Ms. Ann Misback
Secretary
Board of Governors of the Federal Reserve System
20thStreet and Constitution Avenue NW
Washington, DC 20551
Mr. James P. Sheesley
Assistant Executive Secretary
Legal ESS
Federal Deposit Insurance Corporation
550 17th Street NW
Washington, DC 20429
Chief Counsel’s Office
Attention: Comment Processing
Office of the Comptroller of the Currency
400 7th Street SW Suite 3E-218
Washington, DC 20219
Re: Request for Information onBank-Fintech Arrangements Involving Banking Products and Services Distributedto Consumers and Businesses—Docket No. OP-1836; RIN 3064-ZA43; Docket No.OCC-2024-0014
To whom it may concern,
On behalf of The American Fintech Council (AFC),[1] I am submitting this comment letter in response to the joint Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses (RFI) by the Board of Governors of the Federal Reserve (FRB or Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) collectively referred to as the “Joint Agencies”.
AFC’s mission is to promote an innovative, transparent, inclusive, and customer-centric financial system by fostering responsible innovation in financial services and encouraging sound public policy. AFC members are at the forefront of fostering competition in consumer finance and pioneering ways to better serve underserved consumer segments and geographies. Our members are also improving access to financial services and increasing overall competition in the financial services industry by supporting the responsible growth of lending and lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable financial products.
Responsible bank-fintech partnerships are critical to the continued innovation in and improvement of the financial services industry.[2] As the premier industry association representing both innovative banks and fintech companies, we are uniquely positioned to discuss the questions posed by the Joint Agencies in the RFI. Our overarching aim is to pursue a pragmatic approach to regulation that will encourage responsible innovation through sound public policy. To ensure the continued development of responsible bank-fintech partnerships AFC has consistently advocated for the Joint Agencies to
1. engagein regulatory modernization that encourages competition and innovation;
2. develop a unified and consistent approach to their oversight of bank-fintech partnerships;
3. increase clarity of supervisory expectations for regulated entities engaging in novel or innovative business models and activities; and
4. avoid the development of a patchwork or inconsistent regulatory and supervisory landscape that harms consumers, industry participants, and the resilience ofthe financial services ecosystem by inadvertently encouraging regulatory arbitrage.
Though the Joint Agencies identified potential risks that could be posed by bank-fintech arrangements within the RFI and the previously issued Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services,[3] it is important to recognize that both financial institutions and their fintech partners face significant regulatory oversight both directly and indirectly. Given the existing U.S. regulatory structure, financial institutions—regardless of size, activity, or business model—hold distinct requirements and responsibilities for ensuring their engagements with fintech companies are fully compliant with existing laws and regulations.[4] However, fintech companies also have requirements and responsibilities to adhere to existing laws and regulations, and face significant oversight from both the Consumer Financial Protection Bureau (CFPB) and state regulatory agencies.[5]
Further, due to customer demand within the fintech market, both financial institutions and fintech companies face an inherent incentive to remain in compliance with all relevant laws and regulations within the parameters of their partnerships. In addition, as will be discussed further below, fintech companies have established an important role in serving consumers, particularly those in historically underserved communities, with modern, digital-first banking services. In general, through these innovative products and services, consumers have both found an ease of use not previously found in services offered by legacy financial services providers and a trust in the products and services offered. In turn, these products and services have become an integral part of the livelihoods of consumers, including those who have been historically underserved.
It is with these points and the perspectives provided below, that AFC respectfully requests the Joint Agencies to carefully consider the comments received in response to this RFI and develop a pragmatic regulatory agenda that corresponds with the perspectives and recommendations identified by the varied stakeholder groups. Regulation by enforcement, unclear supervisory expectations, and non-binding interpretive rulemakings are not the path to an effective regulatory framework that encourages responsible innovation through bank-fintech partnerships.
To summarize, in the detailed analysis presented below AFC seeks to address the questions posed in the RFI. We do this first by presenting distinctions between the various types of bank-fintech partnerships within the financial services industry, including specific analysis regarding the risk profiles of “fintech consumer” and “fintech supplier” relationships, as well as, direct and indirect bank-fintech partnerships. Next, AFC discusses the benefits of bank-fintech partnerships. As will be further evidenced below, consumers and the industry see the benefits of encouraging the further development of robust digital-first offerings through responsible bank-fintech partnerships. Then, AFC will discuss the leading risk management practices and processes identified for establishing and maintaining responsible bank-fintech partnerships, as well as leading risk management practices and processes for specific activities conducted within bank-fintech partnerships. Lastly, AFC poses multiple recommendations related to improving the oversight and supervision of bank-fintech partnerships in a manner that will ultimately encourage the continued development of responsible bank-fintech partnerships. In addition, AFC also makes several programmatic recommendations for the Joint Agencies’ consideration that are specifically geared towards developing a regulatory framework that is befitting of the modern financial services industry.
I. AFC Believes the Joint Agencies Should Further Distinguish the Various Types of Bank-Fintech Partnerships
As the Joint Agencies continue to develop their understanding of bank-fintech partnerships, it is important to recognize the impact that the facts and circumstances of a given partnership may have on the revenue structures, risk profiles, and business operations of both the financial institution and the fintech company.
Simply put, not all bank-fintech partnerships are created equally. Responsible bank-fintech partnerships do have some salient features regarding the understanding that liability for any issues within the partnership ultimately lies with the bank. Further, as noted above, both financial institutions and their fintech partners have significant requirements under existing legal and regulatory frameworks. However, many of the specific terms and conditions devised in a bank-fintech partnership are predicated on contract provisions.
In large part, this reliance on robust contract provisions between the financial institutions and fintech companies is due to common and prudent business and legal practices. However, it also belies the lack of regulatory guidance regarding specific activities that exist in bank-fintech partnerships and the array of facts and circumstances that underlie a given bank-fintech partnership. These differences are critical to the structure and viability of the partnership, as well as the actual risks that the partnership could pose to consumers or the resilience of the financial institution and fintech company. Also, each of these partnerships presents distinct opportunities and dynamics that are important to the Joint Agencies’ oversight of the partnership.
While the RFI identifies various types of bank-fintech partnerships and notes that these arrangements “vary significantly in structure and product and service offerings”, it does not substantially discuss the various dynamics that are contingent upon the specifics of the bank-fintech partnership.[6] To improve the Joint Agencies’ understanding of bank-fintech partnerships, AFC recommends that staff continue to assess how the parameters of a given bank-fintech partnership impact the viability, opportunities, risks, and dynamics of these partnerships. In an effort to assist the Joint Agencies in this endeavor, AFC has provided additional information on various types of bank-fintech partnerships below.
AFC believes that it is important for the Joint Agencies to further distinguish between the various types of bank-fintech partnerships. It is important to note that within the existing regulatory framework, regardless of the model, banks hold the ultimate liability in any bank-fintech partnership. However, there are different categories of relationships depending on a number of factors. Each of these partnership categories can present distinct opportunities, risks, and dynamics that are important to oversight activities.
a. Fintech Consumer and Fintech Supplier Partnerships
In practice, AFC distinguishes between “fintech consumer” and “fintech supplier” relationships. While partnerships related to fintech consumer and fintech supplier relationships may have exhibit similar risk profiles in traditional risk management areas, such as concentration risk, AFC believes that there remain important factors that should be considered when reviewing both fintech consumer and fintech supplier relationships. In addition, we recognize, as the joint agencies briefly did in the RFI, that partnerships may be direct or indirect in nature. However, as explained further below, AFC believes that decidedly different risk profiles exist for direct versus indirect partnerships.
Fintech consumer partnerships are when there is direct engagement of the fintech company with a consumer or business that either previously or would have previously engaged directly with a financial institution. These partnerships commonly exist in lending and payments activities and provide consumers with improved user experiences while simultaneously improving the financial institution’s customer acquisition operations. Partnerships of this type would be considered “novel” under the definition put forth by the Federal Reserve.[7] In virtue of this novel activity, fintech companies in this type of partnership will have direct engagement with consumers and the initial aspects of a financial transaction. Given the type of relationship that the fintech company generally has with customers in the fintech consumer partnership, responsible financial institutions and their fintech partners must engage in robust risk management processes and practices to ensure that consumers are properly informed about the partnership and are properly protected from harm. As will be discussed further below, AFC and its members have identified a number of leading practices to ensure the responsible development of these novel partnerships.
