Alston & Bird Consumer Finance Blog

Banking Regulatory Agencies

Financial Services Advisory: FDIC Proposes Rule to Establish Custodial Account Recordkeeping Requirements

Executive Summary

Our Financial Services Team studies the Federal Deposit Insurance Corporation’s plans to require insured depository institutions (IDIs) to keep specific records so that they know the actual owner of deposits placed by fintechs and BaaS providers.

  • IDIs would be required to implement internal controls over the covered accounts
  • IDIs would be permitted to contract with a third party to assist in meeting the recordkeeping requirements
  • Comments on the proposed rule are due 60 days after it’s published in the Federal Register

_____________________________________________________________________________

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) issued a notice of proposed rulemaking (NPRM), Recordkeeping for Custodial Accounts, that would establish new recordkeeping requirements for insured depository institutions (IDIs) about certain custodial accounts that are often used by financial technology companies and banking as a service (BaaS) providers to hold their customers’ deposits and facilitate transactions. The NPRM appears to be a direct response to the May 2024 collapse of Synapse Financial Technologies, a fintech provider that maintained custodial transaction accounts for end-users. Synapse, former FDIC Chair Jelena McWilliams as bankruptcy trustee for Synapse, and certain partner banks have been unable to reconcile the actual amount of funds in the custodial accounts with existing records related to those accounts, restricting end-users’ access to the funds.

The NPRM refers to the accounts it covers as “custodial deposit accounts with transactional features,” defined as “deposit account[s]: (1) [e]stablished for the benefit of beneficial owners; (2) [i]n which the deposits of multiple beneficial owners are commingled; and (3) [t]hrough which beneficial owner(s) may authorize or direct a transfer through the account holder from the custodial deposit account to a party other than the account holder or beneficial owner.”

Specifically, for each nonexempt covered account, the proposed rule would require IDIs to maintain records in a prescribed format of account ownership, beneficial ownership, ownership right and capacity (e.g., single account, trust account, business account), current balances, and accrued interest balances. Each IDI that holds nonexempt covered accounts would be required to implement internal controls appropriate to its size and the nature, scope, and risk of its activities related to those covered accounts, including by maintaining accurate balances at the beneficial ownership level and reconciling account balances at the close of each business day.

The NPRM would permit IDIs to contract with a third party (e.g., a fintech or BaaS provider that established the covered account) to “assist the [IDI] in meeting” the recordkeeping requirements of the proposed rule. The IDI must:

  • Have direct, continuous, and unrestricted access to the records maintained by the third party, even in the event of the third party’s business interruption, insolvency, or bankruptcy.
  • Have a continuity plan and technical capabilities to ensure compliance with the NPRM, including backup recordkeeping capabilities.
  • Implement internal controls to accurately determine and daily reconcile the beneficial ownership of covered accounts.
  • Have a contractual relationship with the third party that:
    • Clearly defines roles and responsibilities for recordkeeping, including by assigning to the IDI the third party’s rights to access data held by other parties.
    • Requires the third party to implement internal controls that would be required of the IDI if the IDI were performing the outsourced function.
    • Requires a periodic, but not less than annual, validation by an independent third party to assess and verify that the third party is maintaining accurate and complete records consistent with the provisions of the proposed rule.
    • Does not relieve the IDI of its responsibilities under the proposed rule.

The proposed rule would exempt certain covered accounts from its requirements, including: (1) accounts holding only trust deposits; (2) accounts established by a government depositor; (3) accounts established by or on behalf of one or more brokers, dealers, or investment advisers; (4) interest on lawyers trust accounts; (5) accounts held in connection with an employee benefit plan or retirement plan; (6) accounts maintained in connection with a real estate transaction; (7) accounts maintained by a mortgage servicer in a custodial or other fiduciary capacity; (8) accounts that are prohibited by federal or state law to disclose the identities of the beneficial owners of the deposits; (9) accounts maintained through deposit placement or reciprocal networks for purposes other than payment transactions; (10) accounts holding security deposits for homeownership associations governed by state law; and (11) accounts holding security deposits tied to residential or commercial leasehold interests.

IDIs holding nonexempt covered accounts would be required to establish and maintain written policies and procedures to achieve compliance with the proposed rule and annually certify compliance with the proposed rule to the IDI’s FDIC regional or area office and the appropriate federal banking agency. Further, these IDIs would be required to submit to the IDI’s FDIC regional or area office and the appropriate federal banking agency a report containing a description of any material changes to the IDI’s information technology systems; a list of account holders that maintain nonexempt covered accounts at the IDI, the total balance of these accounts, and total number of beneficial owners of these accounts; the results of the IDI’s periodic recordkeeping compliance testing; and the results of the independent validations of records maintained by third parties.

