Financial institutions have utilized service providers such as third-party vendors and nonbank entities that partner with banks for a multitude of purposes over many years. The use of service providers has not historically been a controversial issue, and financial institutions have always had an obligation to manage relationships in a manner that is consistent with safety and soundness standards. Given this background, what should we do differently when evaluating so-called bank partnership programs that have received more scrutiny, particularly in the FinTech context? The answer: closely monitor state legislation, given how rapidly evolving state law has created a patchwork of legal and regulatory issues for these programs, similar to but more complicated than prior waves of legislation regulating mortgage brokers, loan servicers, and debt collectors.
In June 2023, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued guidance on managing risks associated with third-party relationships (Guidance). This Guidance replaces and rescinds prior guidance and frequently asked questions that date back to 2008. The Guidance acknowledges the long-standing use of service providers—“[b]anking organizations routinely rely on third parties for a range of products, services, and other activities”—and the benefit of such relationships: “The use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets.” However, it notes the use of a third party does not diminish or negate the financial institution’s responsibility to ensure its activities are run in a safe and sound manner and comply with applicable laws and regulations. In other words, a financial institution cannot avoid liability by delegating certain responsibilities to their service provider.
The Guidance emphasizes the need for an appropriate risk assessment of service provider relationships, as well as tailoring the compliance management system and oversight to be commensurate with the risk presented by the service provider. For financial institutions that wish to partner with a nonfinancial institution in a “bank partner” model, this Guidance provides a good framework on how to develop policies and procedures to ensure safe and sound banking practices.
At a glance, this should be the end of the story—create solid risk management practices and appropriately manage your relationships. However, state licensing regimes and the interplay of federal and state law create complex issues, particularly when analyzing a consumer lending bank partner program. Both financial institutions and their partners that are not financial institutions must be cognizant of the rapidly changing landscape on the state level. States have threatened, and currently are attempting, to opt out of the Depository Institutions Deregulation and Monetary Control Act (DIDMCA). The purpose of DIDMCA was to place national and state banks on a level playing field. Other state legislation has created “predominant economic interest” and other so-called “true lender” tests to determine whether the financial institution is in fact the lender of record, or whether the loans should be treated as if the nondepository partner were the lender.
As a result, while the general premise of a bank partnership is old news, the current wave of legislation brings both an old concept (state licensing and supervision) and a new concept (substantively regulating the terms of credit extended by financial institutions through legislation purportedly applicable only to the nondepository entity) to regulating such partnerships. The complexity and sheer volume of state laws aimed at exercising authority over financial services products being provided by financial institutions means that both financial institutions and their partners must be diligent when crafting their relationship and monitoring ongoing legislative changes. Up-front consideration should be taken in developing the program, assigning responsibilities, developing comprehensive compliance management systems, and ensuring ongoing diligence.