Rose Oswald PoelsBy Rose Oswald Poels

Every fall, I travel to Washington D.C. with a small group of bankers to visit regulators. During this trip, we nearly always meet with staff from Consumer Financial Protection Bureau (CFPB).

Since CFPB’s inception, we inevitably encourage the CFPB staff during each of these annual visits to focus more on the non-bank financial organizations that operate in the traditional “banking” space. Nearly every time we have this conversation, they nod and share that they provide this type of supervision typically through a complaint-based system. This means that if enough consumers complain about a particular financial organization (not a regulated bank), they will investigate and take whatever action they deem appropriate. Certainly, this has been incredibly frustrating for bankers to hear over the years given that many non-bank actors contributed to the causes of the Great Recession back in 2008 and 2009 and CFPB’s mission is that of protecting consumers. It has been too easy for CFPB to focus on the banking industry through their rulemaking and enforcement authorities since banks are easier to find with traditional brick-and-mortar offices.

I was pleasantly surprised to learn recently, however, that the CFPB has focused some of its attention on the non-bank financial industry by assessing fines to fintech companies for actions that have ultimately harmed consumers. Specifically, CFPB recently levied a $2.7 million fine against lender Hello Digit for a range of issues including misleading marketing claims such as “no overdraft fees.” This claim of no overdraft fees was one of several promises made to consumers by Hello Digit that were, in fact, not always true. Other fintechs have made similar claims regarding no overdraft fees as well, including digital lender Chime, that have turned out to be misleading or only true in a limited set of circumstances.

At the same time, the FDIC recently issued cease and desist orders against five crypto firms for making false or misleading statements suggesting that their digital assets were FDIC-insured. According to the FDIC, each of these companies made false representations on their website and social media accounts stating or suggesting that certain crypto-related products are FDIC-insured or that stocks held in brokerage accounts are FDIC-insured. As we all know, these representations are false and misleading.

There are many fintechs that are working to do the right thing and help improve the financial industry through technological efficiencies, but some reasonable level of regulation and oversight is important for these institutions just like banks. These recent regulatory actions against non-bank financial organizations are good reminders that it is important to continue sharing our concerns with regulatory agencies related to non-bank actors and to continue to stress to our clients and the public how trustworthy banks are.

If you are interested in accompanying me on a future fall regulatory agency trip to D.C., please let me know and I will add you to the list. I try to keep the group small, limited to 12 bankers, to ensure meaningful dialogue with the regulatory agencies. Bankers who have joined me in the past have found this trip to be worthwhile given much of our frustration and burden comes from regulation. In the meantime, WBA will continue to advocate for the members on these and other issues affecting the industry.

Rose Oswald PoelsBy Rose Oswald Poels

I’m pleased to announce that the Wisconsin Bankers Association (WBA) is partnering with state bankers associations nationwide and data provider FedFis to offer access to Bankers Helping Bankers to WBA members.

Bankers Helping Bankers is a bankers only platform for collaboration and research. Through data tools and dynamic user groups, Bankers Helping Bankers provides community bankers with a knowledge base focused on bank technology and emerging Fintech companies, as well as hot topics such as cryptocurrencies, banking as a service, and direct digital banking.

In October 2021, the Independent Bankers Association of Texas (IBAT) was the first state banking association to partner with FedFis, a provider of fintech data analytics and a strategy system which tracks financial, M&A, and vendor data (including technology vendors) on every bank and credit union in the United States. Since then, the exclusive, banker-only platform has been expanding to states across the nation.

Given the rapidly changing landscape of banking technology, it is hard to keep up through in-person events alone. Bankers Helping Bankers provides an additional way for bankers to connect with one another via forums and access a wide range of fintech data.

WBA continues to offer our WBA Connect and CEOnly/CFOnly peer groups that provide in-person and online networking for Wisconsin bankers only. Through the new collaboration with Bankers Helping Bankers, we aim to bring even more value to WBA members by offering an additional opportunity that lets bankers connect with their peers across the country, with a focus on banking technology.