Violations of the proposed rule would be subject to enforcement actions under Section 8 of the Federal Deposit Insurance Act and potential termination of the offending IDI’s deposit insurance.

In an accompanying press release, FDIC Chair Martin Gruenberg stated that the proposed rule “is an important step to ensure that banks know the actual owner of deposits placed in a bank by a third party such as Synapse, whether the deposit has actually been placed in the banks, and that the banks are able to provide the depositor their funds even if the third party fails” that would “strengthen the FDIC’s ability to make deposit insurance determinations” and “strengthen compliance with anti-money laundering and countering the finance of terrorism law.”

While the NPRM, if finalized as proposed, would facilitate FDIC administration of pass-through deposit insurance claims by end-users whose funds are held in custodial accounts, the main, practical impact of the rule would likely be that fintech companies and BaaS providers will need to develop recordkeeping and reporting obligations that satisfy explicit FDIC requirements – all under the close scrutiny of their IDI partners. We anticipate that IDIs that hold custodial accounts subject to a final rule as well as their fintech company and BaaS provider partners will need to implement considerable updates to technology systems, internal control practices, and their contractual arrangements to comply with these requirements.

The FDIC’s proposal follows revised rules governing FDIC deposit insurance coverage advertising and misrepresentation, a recent proposed rulemaking and request for information relating to brokered deposits, a July joint statement and request for information relating to bank–fintech arrangements, general third-party risk management guidance that federal agencies updated in 2023, and a handbook the agencies released earlier this year to assist community banks in implementing the guidance.

The FDIC is seeking comment on the NPRM.  Interested IDIs, fintech companies, and BaaS providers should review the NPRM and consider submitting comments. Comments on the NPRM are due 60 days after the proposed rule’s publication in the Federal Register.


Originally published September 24, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

Financial Services / Investment Funds / White Collar, Government & Internal Investigations ADVISORY: Investment Advisers Face New AML/CFT Compliance Obligations from FinCEN

Executive Summary

Our Financial Services, Investment Funds, and White Collar, Government & Internal Investigations Teams break down the latest Financial Crimes Enforcement Network (FinCEN) rule investment advisers must prepare for.

  • Investment advisers will now be included in the list of “financial institutions” under the Bank Secrecy Act
  • To mitigate “illicit finance” risks, they must now maintain anti-money laundering/countering the financing of terrorism (AML/CFT) programs
  • The final rule is likely to impose a heavy burden on smaller firms that do not already have AML/CFT programs

______________________________________________________________________

On August 28, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued two final rules.

The Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers Rule newly applies anti-money laundering/countering the financing of terrorism (AML/CFT) requirements to certain investment advisers that are registered with the Securities and Exchange Commission (SEC) and investment advisers that report to the SEC as exempt reporters. The Investment Adviser Rule was published in the Federal Register on September 4, 2024 and will become effective January 1, 2026.

The Anti-Money Laundering Regulations for Residential Real Estate Transfers Rule will require certain industry professionals to report information to FinCEN about non-financed transfers of residential real estate to legal entities or trusts that present high illicit finance risk and will become effective December 1, 2025.

After numerous failed attempts to pass similar regulations reaching back as far as 2003, the adoption of these rules marks the most significant change to the AML/CFT regulations in decades. According to Treasury Secretary Janet Yellen, “these two rules … close critical loopholes in the U.S. financial system that bad actors use to facilitate serious crimes.” In its press release, FinCEN framed the promulgation of these rules as part of an ongoing effort to combat “illicit finance” and protect U.S. national security.

The Investment Adviser Rule

In February 2024, the U.S. Treasury Department published its 2024 investment adviser risk assessment, focusing on the lack of comprehensive and uniform AML/CFT obligations within the investment adviser industry. Historically, investment advisers have not been included in the laundry list definition of “financial institution” under the Bank Secrecy Act (BSA) or its implementing regulations. As a result, investment advisers have not been required to maintain an AML/CFT program, file suspicious activity reports (SAR), or conduct customer due diligence (CDD) (including implementing a customer identification program (CIP)). According to the Treasury Department, these gaps in uniformity lead to the exploitation of the investment advisory sector by illicit actors and deprive law enforcement, regulators, and other authorities of useful information.

