Hi all!
In case you missed it, we released a Fintech Layer Cake episode with Plaid's co-founder and CEO, Zach Perret, that was one of my favorites to record.
Also…this newsletter crossed 4,000 subscribers since the last edition! Thank you all for reading so far; I never imagined it would get this much interest.
No gifs and memes in this edition because…well, it turns out adopting an 85 lb 10-month old dog adds a bit of chaos and exhaustion to your life, so the gif/meme part of my brain is a little offline…
The FDIC Crossed That River When It Got to It
On Friday, the FDIC updated its recent slate of bank enforcement orders. In one of them, the FDIC determined that Cross River Bank's (CRB) compliance systems and standards weren't good enough to ensure compliance with the law that prohibits discrimination when extending credit.1
CRB is a big fintech partner bank. And, as expected, the order has a lot to do with how the bank's compliance system should have been handling fintechs. I'm going to focus on stuff that jumped out to me (aka, the bits most relevant to fintechs) and leave out the more ordinary stuff. Let's dig in!
Out of a 2021 Review
The order grew out of a normal bank exam CRB had in 2021, in which it seems the FDIC identified fair lending compliance concerns. Bank exams regularly find problems, banks usually address them, bank examiners circle back, everything is fixed, and everybody goes home happy. So the fact there's a consent order suggests the bank may not have buttoned things up enough on their own.
Fair Lending Laws
The consent order was driven by fair lending concerns. The main law here is the Equal Credit Opportunity Act (ECOA). In short, ECOA says you can't discriminate when extending credit. It's the law used, for example, to go after mortgage lenders for redlining.
There are two general ways an institution can get caught discriminating under ECOA:
Disparate / Overt Treatment: This is overtly and intentionally excluding someone because of, say, race or gender. That's obviously bad.
Disparate Impact: Generally, the "disparate impact" form of discrimination happens if the outcome of a lender's actions or processes has an adverse effect on people because of, e.g., their race or gender even if the lender didn't intend to discriminate and had decisions and processes that seemed neutral on their face.2
As a result, lenders will pay for statistical analyses (typically $25-40K per) to see if there are any disparate impacts lurking in their credit products. Hot tip: this becomes relevant later, so remember it.
Also important: ECOA applies to credit products (both consumer and commercial). Which means this CRB order wasn't about any fintech crypto, debit/prepaid cards, bank account, or brokerage products.
Ok, ok, let's get to the good stuff. What's in the order?
Consent for New Credit Products and Fintechs
CRB has to get the FDIC's consent for any new credit products they want to offer, including any offered via fintechs.3
To get that approval, CRB has to submit several items to the FDIC for every new credit product or fintech credit partner they want. It includes mostly stuff you'd expect (e.g., a CRB risk assessment of the product/fintech), but CRB also has to submit a proposed fintech partnership agreement.
Why would a fintech pay lawyers and invest a significant amount of their own time and resources to negotiate a proposed final bank partnership agreement when it might just be rejected by the FDIC? The rational thing would be to go work with a different bank.
Cross River told Bloomberg it expects the order will have "no meaningful impact" on growth since many of the requirements have been or will soon be met. But I think it's unlikely they'll get any new material fintech partners until the order is lifted, and that can take years.
Resources Study and Plan
CRB has to do a study and submit a plan to the FDIC covering what personnel and tools they need to ensure fair lending compliance. This one jumped out because the study specifically has to look at whether the bank can sufficiently recruit and retain qualified personnel, and they have to provide quite granular detail to the FDIC like compliance org charts.
A similar requirement doesn't appear to be in Anchorage's and Blue Ridge's consent orders, which makes me wonder if CRB tried to tell the FDIC "sorry, the job market was too hot" and, well, that doesn't get you out of legal/regulatory obligations. Interestingly, back in June '22 the OCC specifically said one of the banking system risks was turnover and recruitment.
Fintech Assessment for '21-'22
CRB has to complete a fair lending assessment for 2021-22 to see if any of their fintech partners offering credit products for 6+ months complied with fair lending laws, and consider if they need to right any wrongs they find.
Going forward, CRB will have to do this kind of assessment at least annually for each credit fintech partner that has partnered with CRB for 6+ months. Remember the ECOA statistical analysis we talked about earlier? That $25-40K test will likely be part of the annual assessment.4 That's not cheap (though I imagine CRB will make its fintech partners pay for it). Lesson: credit is regulated and expensive to do right!
Also of note: the assessment must include a review of each fintech's fair lending policies and procedures. While (I hope) most banks and fintechs have all relevant policies and procedures in place, I wouldn't be surprised if some smaller or less sophisticated ones don't.
This CRB order may be a wake up call for smaller banks to start demanding more compliance policies and other documentation from fintechs. And that's a continuation of a theme we've seen for the past 6 months: the hurdle to find a good bank partner has increased, and will likely continue to do so.
