Cross River Bank recently found itself in hot water with the FDIC when the agency declared that the bank engaged in unsafe or unsound banking practices in relation to its compliance with fair lending laws and regulations, specifically the Equal Credit Opportunity Act and the Truth-in-Lending Act. Now, the bank is required to receive FDIC approval for all new third parties and credit products. Oof.
Cross River is a household name in Banking-as-a-Service (BaaS). It has more than 80 fintech partnerships including Coinbase, Upgrade, Affirm, Best Egg, Divvy, Rocket Loans and Stripe. The FDIC Consent Order is going to impact all partnerships going forward. In effect, Cross River is in time out.
According to an email statement to Bloomberg, Cross River anticipates that the order will not significantly affect its growth because several of the improvements mandated by the order have already been implemented, while it will address the remainder within the next few months. How long the time out is and how significant this FDIC ruling affects its growth remain to be seen.
At a high level, BaaS is straightforward. By “renting” out a charter to a fintech company, a bank can create new revenue streams while also diversifying its businesses. The fintech can take advantage of the bank’s established infrastructure and regulatory compliance to offer banking services to its customers without going through the hassle of obtaining a charter.
It sounds like the perfect partnership: The fintech company takes on most of the costs around customer acquisition and banks get a portion of the interchange or fee income generated by those customers.
If only it were so easy.
While nearly half of financial institutions surveyed for Cornerstone Advisors’ 2022 and 2023 What’s Going On In Banking studies had BaaS on their radar for a future strategy, those currently pursuing a BaaS strategy, in the process of developing a strategy or considering a strategy all declined year over year. Those that have never discussed or completely ruled out a BaaS strategy increased.
And headlines around both banks and fintechs are not stoking optimism. Before Cross River, MoneyLion and Blue Ridge Bank were big news and brought compliance into the limelight. For fintech firms, knowing whether a program could violate a law is table stakes for compliance.
According to recent research from Cornerstone Advisors, by 2026, 300 banks in the United States will be providing BaaS services, generating $25 billion in revenue. An individual bank serving one million consumers and 300,000 commercial accounts could generate roughly $41 million in annual non-interest income – $17 million from consumer accounts and $24 million from commercial accounts.
For banks, navigating the choppy waters of compliance in bank-fintech partnerships will take work. It will take a proactive approach that prioritizes ongoing compliance monitoring and risk management. And regulators have made it clear that ignorance of the law is no excuse.
But fear not, compliance-conscious compadres. Here are five ways to help you prevail over these challenges, regardless of whether there is already a BaaS program in place or the bank is about to set sail with one.
Study the regulatory requirements that apply to the partnership inside and out. This means federal and state laws and regulations, including those surrounding consumer protection, anti-money laundering and data privacy. Don’t leave any loopholes unchecked.
Research the fintech’s business operations, leadership, financial stability and regulatory compliance history. Most importantly, investigate who it is targeting, the why and what of the monetization strategy, and the unit economics behind that strategy to ensure the fintech’s story aligns with the bank’s strategic goals and values.
Outline the roles and responsibilities of both parties in ensuring ongoing compliance and agreement. Don’t get complacent. The partnership does not diminish the bank’s responsibility to operate in a safe and sound manner and comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations – just as if the bank were to perform the service or activity itself.
Monitor the fintech’s compliance on an ongoing basis, including regular audits and reviews. Keep the fintech partner honest and informed of the findings, ensure each partner is aware of its responsibilities, and don’t let any compliance issues go unnoticed. A snag in the compliance program is a risk to all parties involved. If an issue does arise (and let’s face it, it probably will), establish a remediation plan to address the problem and ensure ongoing compliance.
Knowledge is power in this game. Stay up to date on regulatory changes that may impact the partnership and news surrounding other bank-fintech partnerships. For instance, last year, Nacha raised the ACH transaction limit to $1 million. Dealing with people’s money and data are two of the most important regulated pieces of a consumer’s identity. Increasing the limit means that fintechs offering ACH to their customers need to be ever more diligent around fraud. Even more so, new regulations could start popping up around artificial intelligence and if and how this begins to impact various aspects of AML.
The BaaS industry is in hot water. If banks and fintechs are to realize the rewards of this potentially lucrative industry, they’re going to have to learn to play by some non-negotiable rules – together. Only when both sides actively and transparently participate as stakeholders in the partnership will they be able to successfully manage the risk.
Elizabeth Gujral is a senior consultant at Cornerstone Advisors. Follow Elizabeth on LinkedIn.