In an attempt to mitigate the illicit finance risks highlighted in the 2024 risk assessment, the Investment Adviser Rule:

  • Brings certain investment advisers within the scope of financial institutions that are required to comply with a variety of AML/CFT requirements.
    • Covered investment advisers under the new rule include certain registered investment advisers (RIAs), exempt reporting advisers (ERAs), dual registrants (RIAs that are also registered broker-dealers, banks, or bank subsidiaries), and foreign-located investment advisers that are registered or are required to register with the SEC.
    • The term “investment adviser” will not include state registered advisers, foreign private advisers, family offices, or RIAs that are registered with the SEC solely as a mid-sized adviser, multistate adviser, pension consultant, or adviser that does not report any AUM on a Form ADV.
  • Requires covered investment advisers to develop and implement a written risk-based and reasonably designed AML/CFT program that:
    • Implements internal policies, procedures, and controls reasonably designed to prevent money laundering, terrorist financing, or other illicit finance activities.
    • Provides for independent testing of the AML/CFT program on a risk-based schedule.
    • Designates an employee of the investment adviser (or an affiliate) to be responsible for implementing and monitoring the operations and internal controls of the AML/CFT program.
    • Provides ongoing AML/CFT employee training.
    • Implements appropriate risk-based procedures for conducting ongoing CDD similar to existing CIP obligations for banks, which must include:
      • Identifying and verifying the identity of the customer.
      • Identifying and verifying the identity of the beneficial owners of legal entity customers opening accounts.
      • Understanding the nature and purpose of customer relationships to develop a customer risk profile.
      • Conducting ongoing monitoring to identify and report suspicious transactions and maintain and update customer information.
    • Has been approved in writing by a board of directors or similar governing body.
  • Permits covered investment advisers to contractually delegate the implementation and operation of the investment adviser’s AML/CFT program so long as the investment adviser remains responsible for program compliance and ensures FinCEN and the SEC are able to obtain relevant information and records relating to the AML/CFT program.
  • Requires covered investment advisers to file SARs within 30 days for any suspicious transaction conducted by, at, or through the investment adviser if the adviser knows, suspects, or has reason to suspect that a transaction:
    • Involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity.
    • Is designed, whether through structuring or other means, to evade BSA requirements.
    • Has no business or apparent lawful purpose and the investment adviser knows of no reasonable explanation for the transaction after examining the available facts.
    • Involves the use of the investment adviser to facilitate criminal activity.

    Examples of suspicious activity that would require an SAR may include:

    • Transactions designed to hide the source or destination of funds.
    • Fraudulent activity.
    • Investors in private funds requesting access to detailed nonpublic technical information about a portfolio company that is inconsistent with a professed focus on economic return.
    • Unusual wire activity that does not correlate with a customer’s stated investment objectives.
    • Transferring funds or other assets involving third-party accounts with no plausible relationship to the customer.
    • Transfers of funds or assets involving suspicious counterparties.
    • Unusual withdrawal requests by customers with ties to activity or individuals subject to U.S. sanctions following or shortly before news of a potential sanction listing.
    • Transactions involving potential fraud and manipulation of customer funds directly by the investment adviser (such as insider trading, market manipulation, or unusual wire transfer requests by an investment adviser from a private fund’s account held for the fund’s benefit at a qualified custodian).
  • Imposes recordkeeping and “travel rule” compliance obligations that require covered investment advisers to create and retain records for extensions of credit and cross-border transfers of currency, monetary instruments, checks, investment securities, and credit exceeding $3,000.
  • Requires covered investment advisers to report transactions in currency over $10,000 on currency transaction reports (CTRs) rather than Form 8300.
  • Requires covered investment advisers to apply an AML/CFT program to “all advisory services” (e.g., the management of customer assets and the submission of customer transactions for execution) provided to all customers other than mutual funds that have AML/CFT programs in compliance with the preexisting AML/CFT program requirements that apply to mutual funds, bank- and trust-company-sponsored collective investment funds, and other investment advisers subject to the Investment Adviser Rule.
  • Confirms that dual registrants are not required to establish multiple or separate AML/CFT programs so long as a comprehensive AML/CFT program covers all the dual registrant’s applicable legal and regulatory obligations.
  • Amends FinCEN’s information sharing, special due diligence, and special measures procedures to expressly bring covered investment advisers within the scope of such procedures, thereby imposing obligations on these covered investment advisers to provide certain information upon request by FinCEN while also allowing them to access confidential information from other financial institutions through 314(b) programs.
  • Delegates FinCEN’s examination authority over covered investment advisers to the SEC but does not delineate any specific examination guidelines. According to the final rule, FinCEN anticipates that the SEC will review compliance with the Investment Adviser Rule by incorporating its requirements into the SEC’s risk-based examination program.