If you or any member of your team would like to take advantage of the Bankers Helping Bankers opportunity, please fill out the form to gain access to the platform. You will receive an email within a couple of weeks with details on how to create your account.

BNPL already making a dent in banks’ profits

By Paul Gores

When Joe Sullivan decided to buy a Peloton home exercise machine, he pulled out a credit card to pay for it. But the salesman stopped him.

“The guy says, ‘Oh no, no. You don’t need that. We can do this. You can pay 0% interest. You can pay over time,’” Sullivan recalled.

The Peloton salesman asked whether Sullivan had a cell phone. When he said yes, the salesman texted a link to his phone — an application that took about 30 seconds to complete.

“It was approved, and within three minutes the loan documents were in my email,” said Sullivan, who is chief executive officer of the consulting firm Market Insights Inc. in Seattle. “I completed this entire transaction on my mobile phone. The whole thing took less than five minutes.”

The speed and ease of that transaction — along with the promise of 0% interest over the payment period — are among reasons banks should pay heed to the rapid rise of Buy Now Pay Later firms, Sullivan said.

There’s no question they cut into banks’ credit card business, and payment systems run by BNPL firms like Affirm (the company used in Sullivan’s 2020 Peloton purchase), Klarna, and Afterpay are especially attractive to millennials and Generation Z, who have learned to do — and expect to do — much of their business on a mobile phone.

“It’s going to be a huge disrupter. It already is,” said Sullivan. “It’s going to hit the traditional providers of consumer credit more. It means less credit card business, it means lost interchange revenue, it means less interest rate and fee income.”

While BNPL firms aren’t new, their growth has been explosive in the last few years. A 2021 report by the consulting firm Accenture said the number of BNPL users in the U.S. had increased by more than 300% since 2018, reaching 45 million active users in 2021 — users who were spending more than $20.8 billion.

“This is equivalent to 2.4% of U.S. online retail and 12% of U.S. online fashion retail,” Accenture stated.

Accenture predicted BNPL transactions would reach 10% of all e-commerce nationally by 2024.

“The growth of Buy Now Pay Later is pretty astronomical,” said Michael Emancipator, vice president and regulatory counsel for the Independent Community Bankers of America.

Emancipator cited the Accenture report as evidence.

“When you see numbers like that, it does make you sit up and take notice. And there are other entities — other startups — that are also taking notice and see that as a growth area,” he said. “I think it stands to reason that it’s only going to grow more as more startups see that as a potentially lucrative opportunity.”

The expansion of BNPL firms has the attention of bank trade associations and regulators, such as the Federal Reserve Bank of Kansas City, which published a new report on the industry in December.

The Kansas City Fed report stated BNPL is “already making a dent in banks’ profits.”

“According to McKinsey’s Consumer Lending Pools data, over the past couple of years banks lost $8 billion to $10 billion in revenue per year to fintechs offering BNPL products,” the Fed reported. The Fed also reported that a survey by C+R Research found 38% of BNPL users said BNPL would eventually replace their credit cards.

The Fed noted: “BNPL products may be more appealing than credit cards. Unlike credit cards, BNPL products can be approved without a full credit check and offer consumers flexible financing options, transparent terms, predetermined repayment schedules, and lower or no interest fees.”

Millennials and Generation Z consumers tend to eschew credit cards, given their general dislike of high-interest debt, the Kansas City Fed said. For those groups, the Fed said, point-of-sale BNPL may be a more attractive option. For merchants, BNPL products offer the ability to settle sales quickly, with BNPL providers assuming the risks of chargebacks and fraud, the Fed said.

BNPL firms already have thousands of partnerships with merchants large and small, and are seeking more. For instance, Amazon said last summer it would join with Affirm to let customers break up purchases of $50 or more into monthly installments. Here in Wisconsin, Dodgeville-based clothing retailer Lands’ End has employed PayPal’s “Pay in 4” system. With Pay in 4, a customer pays a down payment at the time of purchase, followed by three payments, each two weeks apart.

