. also issued 2024 consent orders to banks with fintech-heavy models. A January 29, 2024 order against Lineage Bank cited unsafe or unsound practices tied to its third-party risk program and fintech partners, and a May 21, 2024 order against Thread Bank required a revised strategic plan, stronger liquidity planning and support for anti-money-laundering compliance. (fdic.gov 1) (fdic.gov 2) The Office of the Comptroller of the Currency took a similar line with Blue Ridge Bank. Its January 24, 2024 consent order replaced a 2022 formal agreement and cited unsafe or unsound practices, failure to fix previously reported problems, and deficiencies in the bank’s Bank Secrecy Act and anti-money-laundering program. (occ.gov) What changed was not a new BaaS rulebook but the level of supervisory pressure. The 2023 interagency guidance already told banks to manage third-party relationships across the full life cycle — planning, due diligence, contract negotiation, ongoing monitoring and termination — and the 2024 actions showed examiners applying that framework to fintech distribution models. (federalreserve.gov) (fdic.gov) The agencies’ 2024 statement listed the weak spots they were seeing: unclear roles between bank and fintech, poor access to customer and transaction data, compliance gaps, ineffective complaint handling, and trouble tracing funds in complex deposit arrangements. The notice said banks can still pursue these partnerships, but only with controls that match the size and complexity of the program. (fdic.gov) (federalregister.gov) Banks and fintech vendors answered the request for information by arguing that the model can expand access and speed product launches if responsibilities are clearly allocated and data flows are reliable. The agencies, in their notice, said they support “responsible innovation” but framed the review around safe-and-sound banking, consumer protection and financial-crime controls. (federalregister.gov) (fdic.gov) (regulations.gov) For sponsor banks, that leaves a narrower operating lane. If a fintech handles onboarding, payments, ledgering or customer service, examiners are signaling that the bank needs documented due diligence, clear escalation paths, direct access to records, and the authority to slow growth or exit the relationship before the next consent order does it for them. (federalreserve.gov 1) (federalreserve.gov 2)