Hi all! 👋
In case you missed it, we released a Fintech Layer Cake episode with Plaid’s co-founder and CEO, Zach Perret, that was one of my favorites to record.
Also…this newsletter crossed 4,000 subscribers since the last edition! Thank you all for reading so far; I never imagined it would get this much interest.
No gifs and memes in this edition because…well, it turns out adopting an 85 lb, 10-month-old dog adds a bit of chaos and exhaustion to your life, so the gif/meme part of my brain is a little offline…
The FDIC Crossed That River When It Got to It
On Friday, the FDIC updated its recent slate of bank enforcement orders. In one of them, the FDIC determined that Cross River Bank’s (CRB) compliance systems and standards weren’t good enough to ensure compliance with the law that prohibits discrimination when extending credit.[1]
CRB is a big fintech partner bank. And, as expected, the order has a lot to do with how the bank’s compliance system should have been handling fintechs. I’m going to focus on stuff that jumped out to me (aka, the bits most relevant to fintechs) and leave out the more ordinary stuff. Let’s dig in! ⛏️
Out of a 2021 Review
The order grew out of a normal bank exam CRB had in 2021, in which it seems the FDIC identified fair lending compliance concerns. Bank exams regularly find problems, banks usually address them, bank examiners circle back, everything is fixed, and everybody goes home happy. So the fact there’s a consent order suggests the bank may not have buttoned things up enough on their own.
Fair Lending Laws
The consent order was driven by fair lending concerns. The main law here is the Equal Credit Opportunity Act (ECOA). In short, ECOA says you can’t discriminate when extending credit. It’s the law used, for example, to go after mortgage lenders for redlining.
There are two general ways an institution can get caught discriminating under ECOA:
Disparate / Overt Treatment: This is overtly and intentionally excluding someone because of, say, race or gender. That’s obviously bad.
Disparate Impact: Generally, the “disparate impact” form of discrimination happens if the outcome of a lender’s actions or processes has an adverse effect on people because of, e.g., their race or gender even if the lender didn’t intend to discriminate and had decisions and processes that seemed neutral on their face.[2]
As a result, lenders will pay for statistical analyses (typically $25-40K per) to see if there are any disparate impacts lurking in their credit products. Hot tip: this becomes relevant later, so remember it.
Also important: ECOA applies to credit products (both consumer and commercial). Which means this CRB order wasn’t about any fintech crypto, debit/prepaid cards, bank account, or brokerage products.
Ok, ok, let’s get to the good stuff. What’s in the order?
Consent for New Credit Products and Fintechs
CRB has to get the FDIC’s consent for any new credit products they want to offer, including any offered via fintechs.[3]
To get that approval, CRB has to submit several items to the FDIC for every new credit product or fintech credit partner they want. It includes mostly stuff you’d expect (e.g., a CRB risk assessment of the product/fintech), but CRB also has to submit a proposed fintech partnership agreement.
Why would a fintech pay lawyers and invest a significant amount of their own time and resources to negotiate a proposed final bank partnership agreement when it might just be rejected by the FDIC? The rational thing would be to go work with a different bank.
Cross River told Bloomberg it expects the order will have “no meaningful impact” on growth since many of the requirements have been or will soon be met. But I think it’s unlikely they’ll get any new material fintech partners until the order is lifted, and that can take years.
Resources Study and Plan
CRB has to do a study and submit a plan to the FDIC covering what personnel and tools they need to ensure fair lending compliance. This one jumped out because the study specifically has to look at whether the bank can sufficiently recruit and retain qualified personnel, and they have to provide quite granular detail to the FDIC like compliance org charts.
A similar requirement doesn’t appear to be in Anchorage’s and Blue Ridge’s consent orders, which makes me wonder if CRB tried to tell the FDIC “sorry, the job market was too hot” and, well, that doesn’t get you out of legal/regulatory obligations. Interestingly, back in June ‘22 the OCC specifically said one of the banking system risks was turnover and recruitment.
Fintech Assessment for ‘21-’22
CRB has to complete a fair lending assessment for 2021-22 to see if any of their fintech partners offering credit products for 6+ months complied with fair lending laws, and consider if they need to right any wrongs they find.
Going forward, CRB will have to do this kind of assessment at least annually for each credit fintech partner that has partnered with CRB for 6+ months. Remember the ECOA statistical analysis we talked about earlier? That $25-40K test will likely be part of the annual assessment.[4] That’s not cheap (though I imagine CRB will make its fintech partners pay for it). Lesson: credit is regulated and expensive to do right!
Also of note: the assessment must include a review of each fintech’s fair lending policies and procedures. While (I hope) most banks and fintechs have all relevant policies and procedures in place, I wouldn’t be surprised if some smaller or less sophisticated ones don’t.
This CRB order may be a wake up call for smaller banks to start demanding more compliance policies and other documentation from fintechs. And that’s a continuation of a theme we’ve seen for the past 6 months: the hurdle to find a good bank partner has increased, and will likely continue to do so.