In contrast, fintech supplier partnerships are when the fintech has direct engagement with the financial institution to provide a business development service within an existing or new business line or function of the financial institution. These partnerships are designed to be enterprise-facing endeavors that operate in a traditional service provider relationship with the financial institution. Unlike the fintech consumer partnerships discussed above, in a fintech supplier partnership, the consumer is maintaining a relationship with the financial institution, not the fintech. Fintech supplier relationships encompass core service provider relationships with financial institutions, as well as fraud, know-your-customer (KYC) monitoring, account verification, and card payment services. Within all of these examples, innovation can and does occur. However, the benefits and risks to consumers and the partnered financial institutions are not the same as those associated with fintech consumer partnerships.
b. Direct and Indirect Bank-Fintech Partnerships
Amore familiar bifurcation of bank-fintech partnership models is the direct versus indirect model. In a direct model, the bank supplies the technology solutions and APIs required for the non-bank financial services provider to connect to the bank’s system of record or account ledger. Some banks may also offer compliance or other advisory services to their non-bank financial services customers.[8] On the other hand, in an indirect model, a third-party “middleware” provider supplies the technology and APIs required for the bank and the non-bank financial services provider to exchange data. Middleware providers may also assist non-bank financial services providers with forming relationships with sponsor banks and other technology firms that provide services such as payment processing, account holder verification, and onboarding.[9]
Both direct and indirect models can operate in a responsible manner. AFC believes that it is critically important for financial institutions and fintech companies engaging in either direct or indirect models to appropriately understand the roles and responsibilities of each entity engaged in the supply chain of the banking product or service offered through the partnership. For instance, which entity owns the responsibility for customer communication and servicing within a given partnership. In practice, AFC recognizes that there are varied and, at times, complicated dynamics that exist between the different types of bank-fintech partnership models. However, to ensure proper understanding of the roles and responsibilities of each entity engaged in a partnership, all entities are required to establish clear and distinct roles and responsibilities for compliance and risk management processes that are underpinned by the existing regulatory structure.
At no point in either a responsible direct or indirect partnership model should the roles and responsibilities of any entity be confused, outsourced, or otherwise shirked. At the core of both direct and indirect models should be a focus on ensuring consumers are properly served. To that end, as will be discussed further below, AFC believes that industry participants should engage in the leading risk management practices identified in this letter.
II. Bank-Fintech Partnerships Exhibit a Multitude of Benefits for Both Consumers and Industry Participants
Fintech companies arose out of the combination of a dearth of consumer trust in traditional financial institutions in the wake of the 2008 financial crisis and increasing demand for modern, digital-first banking services.[10] Through partnerships with innovative financial institutions, fintech companies have been able to increase access to historically underserved communities, expand offerings, and create a robust and competitive market that has the ability to mitigate certain types of contagion risks in the financial services industry. As noted in multiple reports by the U.S. Government Accountability Office (GAO), responsible fintech providers provide the opportunity for significant consumer and market benefits.[11] As we will discuss in more detail below, these benefits are not coincidental to bank-fintech partnerships, but instead, they are ancillary to the robust market that has developed over the past 15 years.
a. Responsible Bank-Fintech Partnerships Responded to Digital-First Consumer Demand
Bank-fintech partnerships developed and rapidly grew in popularity due to strong consumer demand for digital first financial products and services. Partnerships that started within one vertical, such as lending or payments services, quickly developed to include other services, such as deposit taking. The consumer demand, which has been a driving force for these innovative products and services, shows no sign of slowing, regardless of market or non-market forces and their impacts on bank-fintech partnerships.[12]
AFC recognizes that this rapid growth in the parameters of the partnerships does not come without the need to ensure that both the innovative financial institutions and fintech companies develop processes and staffing resources in key areas that are commensurate with the growth in the partnership. At no point should a financial institution grow in an unmanageable manner that places unnecessary risk on the services they provide and the consumers they serve. Todo so would be antithetical to the purpose underpinning bank-fintech partnerships, namely, to serve consumers more efficiently and effectively than has been previously done. Equally important, is the Joint Agencies’ consideration of the perspectives provided in response to this RFI so they can craft their policy efforts in a manner that will ensure the continued development of bank-fintech partnerships in a manner that benefits consumers and addresses the significant demand for improved products and services through digital-first offerings.
b. Bank-Fintech Partnerships have Increased Access to Financial Services for Historically Underserved Consumers
Through academic, industry, and government research, bank-fintech partnerships have been empirically shown to improve financial inclusion through improved services to historically underserved communities.[13] In addition, innovations from fintech companies have provided responsible alternatives to high-cost options for consumers in these communities; thus, improving the overall financial health of these consumers.[14] Instead of being forced to engage with payday lenders and check cashers, consumers have gained access to responsible term loans and high-yield demand deposit accounts. Specifically, the deposits brought into financial institutions via their partnerships with fintech companies have proved to be stable and beneficial for both the consumers and the financial institution. These products and services are a direct response to consumer demand, and their impact is most acute for those consumers historically underserved by traditional financial services participants.
Consumers categorized as “near prime” consumers are another consumer group who has uniquely benefited from responsible bank-fintech partnerships and their ability to offer expanded traditional products and services. For example, credit offerings, including credit builder products, credit cards, and term-loans, offered through the innovative services born out of the bank-fintech partnership model are able to serve an expanded consumer market making these products and services more economically viable and available to consumers. In today’s world, it is nearly impossible to function without a credit card, to either make purchases online, or offline, particularly with a trend toward cashless payments. Through responsible bank-fintech partnerships, this cohort of near prime consumers, thus helping consumers build credit, and in the process, making credit even more affordable and accessible.
c. Responsible Bank-Fintech Partnerships Expanded Offerings through Innovative Products and Services
In addition to the expanded offerings of traditional banking services—including no-fee, high-yield demand deposit accounts, term loans, and faster payments services—responsible bank-fintech partnerships have also been able to offer new, innovative products and services to consumers. For example, through bank-fintech partnerships, buy-now-pay-later (BNPL) loans and earned wage access (EWA) transactions have been able to flourish and assist consumers in developing stronger financial lives. While these two products are distinct in crucial ways, they both leverage innovative technologies to effectively serve consumers and expand available alternatives to predatory products. These products allow consumers to smooth their spending, budget more effectively, and, specifically for EWA, receive the pay they are entitled to for completed work prior to the end of an arbitrarily set pay period. In short, these innovative products and services would not be viable without the use of innovative technologies and a partnership between financial institutions and fintech companies.
d. Responsible Bank-Fintech Partnerships Increased Competition and Improved Long-Term Viability of Financial Institutions
Bank-fintech partnerships have also been crucial to improving competition in the financial services industry both domestically and abroad. According to a June 2024 literature review conducted by the Basel Committee on Banking Supervision, there is ample evidence to support the view that the rise of fintech has put pressure on the market share and pricing power of incumbent banks.[15] Ultimately, as evidenced by the aforementioned discussion on consumer demand and service to underserved populations, responsible bank-fintech partnerships have led to greater competition for banking services, particularly when gaps in the market a represent. In turn, this greater competition has led to a virtuous cycle of innovation and consumer benefit by pushing companies to continue seeking new services or providing these services in unique ways to increase their market share and effectively serve more consumers.
In addition, through this competition, community banks have experienced unique benefits. As portrayed by the sentiments of FDIC Chair Martin Gruenberg,[16] community banks and their continued involvement in the U.S. financial services industry are crucial to ensuring that the industry remains resilient and that consumers are properly served. Through partnerships with fintech companies, community banks have been able to reach far more consumers than through their traditional banking services alone. Central to many community banks is a “relationship banking” culture that meets customers on their terms and provides additional flexibilities in the products and services offered. Community banks engaged in bank-fintech partnerships bring additional benefits to consumers by providing their relationship banking style to the products and services they offer online. Further, the relationship banking ethos that underpins community banks helps to bolsters the suitability and resilience of partnering with fintech companies who seek to leverage innovative technologies and methods to offer new products and services. In turn, by pursuing these innovative products and services through responsible bank-fintech partnerships these community banks can help ensure long-term viability of their institutions and the resilience of the U.S. financial services industry.
e. Responsible Bank-Fintech Partnerships Leveraged the Core Competencies of Each Entity to Improve Services to Consumers in a Compliant Manner
Relatedly, responsible bank-fintech partnerships have been able to improve regulatory and cost efficiencies within both financial institutions and fintech companies. For years, fintech companies have leveraged their core competencies to make payments, lending, and deposit taking easier for their financial institution partners. On the financial institution side, these entities have used existing robust compliance practices and processes, as well as keen knowledge of the regulatory requirements in financial services to improve the safety and security of products and services offered in partnership with fintech companies. Thus, the bank leverages their strength in defining the regulatory guidelines for the fintech company and ensuring compliance. By creating these efficiencies, financial institutions and fintech companies are able to dedicate additional capital to their core products and services. Thus, more effectively serving consumers, especially those in historically underserved communities.