Accenture said BNPL is used most often for purchases of electronics, fashion, home goods, and health and beauty goods, but the potential for growth is huge.

To deal with BNPL’s encroachment on their lending business, some banks have engaged with BNPL fintechs in partnerships of their own, while others are trying to offer similar products to their customers.

Sullivan said no matter a bank’s business model, all banks should be addressing the rise of BNPL.

“They have to know that this is out there and not say, ‘Well, this doesn’t apply to us because we don’t offer credit cards anyway,’” he said. “That’s not the point. What they have to pay attention to is what is it that consumers are really needing, and this ease-of-use idea is really, really critical.”

While large banks with greater resources might find it easier to cope with increasing competition from BNPL firms, community banks also need to be looking into what they can do, Sullivan said.

“It’s definitely more difficult. It’s personnel and technical management. They need different people with different skill sets, they need different technologies, and that’s where community banks are behind,” he said.

Banks will need to have technology through which they can offer merchants the BNPL option, he said. It could come via firms like Amount, which has white label BNPL products that a bank could obtain.

“That’s the key here. There’s white label products for this kind of thing out there that would allow a smaller institution to get into the space,” Sullivan said. “They obviously can’t get into the Amazons and Best Buys and the Targets, but they could collaborate with a good partner to offer these BNPL services.”

Among merchants that could use a community bank’s BNPL service: doctors, dentists, and auto repair shops. Unless the customer were paying with a debit card, larger expenses like those typically would go on a credit card. But a no-interest BNPL transaction might be more appealing, and help customers budget for their larger costs.

Emancipator said his organization is concerned that BNPL is another fintech offering bank-like products without having to comply with regulations and consumer protections banks must follow.

Consumer data privacy is one possible issue, he said. Some research suggests BNPL firms are “offering these products at a loss to pretty much gobble up the consumer data,” he said.

“And then they use that for cross marketing purposes, or just simply selling that to other merchants to get a better sense of the consumers from that perspective,” Emancipator said. “Banks don’t do that.”

Last November, the U.S. House Committee on Financial Services held a hearing titled, “Buy Now, Pay More Later? Investigating Risks and Benefits of BNPL and Other Emerging Fintech Cash Flow Products.” In that hearing, Penny Lee, CEO of the Financial Technology Association, stated that BNPL is a new generation of fintech innovators that offer consumers new payment options that can reduce debt and alleviate budget stress.

“Americans on average pay approximately $1,000 per year in interest on revolving credit card debt, and credit card interest rates are amongst the highest as compared to other major consumer finance product categories,” Lee said.

In her written testimony, Lee said a survey found that BNPL users are predominantly female and younger, with millennials and Gen Z customers making up the vast majority of users. She said
the user base also includes lower-income consumers, which may reflect a lack of access to traditional forms of credit or bank services.

“BNPL products are structured to have payment terms that require consumers to pay for a purchase in a matter of weeks or a few months,” Lee said. “This contrasts with revolving credit and high interest products that may take years to pay down, blur the cost impact of a purchase, and oftentimes keep consumers in a vicious cycle of debt due to continuous interest charges or rollovers.”

Lee also asserted that the BNPL industry already is subject to “robust regulation.”

“All BNPL products are subject to key consumer protection laws and regulations, including around anti-money laundering, fair lending, credit reporting, debt collection, privacy, fair treatment of customers, and electronic fund transfers,” Lee stated. “They also are subject to similar state consumer protection laws.”

But Emancipator said BNPL firms should have to follow rules similar to the
rules banks face.

“Right now our position is more so to cast a light on these fintech players that are just growing all the time — casting a light that they need to have the same set of rules, abide by the same set of rules, that community banks do,” Emancipator said. “That’s the best way to have fair competition, but it’s also, at the end of the day, the best way that consumers are being protected.”

Sullivan said there are about 170 BNPL firms right now, and some consolidation is probable, with the strongest ones surviving.

“Banks will likely partner with fintech firms to enter the space,” Sullivan said. “And Buy Now Pay Later fintechs are going to rush to partner with banks to comply with new regulations that are undoubtedly probably going to come.”