Comments and Key Takeaways

When FinCEN published the proposed rule on this topic, many investment adviser groups stood in stark opposition – a sentiment that was clearly reflected in comments submitted in connection with the proposed rule. In response to comments received, FinCEN made several adjustments to the Investment Adviser Rule before adopting it in final form; however, the overall response to the final rule has been mixed. While some stakeholders were encouraged by FinCEN’s responsiveness to at least some comments, groups representing investment advisers maintain that the rule still presents several issues.

For example, in its official statement, the Investment Adviser Association believes the Investment Adviser Rule is “too prescriptive in certain of its specific requirements, which will make it more difficult for advisers to tailor their programs accordingly” and that it “will also impose undue burdens on smaller firms.”

Ultimately, the final rule imposes a litany of new rules and requirements, each with specific nuances. While many larger investment advisers already have AML/CFT programs in place as a best practice and to comply with contractual obligations, the final rule is likely to impose a heavy burden on smaller firms. For covered investment advisers that have not voluntarily implemented AML/CFT programs or those that are not associated with a bank or broker-dealer, these new compliance obligations will require significant time and attention. Investment advisers that have voluntarily implemented AML/CFT programs or have such programs in place as a result of a bank or broker-dealer relationship should carefully evaluate the sufficiency of the program to prepare for regulatory scrutiny.

As investment advisers prepare for the Investment Adviser Rule to take effect, covered investment advisers should:

  • Consider whether they are adequately resourced to run a comprehensive AML/CFT program in house or if they should enlist a third-party administrator.
  • Review existing third-party administration agreements to (1) ensure the functions the administrator has agreed to perform are in compliance with the Investment Adviser Rule; and (2) confirm the investment adviser’s ability to sufficiently oversee compliance and respond to recordkeeping and information requests.
  • Review existing or develop and implement new AML/CFT program policies and procedures.
  • Prepare a written response in anticipation of pushback from legal entity investors that do not wish to share beneficial ownership information.
  • Develop and implement SAR and CTR monitoring and filing policies and procedures.
  • Incorporate AML/CFT compliance into annual reviews in anticipation of SEC examinations in connection with the Investment Adviser Rule.
  • Consider potential costs associated with implementation and maintenance of a comprehensive AML/CFT program.

Alston & Bird is well-equipped to help clients navigate this new regulatory landscape. Our team of experienced regulatory attorneys can help covered investment advisers develop, implement, and review AML/CFT programs, and our team is prepared to provide guidance and support as covered investment advisers prepare for the Investment Adviser Rule to take effect.


Originally published September 5, 2024.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services, Investment Funds, or White Collar, Government & Internal Investigations Teams.

Financial Services Advisory: FDIC Proposes Rule to Revise Brokered Deposit Regulations and Issues Request for Information on Deposit Data

Executive Summary

In a proposed rule and information request, the Federal Deposit Insurance Corporation expressed its concerns with the current brokered deposit restrictions and reporting requirements. Our Financial Services Team zeroes in on what insured depository institutions should know.

  • The rule would effectively expand the definition of a “brokered deposit”
  • The rule would amend the primary purpose exception and eliminate the exclusive placement arrangement exception
  • The rule would revise or eliminate certain designated business exceptions

_______________________________________________________________________________

On July 30, 2024, the Federal Deposit Insurance Corporation (FDIC) approved a notice of proposed rulemaking relating to the agency’s safety and soundness rules on brokered deposits and issued a request for information (RFI) on deposit data that is not currently reported in the required regulatory reports. The proposed rule would:

  • Revise certain provisions of the “deposit broker” definition.
  • Amend certain aspects of the primary purpose exception (PPE).
  • Eliminate the exclusive placement arrangement exception.
  • Revise or eliminate certain designated business exceptions.
  • Provide guidance on how FDIC-insured institutions can regain their lost “agent institution” status.

Through the RFI, the FDIC is seeking information on certain characteristics that the agency believes affect the stability and franchise value of different types of deposits to determine whether more detailed or more frequent reporting on these characteristics or types of deposits would enhance regulatory risk oversight.