III. AFC Identified Leading Risk Management Processes and Practices in Bank-Fintech Partnerships Both Throughout the Partnership and in Specific Activities
Fintech companies and the innovative financial institutions with whom they partner have a duty to operate in a responsible manner. To AFC and its members, this means avoiding simply digitizing existing analogue predatory products and instead operating in a proactive manner to address any identified issues that might harm consumers, diminish the resilience of the financial institution or fintech company, or increase risks to the financial services system. Like any emerging industry or model, the bank-fintech partnership continues to mature in its processes and practices related to risk management. To that end, AFC and its members continue to pursue leading practices to effectively manage risks associated with bank-fintech partnerships.
In an effort to address the Risk and Risk Management questions posed by the Joint Agencies in the RFI, AFC and its members have identified leading practices that responsible banks-fintech partnerships rely upon to conduct their operations in a prudent and orderly manner. In recognition of the complexity and nuance associated with bank-fintech partnerships, AFC and its members have engaged in establishing practices and processes that consider the partnership in a holistic manner, while also developing specific practices depending on the type of partnership and activities covered under the partnership. Overall, this approach helps to ensure that both banks and fintech companies are developing effective, transparent, and resilient partnerships that benefit consumers.
a. AFC Identified Leading Practices in Throughout the Bank-Fintech Partnership
As noted in the existing interagency third-party risk management guidance, both financial institutions and fintech companies engaging in responsible bank-fintech partnerships of all types should develop robust due diligence and risk management processes and practices encompassing the entirety of the bank-fintech relationship.[17]AFC generally approved of the supervisory expectations conveyed through the Joint Agency’s third-party risk management guidance and found the guidance helpful for the continued development of responsible bank-fintech partnerships. Particularly, the provisions related to the due diligence and third-party selection, contract negotiation, and governance sections of the guidance were helpful in rebalancing industry conversations and developed a clear path forward for financial institutions and fintech companies. In accordance with this guidance, AFC members have developed specific processes and practices for partner onboarding, continued monitoring of the partnership, and the responsible dissolution or termination of a partnership should it be required.
i. Leading Practices and Processes in Onboarding a Partner
Within a bank-fintech partnership, effective onboarding processes and practices are crucial to ensuring that both parties understand the roles, responsibilities ,and business operations in the partnerships. Paramount to the effective onboarding of a potential partner, this process must take a “consumer-first" approach when determining if and how to partner. When onboarding either a new bank or fintech partner, both parties should engage in a multi-step approach to assessing the risks posed by a given partnership. This process should be methodical and replicable for each partnership arrangement, while still recognizing the distinct risk profiles associated with each partnership. Specifically, contracts between financial institutions and fintech companies must provide clear and consistent compliance roles and responsibilities for both entities. While, as noted previously, the bank holds the ultimate liability for any compliance issue from a regulatory standpoint, the contract terms must also ensure that the fintech company is held accountable and not absolved of any liability.
Within the onboarding process for either a financial institution or a fintech company in a bank-fintech partnership, AFC identified leading practices as conducting robust “suitability assessments” holistic qualitative and quantitative risk assessments; targeted secondary risk assessments (where applicable); development of clear compliance requirements; and contingency planning for effective remediation of issues, dissolution, or termination of the partnership. These practices are specifically designed to evaluate each partnership on its merits and effectively determine the actual risks posed.
Suitability Assessment. A suitability assessment starts prior to the formal due diligence process and functions as an initial check of a potential partner and how they fit with the assessing entity’s mission, risk appetite, activities, and other relevant factors. The assessing entity will review the potential partner at a high level, but holistically to understand any potential legal, compliance, reputation, and culture risks. To conduct this assessment, the assessing entity will typically engage multiple internal teams, including legal and compliance, and assess the permissibility of the activity(ies) that would be under the partnership within the given operating jurisdiction. The goal of this assessment is to flag any issues that the potential partner may pose to the risk tolerance and appetite of the assessing entity.
Holistic Quantitative and Qualitative Risk Assessment. As part of the formal due diligence process for potential partnerships, both financial institutions and fintech companies conduct quantitative and qualitative risk assessments. This assessment occurs prior to the creation of contractual partnership agreements. Building on the initial “suitability assessment”, these risk assessments are deeper analyses of the potential partner. Within these assessments, the assessing entity both quantitatively scores the potential partner, as well as qualitatively assess the information it receives from the potential partner based on internally established criteria related to the product and industry or consumers being served. Both quantitative and qualitative assessments are reviewed by established risk assessment committees comprised of relevant officials from across the assessing entity. To complete these assessments, the assessing entity will require potential partners to provide in-depth organizational and strategy documents, including financial statements, organizational charts, company policies, roadmap/strategy plans, and the company’s mission statement. Further, potential partners will be assessed through a comprehensive questionnaire covering all aspects of the potential partner’s business and operations, that, depending on the assessing entity, maybe over 200 questions.
Targeted Secondary Risk Assessment. Depending on the outcome of the quantitative and qualitative risk assessments, assessing entities may conduct additional targeted secondary risk assessments within specific identified areas of risk. These targeted secondary risk assessments involve further direct engagement with the potential partner through interviews with relevant staff at the potential partner institution by subject matter experts and risk management staff at assessing entity. The responses garnered from these interviews are then put forward before the relevant risk assessment committees at the assessing entity for review and determination if the potential partner poses a risk in the targeted area that does not fit with the assessing entity’s risk profile and appetite.
Contingency Planning. As noted in the previously issued interagency third-party risk management guidance ,contingency planning at the start of a bank-fintech partnership is a crucial risk management process. In accordance with the guidance, AFC members identified specific contingency planning regarding how to remediate identified compliance issues and processes for ensuring the orderly and consumer-protected dissolution or termination of a partnership. As discussed further below, each of these contingency plans are important for ensuring the responsible operation of a bank-fintech partnership even in the event of negative circumstances. This contingency planning takes place as part of the contract discussion in the onboarding process.
The time frame to complete the onboarding of a potential partner when using these leading practices in varies based specific facts and circumstances of the entities involved, including the maturity of a potential partner, accessibility to key data, and modifications of activities based on the findings of one of the aforementioned processes. However, based on the information provided by AFC members, at least six months are necessary to complete this process. AFC recognizes the importance of conducting all the leading practices identified above when engaging in a responsible bank-fintech partnership.
ii. Leading Processes and Practices for the Continued Monitoring of a Partnership
In addition to the robust onboarding processes implemented by both financial institutions and fintech companies, AFC members identified a number of leading practices related to continuous monitoring efforts throughout the partnership that they engage in to proactively identify and mitigate risks. While the specific practices implemented depend on the risk profile of the partnership, AFC members identified the importance of consistent engagement between both the financial institution and the fintech company to ensure that both entities are discussing any risks that might be on the horizon and are continuously monitoring their systems for potential issues.
These leading practices go beyond earlier third-party risk management guidance, which advised financial institutions to conduct a periodic risk assessment. Current leading practices instead involve a robust, ongoing risk-based assessment that continuously tracks the activities within a given partnership and how that impacts the risk profile of each entity. For example, as part of this practice, financial institutions and fintech companies require periodic, or at times, continuous data reporting by their partner. Through the use of monthly or quarterly scorecards, information conveyed and documented through formal processes on a defined schedule and used to inform both financial institutions ’and fintech companies’ continued risk assessments and defend any decisions to differentiate between the risk profiles of various partners. Risk profiles foreach partner remain fluid and consistently assessed through full formal assessments, ranging from every six months for core partnerships to 18 months for those partnerships deemed as ancillary.
In response to engagement with regulators, continued monitoring practices at both financial institutions and fintech companies go beyond the provisions established in the bank-fintech partnership agreements. Instead, both entities focus on the use of compliance and risk management scorecards disbursed at an established cadence to capture the pulse of the partnership and proactively identify any issues. AFC recognizes these leading practices and believes that responsible bank-fintech partnerships should ensure the robust development of these monitoring practices.
Also, through a systematic change management process, financial institutions and fintech companies engage in continuous monitoring of risks or issues stemming from operational, technical, legal, and regulatory changes that might impact the resilience and viability of the partnership. While the exact practices within change management processes vary by institution, AFC recognizes that developing and implementing robust change management processes is a leading practice for prudent continued monitoring throughout a bank-fintech partnership.