He said BNPL is “here to stay.”

“Ultimately, regardless of regulation and consolidation, consumer demand for this kind of credit flexibility will fuel growth for years to come,” Sullivan said.

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Rose Oswald PoelsBy Rose Oswald Poels

Last week for the first time in two years, I was back in Washington D.C. with a small group of nine bankers from Wisconsin for meetings with banking regulators and a few members of Congress. Joining WBA was a delegation of six bankers and two staff from the Illinois Bankers Association. While our meetings with regulators were still virtual, all meetings were productive affording the smaller group of bankers ample time to ask questions and hear directly from senior officials about a wide variety of issues.

We began the first day in the afternoon with briefings from the FDIC and OCC. FDIC Board Director Martin Gruenberg led the conversation highlighting the fact that while the FDIC anticipated stress in the banking system heading into the pandemic that did not materialize and notably, there have not been any bank failures in 2021. Areas of focus for the FDIC remain on commercial real estate, tailoring climate change risk concerns based on the impact to different markets and/or the size of the institution, and on the impact of non-bank companies to the financial system. OCC Acting Director Michael Hsu led the discussion with bankers emphasizing his support for community banks, his understanding of the need to tailor regulation to the size and complexity of each institution, and robust discussions around both FinTechs and climate change.

The next day featured conversations with FinCEN and CFPB. Naturally, the discussion with FinCEN was largely around the status of their development of a beneficial ownership registry which remains in process. Until one is finally launched, banks will still have to follow the current beneficial ownership rules. A representative from FinCEN’s Financial Intelligence Division indicated that they have seen an increase in all types of crime notably COVID-19 fraud, work at home scams, cyberthreats of all types (e.g. ransomware and account takeovers), and illicit use of cryptocurrency. The primary focus of our conversation and questions with the CFPB was around the upcoming Section 1071, small business data collection proposal. The bankers took turns stressing the hardships of the current proposal and asking for an extension of the comment period deadline so that the industry had adequate time to respond to the many issues raised in the over 900-page document. CFPB staff indicated that they have been in meetings with the core providers on this proposal already to help prep them ahead of time so that data collection would be easier once the proposal is finalized.

These meetings are impactful largely due to the proactive engagement of the bankers in the room. I encourage you to take advantage of these opportunities as they arise and be involved because each regulator we met with unequivocally stated they want to hear directly from bankers about the impact proposals have on their operations. While WBA certainly represents the industry’s concerns, bankers truly make the best advocates in sharing specific examples about the impact on the operations of individual banks.

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance; which, for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provide useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provide useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how in evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework, better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that by banks evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls, such review helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provide a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. A community bank that contemplates how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced) may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractors’ inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.


The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

To date, while some federal agencies have made public statements, Congress has not exercised its constitutional power under the commerce clause to regulate cryptocurrencies and blockchain technology to the exclusion of the states. This means that the states remain free to enforce their own legislation. Sixteen states have enacted legislation related to virtual currency or cryptocurrencies and nine states have enacted or adopted laws that reference blockchain technology. 

To help assist lawmakers (and the general public), the State of Wisconsin Legislative Reference Bureau (LRB) created a summary that highlights the responses of major economic players as well as innovative practices on cryptocurrency and blockchain technologies. The report is designed to help gain a broad perspective of the current global regulatory market and the breadth of proposals for further policy and legislative guidance. Cryptocurrency, a subset of digital currency, is held up by some as the "currency of the future," and the technology that allows its existence could revolutionize business and government. 

As cryptocurrency becomes more mainstream, governments around the world have taken the first steps toward regulation; however, advances in technology frequently outpace legislation. The LRB report describes the principal characteristics of cryptocurrencies and the underlying technology that enables its existence-decentralized, distributed ledgers based on blockchains. The report then details recent developments in regulations in the United States by various federal regulatory and enforcement agencies and the most relevant case law. Finally, the report explores developments at the state level and summarizes the global regulatory landscape of international responses to the regulation of cryptocurrency. 