The Proposed Rule

The FDIC previously updated its brokered deposit rules in 2020. The 2020 rule broadened and clarified several exemptions to the brokered deposit definitions and, as a result, allowed banks to classify many deposits as “core” deposits that might have previously been classified as brokered deposits. According to FDIC data, insured depository institutions (IDIs) reported a 31.8 percent decline (nearly $350 billion) in brokered deposits between the first and second quarters of 2021 after the 2020 rule became effective. The proposed rule would roll back many of the 2020 rule’s provisions, with the stated objective of broadening what constitutes a brokered deposit.

IDIs that are less than “well capitalized” are subject to limits on the acceptance, renewal, or rollover of brokered deposits. Further, regardless of capital level, the prudential agencies generally expect that the acceptance of brokered deposits will be a component of a diversified funding strategy and not a tactic to generate funding for rapid expansion or to engage in risky banking activities.

Under the current regulatory framework, a “brokered deposit” means any deposit that is obtained, directly or indirectly, from or through the mediation or assistance of a deposit broker. A “deposit broker” is defined broadly to include:

  • Any person engaged in the business of (1) placing deposits of third parties with IDIs; (2) facilitating the placement of deposits of third parties with IDIs (which includes “matchmaking activities”); or (3) placing deposits with IDIs for the purpose of selling those deposits or interests in those deposits to third parties.
  • An agent or trustee who establishes a deposit account to facilitate a business arrangement with an IDI to use the proceeds of the account to fund a prearranged loan.

The lion’s share of the proposed rule focuses on changes to the definition of “deposit broker” and exceptions thereto.

The proposed rule includes several significant changes, the most notable of which are:

  • Eliminating the exclusive deposit arrangement carveout so that any third party that meets the definition of “deposit broker,” including those involved in placing deposits at only one IDI, would be subject to the FDIC’s brokered deposit restrictions.
  • Reverting the PPE analysis to its status before the 2020 rule so that the PPE would only apply when an agent or nominee’s primary purpose in placing customer deposits at IDIs is for a substantial purpose other than to provide a deposit-placement service or FDIC deposit insurance for particular business lines.
  • Eliminating the ability of third parties to apply for a PPE. Each IDI wishing to rely on a PPE would be required to submit an application for the specific deposit placement arrangement that it has with the third party.
  • Removing the term “matchmaking activities” from the definition of “deposit broker” and replacing it with a “deposit allocation” standard, which can include the provision of services to affiliates.
  • Adding new factors to be considered as part of the PPE application, including whether:
    • The IDI or customer pays fees or other remuneration to the agent or nominee for deposits placed with the IDI and the amount of such fees or other remuneration, including how the amount of fees or other remuneration is calculated.
    • The agent or nominee has discretion to choose the IDIs at which customer deposits are or will be placed.
    • The agent or nominee is mandated by law to disburse funds to customer deposit accounts.
  • Requiring IDIs to provide copies of all contracts relating to the deposit placement arrangement.
  • Changing the 25 percent designated business exception to a 10 percent broker-dealer sweep exception that would:
    • Only apply to a broker-dealer or registered investment adviser that, as agent or nominee, has less than 10 percent of its total assets under management in a particular business line placed into nonmaturity accounts at one or more IDIs.
    • Require an application for sweep programs that use one or more third parties, and prior notice where no additional third party is involved in the sweep program.
  • Eliminating the enabling transactions PPE and the corresponding notice process, and providing that:
    • IDIs currently relying on the enabling transactions PPE via the notice process would be required to file an application under the proposed PPE application process.
    • Applications previously approved under the application process for the enabling transactions PPE where interest, fees, or other remuneration is provided to depositors would be rescinded.

The proposed rule also requests comment on two alternatives to the proposed broker-dealer sweep exception:

  • Alternative 1: IDIs would be required to report all sweep deposits; however, IDIs receiving sweep deposits could apply for the general PPE. Under this alternative, whether a broker-dealer or registered investment adviser would meet the PPE would not be based on a de minimis amount of customer funds placed at one or more IDIs; rather, an IDI would be required to submit the required information listed under the general PPE application process.
  • Alternative 2: Apply the broker-dealer sweep exception only to a broker-dealer or registered investment adviser if:
    • The broker-dealer or investment adviser places or facilitates the placement of swept funds into nonmaturity accounts at an affiliated IDI.
    • The amount of swept funds is less than 10 percent of the total assets that the broker-dealer or investment adviser has under management for its customers.
    • The related fees paid by the IDI to the broker-dealer or investment adviser are flat fees (i.e., a per-account or per-customer fee) as payment for recordkeeping or administrative services and not payment for placing deposits.