Further, to understand and mitigate risks throughout the “supply chain” of the bank-fintech partnership, financial institutions require fintech companies to understand the risks associated with any entities whom the fintech company partners with that might impact the financial institution. This “nth party” risk assessment, while costly for financial institutions, requires both the financial institution and the fintech company to understand any risks posed by vendors or their relationships and is akin to “know-your-customer” (KYC)practices already instituted in anti-money laundering activities. Unfortunately, in lieu of specific regulatory guidance on “nth party” risk management practices, financial institutions and their fintech partners do not have the benefit of clear and consistent supervisory expectations. Instead, these entities work with examination staff to help determine the exact processes they need to implement. Due to the varied knowledge and perspectives of examination staff, AFC recommends that the Joint Agencies consider providing further guidance on how financial institutions and their fintech partners should manage the “supply chain of banking” and “nth party” risk management processes.
iii. Leading Processes and Practices for the Remediation, Dissolution or Termination of Partnerships
Terminating a bank-fintech partnership is understood by both financial institutions and fintech companies as a last resort for issues that arise in the course of a partnership. Engaging in the termination or dissolution of a bank-fintech partnership is an inherently difficult and potentially costly endeavor. Therefore, it is a leading practice to establish intermediate steps to remediate identified compliance or other partnership issues prior to the invocation of a financial institution’s or fintech company’s termination process. Mirroring existing regulatory tools, financial institutions and fintech companies should construct appropriate escalation processes when an issue is identified. Further, there should be processes for planning and addressing the deficiencies akin to those found in the bank examination space, such as matters requiring attention, matters requiring immediate attention, and cease and desist orders. In general, this practice should help ensure that both financial institutions and fintech companies who decide to form a partnership are able to remedy any identified issues prior to invoking costly termination or dissolution processes.
In accordance with the Interagency Guidance on Third-Party Relationships, issued in June 2023,[18]responsible financial institutions and fintech companies have developed effective wind down procedures that eliminate interruptions to services provided by customers and are commensurate with the complexity and criticality of the partnership to the financial institution’s or fintech company’s viability. In practice, these processes are developed at the start of a bank-fintech partnership. It is important to note that within bank-fintech partnerships, neither financial institutions nor fintech companies typically want to dissolve a partnership. Often, the dissolution of a partnership is seen as a last resort, with both entities identifying and pursuing activities to mitigate any issues that may cause or contribute to the dissolution of a partnership. Financial institutions and fintech companies pursue these activities to help mitigate any disruption of service to their consumers, but also due to the significant economic impacts that the dissolution of a partnership can have on all parties involved. Thus, AFC believes it is a leading practice to identify and contractually oblige partnered entities to remediate identified compliance issues before terminating the partnership.
b. Leading Processes and Practices for Managing Risk by Partnership Type
While banks hold the ultimate liability for any violations to existing laws and regulations, fintech companies also face significant direct oversight from state regulators and indirect oversight from federal regulators via their bank partners. This approach, while imperfect at times, provides continuous regulatory oversight throughout the bank-fintech partnership. Further, it helps ensure that financial institutions and fintech companies engage in a “shared responsibility model” within their compliance activities. This shared responsibility model is bolstered within responsible bank-fintech partnership models by robust contract provisions that place specific requirements upon each entity engaged in the partnership in the event of compliance violations or examination issues. AFC recognizes the importance of the existing regulatory structure as well as the aforementioned contract provisions in upholding a shared responsibility model within a bank-fintech partnership.
As noted above, there are a number of different types of bank-fintech partnerships. Each partnership presents a distinct risk profile that examiners must understand in order to properly assess the partnership for proper risk management practices and processes. Again, financial institutions within the bank-fintech partnership hold the ultimate liability for any violations of existing laws and regulations. However, to ensure a responsible bank-fintech partnership exists, both the financial institution and fintech company must have a “shared responsibility” approach to their engagements, regardless of the type of relationship. Within this shared responsibility approach to managing risks, both financial institutions and fintech companies should standardize their approaches to the extent possible. In addition to reviewing relevant agency guidance documents, public and private standard setting organizations or consultancies may be helpful in ensuring the compliance practices established in a bank-fintech partnership are sufficient for managing the risks presented in a given partnership or activity.
As the Joint Agencies consider their regulatory agendas related to bank-fintech partnerships, it is important that they consider the specific facts and circumstances of various types of bank-fintech partnerships and operate from a risk-based standpoint. To reiterate, it is crucial that examiners and policy staff at the Joint Agencies understand the varied risk profiles that exist in fintech consumer partnerships versus those that occur in fintech supplier relationships. AFC recognizes and appreciates the importance of the third-party risk management guidance previously issued by the Joint Agencies.
To effectively expand upon this guidance, the Joint Agencies should develop guidance that is geared specifically towards different partnership types. For example, those partnerships that are direct bank-fintech partnerships versus those that are indirect and involve a “middleware” company. The Joint Agencies should tailor this guidance, and the risk management processes therein to account for the specific nature of the relationship between the financial institution and fintech company and consider such aspects of the partnership as the product flow, engagement with consumers, and access to consumers data. By engaging in such guidance efforts, AFC believes that the Joint Agencies can help encourage the continued development of responsible bank-fintech partnerships.
c. Leading Processes and Practices for Activity-Specific Risk Management in Responsible Bank-Fintech Partnerships
In addition to the aforementioned leading practices for risk management throughout a bank-fintech partnership, as well as within various partnership models, AFC and its members also identified leading practices and considerations for managing risks associated with specific activities often found in bank-fintech partnerships. Within any activity-specific risk management effort, entities must accurately assess the risk profile of a given activity and how it functions within the broader safety and soundness considerations of the entity. This means that issues such as concentration, criticality, and other common risk factors should be a part of the overarching activity-specific risk management effort. As discussed further below, data management and transfer practices, disclosure activities, and the use of artificial intelligence (AI) in financial services are all areas where AFC and its members have developed leading practices for the responsible development and deployment of these activities.
i. Leading Processes and Practices for Data Management and Transfers in Responsible Bank-Fintech Partnerships
Onesuch area where AFC members have identified leading practices is in the area ofdata management and transfers. Effectively managing and efficientlytransferring data between partnered entities is crucial to a responsible bank-fintechpartnership. Within these responsible bank-fintech partnerships, both thefinancial institutions and fintech companies establish robust practices inaccordance with leading cybersecurity practices established by the leadingstandard setting and expert groups, including the National Institute ofStandards and Technology (NIST), International Organization for Standardization(ISO), and the G7 Cyber Experts Group. Implementing these leading standards andpractices ensures that both financial institutions and fintech companies areable to effectively maintain the safety and security of their consumers’sensitive data and adhere to existing laws and regulations related to datamanagement and data transfers.
Further,as federal and state regulations have developed on issues of personal financialdata rights, AFC and its members have proactively engaged in efforts to ensurethat consumers are in control of their data and able to select the entitieswith whom they share their data.[19] AFC has consistentlyadvocated for an open banking system that ensures consumers’ rights and fostersrobust competition in the financial services industry.[20] This advocacy hasincluded recommending that industry participants avoid riskier data practices,such as “screen scraping” in favor of costlier, but safer alternatives, such asthe development of application program interfaces (APIs) and the data encryptionefforts. AFC also recognizes the importance of leveraging APIs in datatransfers between partners in a bank-fintech partnership. For example, to improvethe safety and efficiency of data transfers, financial institutions shoulddevelop APIs that allow fintech companies to transmit real-time data. This datacan then be housed by the financial institution but made available inaccordance with the CFPB’s final rule on Personal Financial Data Rights.[21] To this end, AFC membershave proactively pursued these safer data practices to ensure that consumers’data remains safe and secure in the forthcoming open banking ecosystem.
ii. Leading Processes and Practices forDisclosure activities in Responsible Bank-Fintech Partnerships
Inaddition, responsible bank-fintech partnerships are often required to developrobust disclosure activities that are clearly and consistently provided toconsumers throughout their engagement with both the financial institution andthe fintech company. These disclosures vary based on the specific activitiesinvolved but are available throughout the “supply chain of banking”. Forexample, to ensure strict compliance with the FDIC’s sign and advertisingrequirements, AFC members adopted specific processes and contractualobligations at the onboarding phase of the partnership to ensure effectivecompliance with the regulation. Further, AFC members developed specificcompliance management programs to monitor nth party compliance withthis regulation and proactively sought to remedy any potential complianceissues when identified. Engaging in such robust processes and practices helpsto effectively ensure compliance with existing regulatory requirementsregarding disclosures throughout the supply chain of banking and is a leadingpractice conducted in responsible bank-fintech partnerships.
iii. Leading Processes and Practices forArtificial intelligence in Responsible Bank-Fintech Partnerships
AIwithin financial services is another major innovation that has gainedsignificant regulatory discussion over the past several years. While themethodologies underlying AI technologies have been used in financial servicesin some form since the 1980s, technological advances both directly andindirectly related to AI have greatly increased the potential use cases andmore recent implementation of products and services that leverage thetechnology in financial services. Federal and state governments have recognizedthe potential for AI tools in financial services. Further, both federal andstate legislatures have introduced, and in some cases passed legislationrelated to AI. As discussed below, AFC and its members have identified leadingpractices for managing risks associated with AI in financial services. Moreover,AI is not a monolithic concept; in particular, though generative AI receivesmuch of the press, there are many use cases. Thus, AFC advocates, as it hasdone in the past, for policies under a risk-based framework that recognize thecontext-specific nature of a given use case for the AI technology.[22]
Inresponse to the market and non-market forces surrounding the use of AI infinancial services innovative banks and fintech companies, including AFCmembers, developed processes and practices for understanding and mitigatingrisks posed by the use of AI tools. Similar to the other processes andpractices discussed above, AFC member companies developed robust practices forthe development and use of AI tools in their products and services. As noted byOCC Acting Comptroller Michael Hsu in a June 2024 speech, “Banks, corporations,governments, and others are exploring AI use cases with the intention of usingit as a tool. AI holds the promise of doing things better, faster, and moreefficiently, yielding benefits for individuals, managers, organizations, and thepublic.”[23]Responsible financial institutions and fintech companies do not view AI toolsas a supplement for their compliance, product, or other staff. Instead, thesecompanies see AI tools as providing an opportunity to safely and responsiblycomplement the staff activities already being conducted and to develop moreefficient and effective products and services.