How Blockchains Work: A Sample Case Study

  1. Charlotte and Susie download digital wallets, providing the encryption keys necessary for the transaction. 
  2. Charlotte creates a message requesting a $15 transaction to repay Susie for dinner. The message is encrypted using Susie's public key, ensuring that only Susie can decrypt the message using her private key. The message also includes Charlotte's private key to validate her status as the initiating entity.
  3. The message is broadcast to a peer-to-peer (P2P) network consisting of private computers, or nodes. 
  4. The network validates the transaction and Charlotte's user status, then records and time-stamps it to verify that the cryptocurrency has changed possession. 
  5. The transaction is combined with other transactions to create a new block of data for the ledger.
  6. The new block of data is added to the existing blockchain in a way that is permanent and unalterable.

If you'd like to read the full LRB report please visit

By, Amber Seitz

Resurgence of rare charter may reshape the banking industry

The FDIC has two decisions to make that will have a tremendous impact on the financial services industry. On June 6, online personal finance company Social Finance, Inc.* (better known as "SoFi") applied for an industrial loan charter (ILC) for the purposes of offering FDIC-insured NOW deposit accounts and credit card products—this in addition to the student loan refinancing, mortgages, and personal loans the company already offers its customers. The de novo would be chartered in Utah under the name SoFi Bank. On September 7, payments giant Square filed its application** for a Utah-based ILC for the purposes of expanding its lending arm—in addition to payments, Square also offers small business and consumer loans. While (at the time of this writing) the FDIC has yet to take action, approval or denial of these applications will set the stage for the next phase of bank-fintech relations. 

Historical Context 

Now state-chartered companies operating with federal deposit insurance, the ILC business model has been in existence since the early 1900s. Since their inception, non-bank retail companies have used these entities primarily to make consumer finance loans in order to sell their products, explained Attorney James Sheriff, partner at Reinhart Boerner Van Deuren, s.c. For example, BMW, General Motors, and Target all had industrial bank subsidiaries (and some still do). "The charter allows commercial companies to own financial institutions that can take federally insured deposits," explained Attorney Patrick Neuman, partner at Boardman and Clark, LLP. This bucks the long-standing policy in the U.S. to separate commerce and banking, a policy created in 1933 by the Glass-Steagall Act and reinforced by the Bank Holding Company Act of 1956 (BHCA).

Only seven states currently have provisions allowing for ILCs: California, Colorado, Minnesota, Indiana, Hawaii, Nevada, and Utah (where the vast majority of industrial banks are headquartered). Due to their exemption from the BHCA, ILCs are regulated only by their chartering state regulator (the Utah Department of Financial Institutions oversees ILCs with over $143 billion in combined assets) and the FDIC. The Federal Reserve has no authority to regulate the activities of the parent company, which—unlike traditional charters—is not limited to activities that are substantially related to banking.

However attractive this charter may seem, it has not been a popular option in recent years. No ILC applications were filed between 2009 and SoFi's application in June 2017—a timeframe which includes a three-year moratorium imposed by the Dodd-Frank Act (lifted in 2013). The last company to garner attention for its ILC application was Walmart in the mid-2000s. Fearing the retail juggernaut's entry into retail banking, the banking industry successfully lobbied for laws in several states (including Wisconsin) prohibiting ILCs from having a banking facility within 1.5 miles of a retail location owned by the same parent company. At the time, it was considered a great success. However, today's applicants aren't interested in physical retail locations. "Before, the goal was to bring consumers into the store in order to win their banking business," Sheriff explained. "Today, the brick-and-mortar isn't important, but rather wanting to expand financial products and services. It's a different threat."

Comparison of commercial and industrial bank charters

Renewed Appeal

The current financial services landscape is ripe for renewed interest in ILCs. Technological advances have made brick-and-mortar branches unnecessary and nation-wide reach attainable. However, banking's regulatory structure has not kept pace with the change. "Right now, in order to be a financer these companies need to get licensed in all states they do business in," Sheriff explained. One of the biggest attractions of an ILC is the federal pre-emption it offers. "Instead of 50 state regulators examining your consumer finance company, there's one state and the FDIC," he said. 

