The Federal Deposit Insurance Corp. (FDIC) has recently heightened regulatory scrutiny of banks involved in banking-as-a-service (BaaS) partnerships with fintech companies, with Piermont Bank and Sutton Bank receiving notable enforcement actions in early 2024. These actions indicate significant deficiencies in these banks’ internal controls, compliance programs, and management of third-party relationships. This increased scrutiny arises as financial institutions increasingly collaborate with fintech companies to offer innovative products and services. Regulators have raised concerns about the risks associated with these partnerships, including issues related to compliance, anti-money laundering (AML) measures, and overall financial stability.
Piermont Bank: Unsafe and Unsound Practices
Piermont Bank, based in New York City, faced accusations of engaging in unsafe and unsound banking practices, according to the FDIC’s consent order. This order emphasized that Piermont’s internal controls and information systems were inadequate relative to its size, scope, and risk profile, particularly concerning its third-party relationships. Consequently, Piermont has been mandated to enhance its management oversight, risk monitoring, and AML and counterterrorism financing systems. Moreover, the bank is required to reassess its internal controls comprehensively, conduct an extensive review of its transactions since September 2022, and undertake a meticulous audit of Electronic Funds Transfer Act disputes dating back to August 2020.
Within 90 days, Piermont must evaluate its operational data, processes, and third-party relationships to ensure that they comply with regulatory standards and effectively manage risks. This evaluation is expected to identify any areas needing improvement and allow the bank to implement necessary changes to strengthen its risk management framework. Subsequently, within a 120-day period, the bank must refine its third-party relationship program to ensure that it aligns with regulatory expectations and mitigates potential risks. These measures aim to reinforce the bank’s overall operational resilience and compliance with regulatory standards, thereby reducing the likelihood of future enforcement actions.
Sutton Bank: BSA Violations and AML Overhaul
Similarly, Sutton Bank, located in Attica, Ohio, has faced allegations of engaging in unsafe banking practices and violations related to the Bank Secrecy Act (BSA). According to the FDIC, Sutton Bank must overhaul its AML and counter-financing of terrorism (CFT) program to bolster compliance with the BSA within 180 days. This overhaul involves developing robust third-party risk management policies, assigning program managers for critical oversight areas, such as customer identification and transaction monitoring, and establishing board-level compliance oversight. These measures aim to address the deficiencies identified in Sutton Bank’s practices and enhance the bank’s ability to detect and prevent financial crimes.
The development of robust third-party risk management policies is a crucial aspect of Sutton Bank’s required improvements. Effective third-party risk management ensures that the bank can identify, assess, and monitor potential risks associated with its partnerships with other institutions, thereby minimizing its exposure to financial and reputational risks. Additionally, by assigning program managers for customer identification and transaction monitoring, Sutton Bank aims to strengthen its oversight capabilities and ensure that these critical areas receive appropriate attention and resources. Establishing board-level compliance oversight further underscores the bank’s commitment to improving its compliance framework and maintaining regulatory standards.
Regulatory Landscape for BaaS Partnerships
The Federal Deposit Insurance Corp. (FDIC) has ramped up its regulatory oversight of banks engaged in banking-as-a-service (BaaS) collaborations with fintech firms. Notably, Piermont Bank and Sutton Bank faced significant enforcement actions in early 2024, highlighting serious lapses in their internal controls, compliance programs, and management of third-party partnerships. This heightened scrutiny comes as financial institutions increasingly team up with fintech companies to deliver new and innovative financial products and services. Regulators have voiced concerns about potential risks tied to these partnerships, including compliance, anti-money laundering (AML) measures, and overall financial stability. The increased focus on these issues underscores the regulatory commitment to ensuring that banks maintain robust frameworks to manage risks associated with their fintech collaborations. As these partnerships become more prevalent, both banks and fintech firms must prioritize stringent compliance and effective risk management to navigate the complex and evolving regulatory landscape successfully.