ActingComptroller Hsu noted that “[f]or banks interested in adopting AI, establishingclear and effective gates between each phase could help ensure that innovationsare helpful and not dangerous. Before opening a gate and pursuing the nextphase of development, banks should ensure that proper controls are in place andaccountability is clearly established.”[24] In accordance with therisk management principles noted by the Acting Comptroller, AFC membersestablished AI-specific risk management frameworks that seek to mitigategeneral risks associated with AI technologies, as well as those that might beassociated with a specific use case.
AFCagrees with this pragmatic approach to managing risks associated with AItechnologies to ensure their responsible deployment in financial services.Ensuring the proper development of “gates” within the development anddeployment of AI technologies is a prudent process that AFC members alreadyinstitute, and both financial institutions and fintech companies across theindustry who are using or considering AI technologies should implement. Inaddition, AFC concurs with Acting Comptroller Hsu’s perspective of a “sharedresponsibility model” for ensuring the proper operations, maintenance, andsecurity of AI technologies.[25] As previously noted, financial institutionshold the ultimate liability in a bank-fintech partnership. However, in practiceAFC believes that a “shared responsibility model” related to AI is a leadingpractice.
Inpractice, these efforts ensure that both financial institutions and fintechcompanies do not allow AI tools to develop beyond the knowledge andcapabilities of employees who are using these tools. Specifically, AFC membershave established robust risk management practices specifically designed for thenuances and complexities associated with the use of AI. AFC believes that thisapproach towards managing risks associated with AI is a leading practice forthe financial services industry. Consequently, those financial institutions andfintech companies operating in a responsible bank-fintech partnership shouldcollectively engage in the development of these risk management practicesthroughout the partnership to ensure that the deployment of AI tools does notpresent an undue risk to consumers, the partnership, or the financial servicesindustry.
Further,AFC concurs with Acting Comptroller Hsu that the remit of the recentlyestablished U.S. Artificial Intelligence Safety Institute within NIST is wellsuited to help develop the proper general guidance on issues, such asaccountability and explainability, that the Joint Agencies can apply to afinancial services context through subsequent guidance. Thus, we believe thatit is prudent for the Joint Agencies to engage in a concerted effort tocollaborate with the relevant federal and state agencies to provide suchguidance and ensure that the responsible use of AI is encouraged.
AFCstrongly advocates for the development of policies that recognize the contextspecific nature of AI and provides the ability for innovative financialinstitutions and fintech companies to use AI as a tool to improve the productsand services offered for the benefit of consumers. We believe that it isessential to foster responsible innovation and competition in the use of AI,and in doing so, regulatory bodies should review and modernize their regulatoryframeworks to provide clear guidance, particularly by promoting a risk-basedapproach to regulation, and ultimately by ensuring that guidelines are specificenough to address the complexities of AI systems while being flexible enough toaccommodate diverse applications.
IV. AFC Recommends Multiple Reforms tothe Joint Agencies Examination Efforts and Other Activities to Encourage ResponsibleInnovation
AFC and its members advocate for clear and consistent “rules of the road” for industry participants to use when developing innovative products and services or engaging in a responsible bank-fintech partnership. In direct response to questions posed in the RFI,[26] we have provided a set of recommendations regarding regulatory and programmatic efforts that the Joint Agencies could consider to improve the oversight of and engagement with responsible bank-fintech partnerships. AFC believes that, if implemented correctly, these recommendations will serve both macroprudential and microprudential policy aims of the Joint Agencies.
a. AFC Recommends Additional Examination Staff Education and Funding
Through AFC’s membership and discussions across the industry, we have learned that examiner knowledge and understanding of bank-fintech partnership models, as well as the innovative products and services offered through them varies substantially. Bot h federal and state examiners are crucial to ensuring a safe and sound financial services industry that serves consumers effectively. However, due to the varied understanding of bank-fintech partnership models and the risks associated with them, AFC believes that significant education and reform efforts are needed. While many examination staff work diligently to understand the nuances associated with bank-fintech models, at worst, we have heard that examination staff fundamentally misunderstand the risks associated with bank-fintech partnerships and therefore misapply the risk-based examination framework in their examinations. Further, we have heard that these examiners pursue unproductive lines of inquiry into the activities of the financial institution that are akin to “fishing expeditions” and result in high time and monetary costs to the financial institution.
AFC recognizes and appreciates the efforts to improve the examination of bank-fintech partnership models pursued by the OCC and Federal Reserve through the establishment of the Office of Financial Technology and Novel Activities Supervision Program, respectively. Given the continued growth of digital-first offerings through bank-fintech partnerships, it is incumbent upon the Joint Agencies to ensure that they are dedicating adequate funding to the staffing and development of programs designed to examine bank-fintech partnerships, such as OCC’s Office of Financial Technology and the Federal Reserve’s Novel Activities Supervision Program and Office of Innovation.
Some of the Joint Agencies have already recognized the importance of dedicating adequate funding to the staffing and development of programs designed to examine bank-fintech partnerships and emerging technologies. For example, Within OCC’s Congressional Budget Justification the agency noted “adapting to digitalization” as a priority to meeting its mission of “ensuring that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly and comply with applicable laws and regulations.”[27] Specifically, the OCC identified additional focus on banks’ relationships with fintech companies. AFC is aligned with the agency’s priority in adapting to digitalization in order to meet its mission. These efforts are a positive step towards ensuring that emerging issues within the modern banking system are properly understood by examination teams.
While it is crucial that agencies support the continued development of the subject matter experts found in the Office of Financial Technology and Novel Activities Supervision Program, AFC believes that it is equally important to ensure that all examiners at the Joint Agencies have the requisite knowledge to engage effectively with financial institutions under their jurisdictions who are engaged in bank-fintech partnerships. AFC recognizes that the OCC and the Federal Reserve have engaged in specific efforts to improve their understanding—both in policy and examination engagements—of bank-fintech partnerships through the establishment of their Office of Financial Technology and Novel Activities Supervision Program respectively. However, specifically regarding examinations, while these staff have been helpful in assisting examination teams understand the nuances associated with bank-fintech partnerships, there is no substitute for the continued development of the examination teams tasked with overseeing a given innovative financial institution. To ensure that OCC meets its aforementioned priority, and the other prudential regulators meet similar goals, it is crucial that the Joint Agencies’ frontline examination staff have the requisite education to effectively engage with financial institutions pursuing bank-fintech partnerships.
The frontline examination staff who consistently engage with a specific regulated financial institution, including those engaged in bank-fintech partnerships ,typically have the best understanding of the operations, activities, and procedures of that financial institution within the examination division of a prudential regulator. However, these staff may not have the contextual sophistication necessary to make critical determinations of actual risks associated with a given partnership. The subject matter experts within the Office of Financial Technology and Novel Activities Supervision Program assist in bridging the gap for the frontline examination staff. However, it remains critical that these frontline examination staff have the requisite understanding of bank-fintech models in aggregate to make prudent determinations within the examination.
Asa practical matter, AFC respectfully recommends that the Joint Agencies engage with private sector entities to craft examiner education programs, syllabi, and course materials related to examining bank-fintech partnerships. Regulators’ engagements with private sector entities have proved helpful for finding solutions to pressing policy issues. For example, in April 2022, the FDIC and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network(FinCEN) collaborated with private sector entities in a Tech Sprint to “develop solutions for financial institutions and regulators to help measure the effectiveness of digital identity proofing—the process used to collect, validate, and verify information about a person”.[28]The solutions developed during the Tech Sprint proved helpful to both FDIC and FinCEN staff by identifying areas that the regulators could further develop in their programmatic and regulatory agendas. AFC believes that the Joint Agencies could find a similar benefit from engagement with private sector entities on the development of craft examiner education programs, syllabi, and course materials related to examining bank-fintech partnerships.