Another major draw of an ILC is that it allows the parent company to retain the flexibility to experiment that fintech startups are known for. "SoFi is a tech company and doesn't want to be hamstrung by the Bank Holding Company Act," said Neuman. "ILCs are not subject to consolidated supervision at the holding company level. That's a big advantage." 

Operationally, fintech companies like SoFi and Square would receive another important benefit from obtaining an ILC: a stable funding source. "Both companies make loans, and if they get an industrial loan charter they get access to federally insured deposits. Deposits are a significantly less expensive source of funding than investment capital or bonds," Neuman explained. The availability of government-backed deposits as a funding source would alleviate concerns over whether institutional funding is stable enough to weather an economic downturn or significant market fluctuation. 

What Happens If…

FDIC's approval of either pending ILC application would have profound implications for the future of the financial services industry. "If the FDIC decides to approve one of those applications, it could be a game-changer," said Neuman. "If either application is approved, there will be a flood of new applications." If SoFi or Square does receive an ILC, the banking industry will need to prepare for several long-term effects. 

First is a new, aggressive source of competition. "The most often-cited concern with ILCs is that they could lead to a concentration of economic power in banking," said Neuman. With ILC charters, giant technology retail companies like Apple, Amazon, and Google could offer the same products to consumers as banks. "They'd be behemoths to deal with in a consumer or small business banking sector," said Sheriff. In addition, those companies' data collection activities would not be restricted by the BHCA, enabling them to obtain and analyze consumer data that is not available to most banks. "That could seriously undermine a bank's ability to compete," said Neuman. One area where the competition could be especially fierce is in small business lending. "If the ILC option becomes more popular, and if small fintech lenders like Prosper get these charters, it would create a lot more competition for community banks in small business lending," said Sheriff. "It has some real potential detriments for community banks."

Another concern directly relates to SoFi's business model, which is driven by a focus on HENRY customers (High Earner Not Rich Yet). "Much of their business is student loan financing for professionals such as doctors and lawyers. There's concern in the industry that fintech lenders won't adequately serve the working class household or be able to meet CRA requirements," Neuman explained. "This type of business model could lead to a disproportionate allocation of credit." Banks can only speculate how the state regulators and FDIC will address CRA concerns with ILCs. 

Increased popularity of ILCs may also dampen partnerships between banks and fintech companies—partnerships that currently expand product and service offerings for many bank customers. "If FDIC starts approving these charters, there will be fewer partnerships between fintechs and banks," said Sheriff. "The fintech companies will no longer need to partner in order to get data and deposits." This is not conjecture. Former SoFi CEO Michael Cagney told TechCrunch the company plans to offer checking, deposit, and credit card services through a regional banking partner if the ILC application is not approved. 

Finally, ILC opponents see increased risk to the industry as a whole if these charters have a resurgence among technology companies. "What happens if one of these goes through and becomes huge, but then the parent company makes some wild bet and goes under? That could be a huge hit to the FDIC and the banking industry in general," Sheriff said. "Bank regulators aren't familiar with how to evaluate some of those widespread risks. We've separated banking and commerce for 85 years for a reason." The same concern applies to the potential for further increasing the market power of the "Big Five" (Amazon, Apple, Facebook, Google, and Microsoft) by adding banking services to their already diverse lines of business.

What if the FDIC denies the pending applications? Will community banks be able to breathe a sigh of relief and go back to business-as-usual? Probably not. "If these fintech companies don't get approval for an ILC, I believe they'll pursue other avenues, such as an OCC fintech charter," said Neuman. "Banks are going to see fintech as a real competitor in the lending space, and sooner rather than later." Influencer companies in the technology sector have set their sights on banking products, and they won't be easily deterred. "The bottom line is that there is activity in this area right now," said Sheriff. "This isn't hypothetical."