Lastly, other than the changes made to the 25 percent designated business exception and the enabling transactions designated business exception, the proposed rule would retain the 2020 rule’s remaining designated business exceptions.

The RFI

The RFI is requesting more granular information on the composition and characteristics of uninsured deposits to help the FDIC determine whether more detailed or more frequent reporting on these characteristics or types of deposits would:

  • Enhance offsite risk and liquidity monitoring.
  • Inform analysis of the benefits and costs associated with additional deposit insurance coverage for certain types of deposits.
  • Improve risk sensitivity of deposit insurance pricing.
  • Provide analysts and the general public with accurate and transparent data following the bank failures that occurred in March 2023.

More specifically, the RFI sets out nine substantive questions regarding:

  • Current internal deposit information collection and reporting practices (questions 1–4).
  • Potential additional deposit data requirements (question 5).
  • Potential deposit insurance coverage reform (questions 6–9).

While the RFI does not by itself change any reporting requirements or insurance coverage, the FDIC hopes the information gathered will inform and improve current risk oversight practices and serve as a foundation for future reform.

Commentary and Key Takeaways

Taken together, the proposed rule and the RFI seemingly highlight the FDIC’s heightened concerns with current deposit restrictions and reporting requirements—especially in light of the March 2023 bank failures and subsequent failures thereafter.

The FDIC suggests that the proposed rule will help ensure uniform and consistent reporting of brokered deposits, reduce operational challenges and reporting burdens on IDIs, and further strengthen the safety and soundness of the banking system more generally. However, the proposed rule would walk back the 2020 rule’s provisions upon which the industry has relied. Interestingly, at the time the 2020 rule was approved, then-Director Martin Gruenberg issued a lengthy dissent, certain sections of which track almost verbatim with the preamble to the proposed rule.

In approving the proposed rule, the FDIC relies heavily on its 2011 Study on Core Deposits and Brokered Deposits. The study’s data, however, is stale and likely no longer reflects today’s market realities—the FDIC’s issuance of the RFI only bolsters this point. It would seem to be more advantageous for the FDIC to compile and distribute the RFI findings before proposing such substantial regulatory changes.

The proposed rule would narrow key exceptions that many IDIs rely on when determining whether to classify deposits as brokered deposits or nonbrokered deposits. The FDIC projects the proposed rule would substantially increase the number of deposits classified as brokered deposits by roping in deposits the agency believes are currently mischaracterized. An increase in brokered deposits could result in higher FDIC deposit insurance premiums and heightened scrutiny of IDIs, even if “well capitalized.”

Comments on both the proposed rule and the RFI are due within 60 days of their publication in the Federal Register.


Originally published August 20, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

Financial Services Advisory: Regulators Focus on Bank-Fintech Arrangements

Executive Summary
10 Minute Read

Through joint guidance and an information request, federal bank regulators underscored banks’ compliance responsibilities in their banking-as-a-service (BaaS) relationships with third parties. Our Financial Services Team unpacks what financial institutions and their counterparties need to know about navigating this evolving BaaS regulatory terrain.

  • Comprehensive governance and third-party risk management practices that clearly delineate the responsibilities of each party
  • Systems and controls to address operational and compliance needs, including timely access to relevant records and the development of appropriate contingency plans
  • Adoption of policies and procedures to prevent the misrepresentation of deposit insurance coverage

_________________________________________________________________________________

Amid recent scrutiny and enforcement activity in the banking-as-a-service (BaaS) space, federal regulators have issued a joint statement reiterating the importance of banks’ oversight of certain third-party relationships through sound risk management practices.

The July 25, 2024 joint statement by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency follows more general third-party risk management guidance the agencies updated in 2023 and a handbook the agencies released earlier this year to assist community banks in implementing such guidance. Like the 2023 guidance, the joint statement reiterates that a bank’s reliance on third parties does not diminish its responsibility to comply with applicable laws and regulations, and it highlights that banks often face increased risks that need to be mitigated when partnering with third parties.

While the agencies note that the joint statement does not alter existing legal or regulatory requirements or establish new supervisory expectations, it examines specific forms of BaaS relationships in more detail than prior guidance, identifying certain categories of risk and circumstances that the agencies have observed in the space and that have been the subject of recent public enforcement actions against banks. The regulators also issued a request for information (RFI) to gather insight into the nature and implications of these relationships and effective risk management practices.