With the above detailed perspectives in mind, we respectfully recommend that the Joint Agencies pursue significant education efforts for their examination staff specifically designed to educate these staff on the various types of bank-fintech models, activities conducted within the models, and leading risk management processes. Specifically, with the assistance of private sector entities, AFC believes that the agency should develop and implement additional training programs related to the bank-fintech partnership to understand the entire “supply chain of banking” and the relationships that exist between the various entities.
i. AFC Recommends Additional Activity-Specific Guidance Tailored to Bank-Fintech Partnerships
As noted above, AFC consistently advocates for clear and consistent “rules of the road” for industry participants to use when developing innovative products and services or engaging in a responsible bank-fintech partnership. A central part of this advocacy is pursuing explicit supervisory expectations through agency guidance for products, services, or other activities that operate in a distinct manner within bank-fintech partnerships from traditional offerings. Since many of the existing laws and regulations governing the financial services industry were promulgated prior to the development of bank-fintech partnerships as we have defined them in this response, it is incumbent upon the Joint Agencies to review existing regulations and, where necessary, provide additional guidance to industry participants who pursue bank-fintech partnerships.
AFC recognizes the importance and benefit of the Joint Agencies’ previous guidance on third-party risk management. However, now that the Joint Agencies have established adequate agency guidance for the overarching risk management framework within bank-fintech partnerships, AFC believes that the Joint Agencies should pursue the issuance additional activity-specific guidance. AFC believes that there are many areas that could benefit from additional guidance that is tailored to various bank-fintech partnership models. For example, agency guidance related to fintech lending operations—akin to the inactive FDIC Financial Institution Letter FIL-50-2016—deposit rule classifications, and open banking standards for business accounts are several areas where the Joint Agencies could greatly improve industry understanding of supervisors ’expectations through the issuance of agency guidance.[29]
ii. AFC Recommends Increased Federal Collaborationwith State Regulators
AFC has consistently advocated for a unified and consistent approach to their oversight of bank-fintech partnerships. This perspective extends to examination practices at the federal and state levels. For example, AFC has supported the Conference of State Bank Supervisors’ efforts to streamline and unify licensing and examination activities for nonbank payments providers, such as the effort to develop a comprehensive single exam for nationwide payments firms.[30] Critical to establishing a unified and consistent approach to the oversight of bank-fintech partnerships is concerted coordination between federal and state examiners.
Within bank-fintech partnerships, uncoordinated examination efforts between federal and state regulators can place an undue burden on both entities within the partnership. Within the existing regulatory framework, financial institutions are subjected to examinations by the federal regulator under whom they are chartered and their home state regulator. Meanwhile, fintech companies are subjected to examinations by any state regulator within the state that the fintech company has a license. For many fintech companies who operate nationally, this can be up to 54 jurisdictions.[31] Operationally, within both federal and state examinations, examiners often require documentation held at and engagement with the entity outside of their direct examination. In turn, compliance teams at both financial institutions and fintech companies can be inundated with examination requests at a cadence that is overly burdensome.
While AFC recognizes and appreciates the importance of ensuring that both federal and state examination teams are provided with the documents and engagements they need to ensure that the regulated entity is conducting safe, sound, and consumer protected activities, we believe it is crucial to ensure that examination teams are effectively coordinating to ensure they recognize the interconnectedness of bank-fintech partnerships and are not being overly burdensome to entities who decide to pursue this business model.
iii. AFC Recommends Developing Programs to Incentivize Proactive Identification and Remediation of Compliance Issues in Bank-Fintech Partnerships
AFC members endeavor to consistently operate in a safe, sound, and responsible manner. While compliance issues occur, AFC and its members maintain a strong commitment to providing innovative products and services responsibly. In an effort to encourage these practices across the broader financial services industry, AFC believes that the Joint Agencies should develop programs that incentivize banks and fintech companies to proactively identify and remediate compliance issues. Based on conversations with our members, we have understood that there is a distinct desire to pursue proactive identification and remediation of issues. The impetus for pursuing these proactive measures is because it ultimately benefits both the consumer and the resilience of the partnership.
Specifically, as discussed above, financial institutions and fintech companies invest significant financial and reputational capital into the development and success of a partnership. Dissolution of these partnerships, while important to plan for, presents a significant cost to both the financial institution and the fintech company. AFC members recognize this fact and therefore pursue proactive identification and remediation of compliance issues.
However, the current examination culture within the Joint Agencies is not conducive to these efforts. As evidenced by the recent slew of enforcement actions against financial institutions engaged in bank-fintech partnerships, examiners have pursued a “regulation by enforcement” regime that disincentivizes the proactive identification and remediation of compliance issues in a bank-fintech partnership. By disincentivizing proactive identification and remediation of compliance issues, the Joint Agencies have injected additional risk into the financial services industry by pushing regulated entities to hide potential issues from examination teams. To avoid this issue, AFC believes that the Joint Agencies should pursue programs that incentivize the proactive identification and remediation of compliance issues within bank-fintech partnerships. This effort will require agencies to reevaluate examiner culture and engagement with regulated entities to ensure that the relationship is collaborative as opposed to adversarial while maintaining a prudent amount of professional skepticism. Ultimately, this change in perspective could benefit both the regulators and regulated entities and improve the safety and soundness of the financial services industry.
iv. AFC Recommends the Joint Agencies Leverage Supervisory Technology in Examinations
Through the adoption of regulatory technology or “regtech” tools, innovative financial institutions and fintech companies sought to improve their internal and external regulatory processes. Regtech tools have been used to improve fraud detection practices, KYC activities, and regulatory reporting, among other activities. Financial institutions leverage the aforementioned fintech supplier partnerships to build these improved processes, resulting in significant cost savings and efficiencies.
While these regtech tools have proved beneficial for financial institutions and fintech companies, there are also significant opportunities the Joint Agencies to identify and implement supervisory technology or “suptech” tools to improve oversight and examination processes. Globally, suptech tools have been a key area of potential innovation for regulators. Both academic institutions, suchas the University of Cambridge via its Suptech Lab, and international organizations such as the International Monetary Fund and the Bank for International Settlements have recognized the importance of improving regulatory activities through the use of suptech tools.[32]
According to the Bank for International Settlement’s Financial Stability Institute, when pursued with a distinct strategy by an agency, suptech tools have been extremely helpful for improving supervision of regulated entities within a number of jurisdictions.[33] Specifically, the reportfound that suptech tools have improved efficiencies in their regulatory engagements. Further, the report noted that “[s]ome suptech tools are now critical to supervisory processes “[s]uptech tools should have a natural plac ein supervisory processes and address specific pain points”.[34]
Given the preponderance of evidence regarding the importance of suptech tools, AFC believes that it is imperative that the Joint Agencies follow their international counterparts and engage in a concerted manner to adopt suptech tools. Therefore, AFC respectfully recommends that the Joint Agencies identify and implement relevant suptech tools to improve their oversight activities of regulated entities. By implementing suptech tools, AFC believes that examiners can more efficiently and effectively examine regulated entities and lower thecosts associated with an examination for both the agency and the regulated entity.
v. AFC Recommends the Joint Agencies Constructively Engage with Private Sector Entities to Encourage Standards for Responsible Bank-Fintech Partnerships
In addition to the specific recommendations related to agency activities to remedy differences in examiner knowledge regarding bank-fintech partnerships and the services offered through them, AFC recognizes the importance of industry participants proactively engaging in efforts to standardize their processes andto adopt leading practices established by public or private standard setting organizations. Increasing the standardization of processes and practices by industry participants can greatly assist in the continued maturation of bank-fintech partnership models and improve their engagement with examiners both at the federal and state levels. In general, AFC believes that this standardization is best suited for industry-led efforts that constructively engage with regulators. AFC recognizes that to create a robust and competitive financial services industry that effectively serves consumers, especially those who have been historically underserved, regulators must ensure that they do not overly systematize a financial institution’s or fintech company’s risk appetite, profile, or assessment process in a manner that would exclude consumers from accessing legitimate banking products or services. However, existing risk assessments do not have the benefit of clear supervisory expectations regarding scoring parameters or thresholds. Therefore, AFC recommends that the Joint Agencies engage constructively with private sector entities, to develops coring parameters and thresholds for activities within bank-fintech partnerships that properly meet supervisory expectations and encourage responsible innovation.
b. AFC Recommends the Joint Agencies Engage in Programmatic Reforms to Encourage Responsible Bank-Fintech Partnerships
Beyond the supervision-related recommendations discussed above, AFC also recognizes the importance of additional programmatic efforts that the Joint Agencies could conduct to encourage responsible innovation through bank-fintech partnerships. To that end, we have developed several recommendations for the Joint Agencies’ consideration.
i. AFC Recommends the FDIC Immediately Reconstitute its FDITech Office to its Originally Intended Purpose
AFC has consistently conveyed its concerns regarding the FDIC’s more recent posture towards innovation.[35] Central to our concern is the change that the FDIC took towards its FDITech Office. In accordance with are commendation from the GAO, the FDITech Office was established in 2019 to serve as a central point of contact for the industry and engage in collaborative efforts to promote economic inclusion, consumer protection, competition, and identification of risk.[36] This effort was in line with the offices of innovation established by the other prudential regulators. Critical to both the GAO recommendation and the original establishment of the FDITech office was the office’s ability to serve as a clear point of contact for innovative industry participants.