Boardman and Clark, LLP is a WBA Gold Associate Member. 
Reinhart Boerner Van Deuren, s.c. is a WBA Associate Member. 

*View a copy of SoFi's application here. On October 13, SoFi withdrew its application for an ILC charter as it undergoes a leadership transistion, but says "a bank charter remains an attractive option."
**Square's ILC will be named Square Financial Services, Inc., according to a Wall Street Journal report.

By, Amber Seitz


Join WBA and your fellow Retail, Sales, and Marketing peers from across Wisconsin for the gathering of the WBA LEAD360 Conference! The Conference will kickoff on November 16 at 9:30 a.m. and adjourn at Noon on November 17. 

Bank Member Registration: The registration fee is $350 for first attendee. Each additional attendee from your bank is $300 each additional attendee in-person*.

  • Registration includes networking meals and breaks, general sessions, breakout sessions, and access to the conference mobile app. Day Two Only Registration is $100/per attendee.

*To receive the published discount, you must register everyone at the same time.

Associate Member Registration:

  • Associate Members are encouraged to send their staff as well! The same registration fee is available to WBA Associate Members.
  • Interested in upgrading your presence? Register to be a conference sponsor to receive additional benefits and conference recognition!
  • Click on the Speakers and Agenda tabs for more information.  This Conference is for your Retail Bankers, Sales/Marketing Bankers, and Financial Literacy Bankers.

Associate Member & Exhibitor Registration Information:

WBA Associate Members can register to exhibit at the conference ($600/booth including 2 attendees; $250/additional booth attendee) or register as a non-exhibiting conference attendee ($350/attendee).

Please contact WBA’s Nick Loppnow at 608-441-1259 for more information.

  • Non-members are welcome to register to exhibit at the conference at the non-member rates ($1,000/booth including 2 attendees; $250/additional booth attendee)
  • Interested in upgrading your presence? Register to be a conference sponsor to receive additional benefits and conference recognition!

Fintech companies are dramatically changing the financial services industry. Many community banks are entering into business relationships with fintech companies to provide innovative products to enhance customer satisfaction, increase the bank’s efficiency, and reduce costs. Due diligence and risk evaluation have always been important components in a bank’s third-party risk management process, and this is especially important when “partnering” with fintech companies. This webinar will detail the specific items that bank regulators require you to consider when conducting due diligence and evaluating a fintech company. You’ll also learn the practical business issues to address when entering into such a relationship.

Attendance certificate provided to self-report CE credits.

Understand the regulatory and legal requirements of partnering with a fintech company
Explain both the bank and the fintech company’s roles and responsibilities in their relationship
Conduct the required regulatory due diligence
Properly evaluate the risks and benefits before entering into a relationship
Create the best relationship structure with a fintech company
Negotiate with a fintech company to obtain favorable contract terms

This informative session will benefit bank management, loan and deposit operations personnel, technology staff, new product staff, vendor management personnel, compliance officers, auditors, attorneys, and others involved in the strategic planning, due diligence, and evaluation processes.

Guide for community banks (published by the FDIC, OCC, and Federal Reserve) titled Conducting Due Diligence on Financial Technology Companies – A Guide for Community Banks
Due diligence checklist specifically designed to evaluate fintech companies
Employee training log
Interactive quiz

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your financial institution is prohibited. Print materials may be copied for eligible participants only.

Elizabeth Fast, JD & CPA, Spencer Fane LLP

Elizabeth Fast is a partner with Spencer Fane Britt & Browne LLP where she specializes in the representation of financial institutions. Elizabeth is the head of the firm’s training division. She received her law degree from the University of Kansas and her undergraduate degree from Pittsburg State University. In addition, she has a Master of Business Administration degree and she is a Certified Public Accountant. Before joining Spencer Fane, she was General Counsel, Senior Vice President, and Corporate Secretary of a $9 billion bank with more than 130 branches, where she managed all legal, regulatory, and compliance functions.


Live Webinar Access – $245
On-Demand Access + Digital Download _ $245
Both Live & On-Demand Access + Digital Download – $350