The 2023 guidance largely restates previously published third-party risk management principles and applies to virtually any third-party relationship that a bank enters into (including referral arrangements and certain types of the bank’s own customer relationships). The joint statement, on the other hand, focuses on arrangements between banks and third parties to deliver bank deposit products and services. According to the joint statement, these third parties “sometimes include non-bank companies, such as, but not limited to, certain financial technology (or fintech) companies.” The RFI expands on this concept (including in connection with lending and payments services) to explore a stated interest in whether “enhancements to existing supervisory guidance may be helpful in addressing risks associated with these arrangements.” In this sense, the agencies articulate a new regulatory concept of BaaS and possible heightened supervisory expectations that may apply to it.

The RFI contrasts these bank-fintech arrangements with those involving “a core bank service provider or other third-party providers,” which the agencies suggest may “help or hinder” such arrangements. Both the joint statement and RFI seem to distinguish these arrangements from traditional core or similar providers based on (1) their complexity, including the involvement of multiple subcontractors or other intermediaries (including “middleware” firms); (2) the prevalence of a direct relationship between these providers and the relevant “end users” of the products and services; and (3) the degree of the bank’s reliance on fintech partners not only for engaging in direct customer communications but also for performing compliance functions. A major theme of the joint statement is that these factors can combine to outpace the ability of a bank to appropriately manage the risks such an arrangement poses to its customers and to its overall safety and soundness.

Although the joint statement expresses support for responsible innovation and banks’ engaging in BaaS relationships that are conducted in a safe and sound manner, the regulators focus on a number of areas where new risks may emerge or existing risks may be amplified, some of which have surfaced in recent enforcement actions and BaaS market dynamics. As general themes, the regulators highlight:

  • Operational and compliance risks that may develop when significant bank operations are performed in whole or in part by third parties, when there’s a lack of access to key records maintained by third parties, or when there’s a reliance on third parties to perform bank compliance functions.
  • Risks relating to growth, including misaligned incentives between a bank and the third party, operational capabilities that lag rapid growth resulting from BaaS arrangements, financial risks from rapidly increasing funding concentrations, and the potential inability to manage emerging liquidity risks when a significant proportion of a bank’s deposits or revenues are associated with a third party.
  • End user confusion and misrepresentation relating to the availability of FDIC deposit insurance coverage, including potentially misleading statements and marketing from nonbank third parties.

The joint statement and RFI exhibit an understanding of and specific interest in particular details of these arrangements that will be familiar to many who have developed or helped to document them, including:

  • Account Titling and Associated Recordkeeping. The RFI includes a request for feedback on deposit account titling and recordkeeping practices, and it recognizes that the bank’s “core deposit ledger may only include omnibus [end user] accounts,” often titled as “for the benefit of” or “FBO” accounts. The agencies question what controls exist to ensure the accurate exchange of information between banks and fintechs about these accounts and note the possibility that a bank’s lack of sufficient access to such information could lead to delays in end users’ access to deposits and associated legal and compliance risks.
  • Determining the Bank’s “Customer” for Regulatory Purposes. The technology or user experience layering associated with BaaS arrangements can lead to ambiguity in the application of existing laws and regulations that depend on whether the fintech, its end users, or both are “customers” of the bank. The RFI specifically refers to this issue in the context of customer identification program obligations under the Bank Secrecy Act and privacy-related obligations under Regulation P. Of particular importance to nonbank fintechs, a designation of an end user as a customer of both the bank and the fintech or solely as a customer of the fintech also potentially impacts the fintech’s independent regulatory obligations, especially under state and federal money transmission licensing and registration requirements.
  • Data Use and Ownership. The 2023 guidance identified data use and ownership as a risk consideration for banks, but the joint statement and RFI explore this issue in greater detail, including the degree to which the use of innovative data inputs and formats (such as for underwriting purposes) poses risks to banks. Other potential risks cited by the agencies in this regard include increased exposure to fraud and data security incidents based on the parties’ systems integration, as well as the use or access restrictions that the fintech may attempt to impose on data generated as part of a BaaS arrangement that the fintech regards as its proprietary information. Regulatory attention to this issue by these agencies could overlap with existing and possible future rulemaking by the Consumer Financial Protection Bureau, which is not a party to the joint statement or RFI, on open banking or digital wallets. The RFI specifically identifies larger firms (which, according to the RFI, are sometimes referred to as “Big Tech”) with multiuse technology platforms as among the types of “fintech” companies having bank partnerships on which the agencies are focused for purposes of their analysis.
  • Allocation of Responsibility. As with data rights, the 2023 guidance and prior regulatory pronouncements generally emphasize the importance of clear contractual and operational allocation of responsibility any time a bank partners with a third party to conduct activities, while the RFI and joint statement explore this issue in some depth, including the potential for gaps or delays to occur that could cause a bank to violate applicable law. In addition, the agencies observe that a bank’s lack of meaningful negotiating power relative to the fintech partner or the bank’s heavy reliance on revenue or liquidity from the fintech partner could impede the bank staff’s ability to effectively oversee and challenge critical aspects of the fintech’s performance. This consideration also implicates the role of middleware providers or other intermediaries engaged by a bank’s fintech partner whose contractual or other legal obligations to the bank may not be clear. These obligations may arise, if at all, through pass-through or other provisions of the bank-fintech agreement by which the bank seeks to rely on the fintech partner to enforce the bank’s expectations and to exercise appropriate monitoring and oversight of the middleware providers or other intermediaries.
  • FDIC Insurance Disclosures and Customer Confusion. The RFI and guidance identify the risk of end user confusion around the availability and terms of FDIC deposit insurance as a key risk of fintech partnerships that involve deposits. Citing aspects of advertising rules that the FDIC recently revised, including with respect to pass-through insurance disclosure requirements, the regulators indicate that bank-fintech arrangements pose unique risks in this regard given the tendency for end users to have a direct relationship with and visibility to a bank’s fintech partner, whom the end user may view as its primary provider.
  • Brokered Deposit Treatment. The agencies did not directly address the issue of brokered deposits in the 2023 guidance, but it is a focus of both the RFI and the joint statement. The joint statement encourages institutions to conduct appropriate analyses to determine whether parties involved in the placement of deposits meet the definition of a deposit broker and whether deposits placed through a program require reporting as brokered deposits. Within days of the publication of the RFI and joint statement, the FDIC published proposed changes to aspects of the substantial overhaul to brokered deposit rules finalized by the agency in 2020, including their “primary purpose” exceptions. In this proposal, the FDIC specifically notes that certain operational and liquidity problems it has observed since 2020 (including in connection with high-profile bank and nonbank insolvency events) can be attributed, in part, to rapid growth based on banks’ reliance on middleware fintech companies and the volatility of some bank-fintech deposit placement programs.

The joint statement references the 2023 guidance along with various other previous advisories and policy statements on bank safety and soundness expectations relating to managing third-party risk and the importance of board and senior management oversight. It also highlights examples of effective risk management practices, providing banks with an opportunity to review and potentially refresh their existing risk management practices and governance mechanisms to align with those in the joint statement. It may also be productive for fintechs to assess whether their own operational and compliance processes can support the regulatory expectations to which their partner banks are subject. According to the agencies, effective risk management practices include:

  • Comprehensive governance and third-party risk management practices, including risk assessments tailored to the specific features of each third-party arrangement, with appropriate due diligence and contracts that clearly delineate the roles and responsibilities of each party.
  • Systems and controls to manage operational and compliance implications, including risk-based contingency plans or exit strategies to address the disruption or business failure of the third party that could affect end-user access to funds, and ensuring effective complaint management and resolution.
  • Adequate structures to ensure bank compliance with applicable Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) rules and sanctions requirements.
  • Management of growth, liquidity, and capital implications, including contingency funding plans in the event of unexpected customer withdrawals.
  • Adoption of policies and procedures to prevent the misrepresentation of deposit insurance coverage.

As the BaaS market continues to develop, both banks and fintechs should consider contributing to the regulatory dialogue through responses to the RFI. Responses are due on September 30, 2024.

The RFI could lead to a number of regulatory initiatives designed to increase the requirements associated with BaaS arrangements or even expand the agencies’ ability to supervise nonbank fintech firms directly, such as under existing Bank Service Company Act authority. In the meantime, the joint statement and RFI provide a road map for banks and fintechs in the BaaS space that outlines corresponding risk management expectations of the prudential U.S. bank regulators, and these publications can be expected to reflect and influence the way in which examiners oversee such arrangements.


Originally published August 8, 2024.


New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile. Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate-related financial and operational risks, and hold management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted by climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report their efforts to monitor climate-related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations. This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year. It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.