However, more recently, the FDIC reconfigured the FDITech Office from its original externally focused operation to an internally focused endeavor. While we recognize that the agency is within its authority to determine the proper remit for its offices, AFC believes that, relative to its fellow prudential regulators, the FDIC’s decision negatively impacts regulated entities under the agency’s authority and creates the potential for further mischaracterization of bank-fintech partnerships within the agency’s examinations, as well as regulatory arbitrage within the industry. Consequently, AFC reiterates its previous recommendations for the FDIC to reconstitute its FDITech Office as a centralized office fo rindustry engagement and expand its remit to align with the other prudential regulators’ efforts.
ii. AFC Recommends the Joint Agencies Encourage the Modernization of Core Service Providers
As previously noted, fintech supplier partnerships operate differently than fintech consumer partnerships. Relatedly, innovation within these partnerships has also operated differently than their consumer partnership counterparts. Core service providers and their offerings represent an area that is greatly in need of modernization within the fintech supplier partnership space. Unlike the competition that exists in the fintech consumer partnership model, there is a dearth of competition related to core service providers and their offerings. Unfortunately, due to the high costs associated with building technologies and services that are currently provided by the existing core service providers, many small financial institutions are unable to move away from the core service providers. Though some innovation does occur within the core service providers’ offerings, there are not the requisite market forces to encourage substantial innovation by the entities in a manner that would allow for the customizations needed for innovative financial institutions to offer additional products and services. Therefore, AFC believes that in order to help core service providers innovate in a more robust manner, the Joint Agencies should pursue efforts that will encourage the modernization of these providers and those fintech partnerships that allow banks to innovate around the core platforms.
iii. AFC Recommends that the Joint Agencies Encourage the Use of Alternative Data in Lending for the Benefit of Consumers
As previously noted, one of the primary benefits of bank-fintech partnerships is the ability to serve historically underserved communities through innovative products and services. Part of the innovation that allows these partnerships to improve the financial lives of those previously left out of financial services is the use of “alternative data” to improve the underwriting and lending decision making of innovative financial institutions and fintech companies. The term “alternative data” is ill-fitted to what is actually being used within an underwriting model or lending decision. Alternative data is simply “alternative” because has not historically been included in credit reports. Data that would be considered “alternative” includes rental and utility payment data, which has historically not been included in credit reports—though this is changing due to innovations in the credit reporting space—but would include mortgage payment data. Significant evidence points to the benefit of including alternative data in underwriting models and lending decisions.[37] Therefore, to help build a more inclusive financial services industry, AFC recommends that the Joint Agencies pursue efforts that will encourage the use of alternative data in lending.
* * *
AFC appreciates the opportunity to comment on the Joint Agencies’ Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses. It is our sincere hope that the Joint Agencies will use the perspectives provided within this letter to craft a pragmatic, effective, and efficient regulatory agenda and framework regarding bank-fintech partnerships. As previously noted, we believe that the Joint Agencies should carefully consider the comments it receives in response to the RFI and craft their regulatory agendas based on the perspectives and recommendations provided by the various respondents. By pursuing such an approach, AFC believes that the Joint Agencies will identify and engage in a pragmatic regulatory agenda that encourages responsible innovation through bank-fintech partnerships and increases the resilience of the financial services industry. AFC welcomes continued engagement with the Joint Agencies on how to implement regulations, guidance, and programs that encourage the development of responsible innovation through bank-fintech partnerships.
Sincerely,
Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council
[1] American Fintech Council’s (AFC) membership spans EWA providers, lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] Unless specifically noted, for the purposes of this comment letter, the term“bank-fintech partnerships” encompasses financial institutions of all types,including credit unions and community development financial institutions, aswell as the myriad of fintech companies, such as those that assist financialinstitutions with lending, payments, and deposit taking activities, as well asthose that offer compliance services, fraud detection, or other enterpriseapplications.
[3] Board of the Governors of the Federal Reserve System, Federal Deposit Insurance Corporation,Office of the Comptroller of the Currency, “Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services(Jul. 25, 2024), available at https://www.occ.treas.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf.
[4] For example, banks’BSA Officers, in virtue of their role, take on a personal liability to ensurethe bank adheres to Bank Secrecy Act requirements.
[5] Consumer FinancialProtection Bureau, “Supervisory Authority Over Certain Nonbank Covered PersonsBased on Risk Determination; Public Release of Decisions and Orders”, Fed. Reg.87, no. 83 (Apr. 29, 2022): 25397.
[6] Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System;and Federal Deposit Insurance Corporation, “Request for Information onBank-Fintech Arrangements Involving Banking Products and Services Distributedto Consumers and Businesses”, Fed. Reg. 89, no. 147 (Jul. 31, 2024): 61577.
[7] Among other things, the Federal Reserve defines “novel activities’ as “Complex,technology-driven partnerships with non-banks to provide banking services”whereby “a non-bank serves as a provider of banking products and services toend customers, usually involving technologies like application programminginterfaces (APIs) that provide automated access to the bank’s infrastructure”.See, Board of Governors of the Federal Reserve System, “SR 23-7: Creation ofNovel Activities Supervision Program”, (Aug. 8, 2023), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2307.htm.
.
[8] Alloy Labs, TheNew Nomenclature Behind the BaaS Partnership Boom, available at https://mcusercontent.com/f2abc2968daf71bdb44774fc4/files/f495d138-cfe6-ab78-1a9c-8af18d0dc98d/The_New_Nomenclature_Behind_the_BaaS_Partnership_Boom.pdf.
[9] Ibid.
[10] U.S. Department ofthe Treasury, A Financial System That Creates Economic Opportunities: NonbankFinancials, Fintech, and Innovation, (July 2018), available at https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation_0.pdf.
[11] U.S. GovernmentAccountability Office, Financial Technology: Additional Steps by RegulatorsCould Better Protect Consumers and Aid Regulatory Oversight, GAO-18-254,(Mar. 22, 2018), available at https://www.gao.gov/products/gao-18-254; and U.S.Government Accountability Office, Financial Technology: Products HaveBenefits and Risks to Underserved Consumers, and Regulatory Clarity Is Needed,GAO-23-105536, (Mar. 08, 2023), available at https://www.gao.gov/products/gao-23-105536.
[12] Propson, Drew,Emina Ajvazoska, Felipe Ferri de Camargo Paes, Stanley Mutinda, Dana Salman,Jill Lagos Shemin, Krishnamurthy Suresh, et al., The Future of GlobalFintech: Towards Resilient and Inclusive Growth, (Jan. 2024), availableat https://www.jbs.cam.ac.uk/faculty-research/centres/alternative-finance/publications/the-future-of-global-fintech-towards-resilient-and-inclusive-growth/.
[13] Chernoff, Alan andJulapa Jagtiani, The Role of Bank-Fintech Partnerships in Creating a MoreInclusive Banking System, WP 23-21, Federal Reserve Bank of Philadelphia,(Oct. 2023) available at https://www.philadelphiafed.org/the-economy/banking-and-financial-markets/the-role-of-bank-fintech-partnerships-in-creating-a-more-inclusive-banking-system; Dolson, Erik andJulapa Jagtiani, Which Lenders Are More Likely to Reach Out to UnderservedConsumers: Banks versus Fintechs versus Other Nonbanks?, WP 21-17, FederalReserve Bank of Philadelphia, (Apr. 2021), available at https://www.philadelphiafed.org/consumer-finance/which-lenders-are-more-likely-to-reach-out-to-underserved-consumers; Lung, Harrison, Whyfinancial inclusion is the key to a thriving digital economy, WorldEconomic Forum, (Jul. 29, 2024), available at https://www.weforum.org/agenda/2024/07/why-financial-inclusion-is-the-key-to-a-thriving-digital-economy/; and Salman,Sabry, The role of banks in FinTech partnerships, Barclays InvestmentBank, (Sep. 18, 2023) available at https://www.ib.barclays/our-insights/3-point-perspective/the-role-of-banks-in-fintech-partnerships.html.