Better Info Visibility
Under the order, CRB has to ensure it has access to all info about credit decisions or credit models that a fintech makes. More generally, the bank is required to set up an information system to ensure they have sufficient visibility into whether the bank and any fintech partners comply with fair lending laws.
Lesson: if you're a fintech, your bank partner needs easy and fast access to information. If they ask for data or info for compliance purposes, that better be a top priority for the company to rally around. If you're too slow to provide info, there's a chance the bank could view your program as non-compliant or too risky and worth offboarding.
Due Diligence and Third Party Merchants
The order requires CRB's due diligence process for fintechs to identify the name, address, product, and any categories of "third party merchants" that will offer the product.
That "third party merchants" category is curious to me.5 I have two theories:
Maybe it's referring to Affirm (which was a CRB fintech partner, but revealed it was parting ways at the beginning of this year) and similar companies, where they have products that other merchants promote (e.g., Affirm as a checkout option).
Or maybe it's referring to BaaS-like structures where there's (1) the bank, (2) the BaaS provider, and (3) a customer of the BaaS provider (i.e., a third party merchant?).
Under the order, CRB has to monitor and have oversight over any third party merchants. That's notable because, generally, banks want to be out of the relationship between a BaaS provider and the fintechs that use it. But, if a BaaS provider isn't able to effectively facilitate monitoring and oversight of its merchants, banks may be compelled to ask for more direct relationships to those customers after the CRB order.
Fintech Agreements
The order specifies a few terms CRB has to require in every new credit fintech partner agreement:
The fintech must collect, maintain, and readily share with the bank all info needed for fair lending monitoring and compliance.
The fintech must agree to initial and periodic training of all personnel who have scope that includes fair lending controls.
The training one jumped out, as I imagine many early stage fintechs probably aren't doing fair lending training.
One example: marketing teams should potentially be trained to watch for fair lending issues. If all your ads only show straight, white couples, that arguably is a fair lending problem because it may unintentionally discourage non-white, non-straight couples from applying. (Also, that's a friendly reminder that in 2021 the CFPB confirmed sexual orientation and gender identity are classes protected from discrimination).
Sidenote: this is a great example of why the legal teams at fintechs need to be looped into marketing content reviews! If a lawyer reviews and catches fair lending problems, there's less need to have a marketing team go through annual fair lending training.
Do All Diligence
The order requires various diligence steps for new credit products CRB wants to offer themselves or via a third party. Interestingly, the order requires that "all due diligence processes [must] be satisfactorily completed."
I wouldn't be surprised if CRB waived or looked the other way for certain diligence factors for large or strategic fintech partners. Lesson: check all your diligence boxes, even for bigger, known actors!
Number of Third Parties
You don't have to work in a fintech legal/compliance role long to get used to seeing statements like "an AML program should be based on the company's risk profile, size, and complexity." But the CRB order had something I haven't seen before: their board also must take into account "the number of [c]redit products offered and number of third parties involved."
The number of fintech partners a bank has is becoming an explicit factor in risk assessments. More partnerships means more risks, which might lead banks to only agree to work with a few higher quality fintechs.
Not the End of the World (Just This Edition)
OK so there's lots of bad stuff for CRB (that other banks and fintechs can learn from).
But consent orders aren't catastrophic. While they're not great, in a sense they're saying "you have some problems, but not enough to be shut down, so go fix them."
CRB is a sophisticated bank. I don't expect them to disappear from the roster of fintech bank partners. But their consent order has lots of useful lessons for fintechs and fintech partner banks.
About
Hi! I'm Reggie. I'm a fintech product lawyer at Lithic and host of the Fintech Layer Cake podcast.
Reach out (email or Twitter) if you're interested in sponsoring the newsletter, want to connect with good + practical fintech counsel, want to collaborate, or just want to say hey!
Any views expressed are my own (well, sort of? I mean, they're based on laws and regulations, so they're not really "mine"?). Nothing here is legal or financial advice. If you need me to tell you not to get legal advice from Substack, you probably shouldn't be on the internet?
The actual "determination" is that CRB was engaged in "unsafe or unsound banking practices related to its compliance with applicable fair lending laws" by failing to have internal controls, information systems, and prudent underwriting practices. But that is absolute gibberish to anyone who isn't a bank regulatory lawyer.
This description of ECOA and disparate treatment vs. impact is all very, very high-level. If you want more of the nuance, read the second paragraph in this.
OK, fine, you caught me. The order talks about getting FDIC "non-objection" and not consent. But the idea of non-objection is that CRB has to tell the FDIC "we want to sign up X new partner" and as long as the FDIC doesn't object in a reasonable time (45 days), CRB can go ahead and do it. But if you were a bank under a consent order, would you really move forward with a fintech partner if the FDIC was ominously silent? No, you would not. So practically, this is a form of consent.
I can imagine CRB may not have to do an ECOA analysis if, e.g., there have been no material changes to a credit program since the last one.
For the curious, the order defines third party merchants as "merchants offering one or more CRB Credit Products through or in conjunction with a Third Party."