Better Info Visibility
Under the order, CRB has to ensure it has access to all info about credit decisions or credit models that a fintech makes. More generally, the bank is required to set up an information system to ensure they have sufficient visibility into whether the bank and any fintech partners comply with fair lending laws.
Lesson: if you’re a fintech, your bank partner needs easy and fast access to information. If they ask for data or info for compliance purposes, that better be a top priority for the company to rally around. If you’re too slow to provide info, there’s a chance the bank could view your program as non-compliant or too risky and worth offboarding.
Due Diligence and Third Party Merchants
The order requires CRB’s due diligence process for fintechs to identify the name, address, product, and any categories of “third party merchants” that will offer the product.
That “third party merchants” category is curious to me.[5] I have two theories:
Maybe it’s referring to Affirm (which was a CRB fintech partner, but revealed it was parting ways at the beginning of this year) and similar companies, where they have products that other merchants promote (e.g., Affirm as a checkout option).
Or maybe it’s referring to BaaS-like structures where there’s (1) the bank, (2) the BaaS provider, and (3) a customer of the BaaS provider (i.e., a third party merchant?).
Under the order, CRB has to monitor and have oversight over any third party merchants. That’s notable because, generally, banks want to be out of the relationship between a BaaS provider and the fintechs that use it. But, if a BaaS provider isn’t able to effectively facilitate monitoring and oversight of its merchants, banks may be compelled to ask for more direct relationships to those customers after the CRB order.
Fintech Agreements
The order specifies a few terms CRB has to require in every new credit fintech partner agreement:
The fintech must collect, maintain, and readily share with the bank all info needed for fair lending monitoring and compliance.
The fintech must agree to initial and periodic training of all personnel who have scope that includes fair lending controls.
The training one jumped out, as I imagine many early stage fintechs probably aren’t doing fair lending training.
One example: marketing teams should potentially be trained to watch for fair lending issues. If all your ads only show straight, white couples, that arguably is a fair lending problem because it may unintentionally discourage non-white, non-straight couples from applying. (Also, that’s a friendly reminder that in 2021 the CFPB confirmed sexual orientation and gender identity are classes protected from discrimination).
Sidenote: this is a great example of why the legal teams at fintechs need to be looped into marketing content reviews! If a lawyer reviews and catches fair lending problems, there’s less need to have a marketing team go through annual fair lending training.
Do All Diligence
The order requires various diligence steps for new credit products CRB wants to offer themselves or via a third party. Interestingly, the order requires that “all due diligence processes [must] be satisfactorily completed.”
I wouldn’t be surprised if CRB waived or looked the other way for certain diligence factors for large or strategic fintech partners. Lesson: check all your diligence boxes, even for bigger, known actors!
Number of Third Parties
You don’t have to work in a fintech legal/compliance role long to get used to seeing statements like “an AML program should be based on the company’s risk profile, size, and complexity.” But the CRB order had something I haven’t seen before: their board also must take into account “the number of [c]redit products offered and number of third parties involved.”
The number of fintech partners a bank has is becoming an explicit factor in risk assessments. More partnerships means more risks, which might lead banks to only agree to work with a few higher quality fintechs.
Not the End of the World (Just This Edition)
OK so there’s lots of bad stuff for CRB (that other banks and fintechs can learn from).
But consent orders aren’t catastrophic. While they’re not great, in a sense they’re saying “you have some problems, but not enough to be shut down, so go fix them.”
CRB is a sophisticated bank. I don’t expect them to disappear from the roster of fintech bank partners. But their consent order has lots of useful lessons for fintechs and fintech partner banks.
About
Hi! I’m Reggie. I’m a fintech product lawyer at Lithic and host of the Fintech Layer Cake podcast.
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice. If you need me to tell you not to get legal advice from Substack, you probably shouldn’t be on the internet?
[1] The actual “determination” is that CRB was engaged in “unsafe or unsound banking practices related to its compliance with applicable fair lending laws” by failing to have internal controls, information systems, and prudent underwriting practices. But that is absolute gibberish to anyone who isn't a bank regulatory lawyer.
[2] This description of ECOA and disparate treatment vs. impact is all very, very high-level. If you want more of the nuance, read the second paragraph in this.
[3] OK, fine, you caught me. The order talks about getting FDIC “non-objection” and not consent. But the idea of non-objection is that CRB has to tell the FDIC “we want to sign up X new partner” and as long as the FDIC doesn’t object in a reasonable time (45 days), CRB can go ahead and do it. But if you were a bank under a consent order, would you really move forward with a fintech partner if the FDIC was ominously silent? No, you would not. So practically, this is a form of consent.
[4] I can imagine CRB may not have to do an ECOA analysis if, e.g., there have been no material changes to a credit program since the last one.
[5] For the curious, the order defines third party merchants as “merchants offering one or more CRB Credit Products through or in conjunction with a Third Party.”