[14]Dunn, Andrew andNadia Van De Walle, Fintech as a Solution for Employee Financial HealthFindings from Five: Exploratory Studies, Financial Health Network, (Mar.2023), available at https://cfsi-innovation-files-2018.s3.amazonaws.com/wp-content/uploads/2021/03/23024025/FSL_IE-Report-WashU-Final.pdf; Cornelli, Giulio,Jon Frost, Leonardo Gambacorta, and Julapa Jagtiani, The Impact of FintechLending on Credit Access for U.S. Small Businesses, WP 22-14, FederalReserve Bank of Philadelphia, (Apr. 2022), available at https://www.philadelphiafed.org/the-economy/banking-and-financial-markets/the-impact-of-fintech-lending-on-credit-access-for-us-small-businesses; and Dunn, Andrewand Heidi Johnson, Building Consumer Savings with Fintech Innovations:Savings are a critical component of financial health, and new approaches canencourage consumer savings, Financial Health Network, (Jul. 2022) availableat https://finhealthnetwork.org/wp-content/uploads/2022/07/Building-Consumer-Savings-with-Fintech-Innovations-2022.pdf.
[15] Bogaard, Hein,Sebastian Doerr, Nicole Jonker, Hua Kiefer, Onur Koltukcu, Calixto Lopez, JoseR H Ornelas, et al., Literature review on financial technology andcompetition for banking services, Working Paper 43, Bank for InternationalSettlements, (Jun. 7, 2024), available at https://www.bis.org/bcbs/publ/wp43.pdf.
[16] Federal DepositInsurance Corporation, FDIC 2022-2026 Strategic Plan: The FDIC and theBanking Industry: Perspective and Outlook, (Last updated: Feb. 8, 2022).
[17] The Board ofGovernors of the Federal Reserve System, the Federal Deposit InsuranceCorporation, and the Office of the Comptroller of the Currency, Treasury,“Interagency Guidance on Third-Party Relationships: Risk Management”, Fed. Reg.88, no. 111, (Jun. 9, 2023): 37920.
[18] Ibid.
[19] See, ConsumerFinancial Protection Bureau, “Required Rulemaking on Personal Financial DataRights”, Last accessed Oct. 23, 2024, available at https://www.consumerfinance.gov/personal-financial-data-rights/.
[20] See, AmericanFintech Council, “Comments Regarding Proposed Required Rulemaking on PersonalFinancial Data Rights CFPB-2023-0052”, (Dec. 29, 2023), available at https://www.fintechcouncil.org/advocacy/comment-letter-responding-to-the-proposed-required-rulemaking-on-personal-financial-data-rights-implementing-section-1033; and AmericanFintech Council, “Statement from American Fintech Council (AFC) Senior VicePresident, Head of Policy and Regulatory Affairs, Ian P. Moloney, on theConsumer Financial Protection Bureau’s Personal Financial Data Rights FinalRule”, Oct. 22, 2024, https://www.fintechcouncil.org/press-releases/statement-from-american-fintech-council-afc-senior-vice-president-head-of-policy-and-regulatory-affairs-ian-p-moloney-on-the-consumer-financial-protection-bureaus-personal-financial-data-rights-final-rule.
[21] See, ConsumerFinancial Protection Bureau, “Required Rulemaking on Personal Financial DataRights”, Final Rule, (Oct. 22, 2024), available at https://files.consumerfinance.gov/f/documents/cfpb_personal-financial-data-rights-final-rule_2024-10.pdf. At the time ofsubmission for this comment letter, the CFPB’s final rule had been issued butnot yet published in the Federal Register.
[22] American Fintech Council, “Comments Regarding Request forInformation on Uses, Opportunities, and Risks of Artificial Intelligence in theFinancial Services Sector”, (Aug. 12, 2024), available at https://www.fintechcouncil.org/advocacy/federal-ai-letter; and American Fintech Council, “Statement fromAmerican Fintech Council (AFC) Senior Vice President, Head of Policy andRegulatory Affairs, Ian P. Moloney, on the Department of the Treasury’sApproach to Artificial Intelligence”, Sep. 25, 2024, https://www.fintechcouncil.org/press-releases/statement-from-american-fintech-council-afc-senior-vice-president-head-of-policy-and-regulatory-affairs-ian-p-moloney-on-the-department-of-the-treasurys-approach-to-artificial-intelligence.
[23] Acting Comptrollerof the Currency Michael J. Hsu Remarks in Support of the 2024 Conference onArtificial Intelligence and Financial Stability “AI Tools, Weapons, andAccountability: A Financial Stability Perspective” June 6, 2024.
[24] Ibid.
[25] Ibid.
[26] See, Request forInformation on Bank-Fintech Arrangements, Risk and Risk Management question 16and Trends and Financial Stability question 4.
[27] Office of theComptroller of the Currency, Congressional Budget Justification and AnnualPerformance Plan and Report FY 2025, available at https://home.treasury.gov/system/files/266/21.-OCC-FY-2025-CJ.pdf, Page 3.
[28] See, FederalDeposit Insurance Corporation, “FDIC and FinCEN Launch Digital Identity TechSprint”, Jan. 11, 2022, https://www.fdic.gov/news/press-releases/2022/pr22003.html. While the TechSprint was announced in January 2022, it took place on April 4, 2022. See,Financial Crimes Enforcement Network, “FDIC FinCEN Digital Identity Tech Sprint- Key Takeaways and Solution Summaries”, Sep. 9, 2022, https://www.fincen.gov/news/news-releases/fdic-fincen-digital-identity-tech-sprint-key-takeaways-and-solution-summaries.
[29] Federal DepositInsurance Corporation, FIl-50-2016, “Examination Guidance for Third-PartyLending” (July 29, 2016). This proposed examination guidance was not finalized.
[30] Conference ofState Bank Supervisors, “State Regulators Roll Out One Company, One Exam forNationwide Payments Firms”, Sep. 15, 2020, https://www.csbs.org/regulators-announce-one-company-one-exam-for-payments-companies.
[31] State regulatoryfinancial services licensing jurisdictions include all 50 states, the Districtof Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.
[32] See, theUniversity of Cambridge’s Cambridge Suptech Lab, https://lab.ccaf.io/; BIS InnovationHub, “BIS Innovation Hub expands suptech and regtech research to includemonetary policy tech”, Last updated Mar. 21, 2024, https://www.bis.org/about/bisih/topics/suptech_regtech.htm; and TobiasAdrian, Financial Counsellor and Direct, Money and Capital Markets Department,IMF, “AI and Regtech”, Speech, VirtualWorkshop on AI & Finance, Oct. 29, 2021, available at https://www.imf.org/en/News/Articles/2021/10/29/sp102921-ai-and-regtech.
[33] Prenio, Jermy, Peeringthrough the hype - assessing suptech tools' transition from experimentation tosupervision, Bank for International Settlements, FSI Insights No. 58, (Jun.14, 2024), available at https://www.bis.org/fsi/publ/insights58.pdf.
[34] Ibid, Pages 14-15.
[35] See, Ian P.Moloney, on behalf of the American Fintech Council, to the Honorable Martin J.Gruenberg, Federal Deposit Insurance Corporation, Feb. 2, 2024, https://www.fintechcouncil.org/advocacy/american-fintech-council-shares-letter-to-fdic-on-thoughts-towards-innovation; and The HonorablePhil Goldfeder, on behalf of the American Fintech Council, to the HonorableMartin J. Gruenberg, Federal Deposit Insurance Corporation, Apr. 19, 2024, https://www.fintechcouncil.org/advocacy/federal-advocacy-letter-to-fdic-on-regulating-innovation.
[36] Ibid, GAO-18-254.See also, U.S. Government Accountability Office, Financial Technology:Agencies Can Better Support Workforce Expertise and Measure the Performance ofInnovation Offices, GAO-23-106168, (Sep. 6, 2023) available at https://www.gao.gov/assets/gao-23-106168.pdf, Page 27.
[37] See, FinRegLab, AlternativeData and Market Dynamics in MSE Lending in Kenya: Market Context Report,(Mar. 2024), available at https://finreglab.org/research/alternative-data-and-market-dynamics-in-mse-lending-in-kenya/;Cochran,Kelly Thompson, Michael Stegman, and Colin Foos, Utility,Telecommunications, and Rental Data in Underwriting Credit, FinRegLab andUrban Institute, (Last updated: Mar. 2022), available at https://finreglab.org/research/utility-telecommunications-and-rental-data-in-underwriting-credit/; FinRegLab, DataDiversification in Credit Underwriting: Research Brief, (Oct. 2020), availableat https://finreglab.org/research/data-diversification-in-credit-underwriting/; FinRegLab, TheUse of Cash-Flow Data in Underwriting Credit: Market Context & PolicyAnalysis, (Feb. 2020), available at https://finreglab.org/research/the-use-of-cash-flow-data-in-underwriting-credit-market-context-policy-analysis/; and FinRegLab, TheUse of Cash-Flow Data in Underwriting Credit: Small Business Spotlight,(Sep. 2019), available at https://finreglab.org/research/the-use-of-cash-flow-data-in-underwriting-credit-small-business-spotlight/.
.svg)
.svg)
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.
.webp)