
We Should Regulate Banking, Not Just Banks

Written by Jonah Crane

In the last two decades, virtually all new banking products have been brought to market by nonbanks, and most of that innovation has been delivered through partnerships with a bank. Federal banking regulators have responded, training significant and increasing focus on those arrangements. Since 2021, they have proposed or finalized no fewer than 18 regulations and guidance documents, created two new supervisory programs focused on partnerships, and brought 39 public enforcement actions involving banks that partner with fintechs. The FDIC just proposed two rule changes targeted at fintech program deposits, and agency heads have given numerous speeches on the topic. Now Congress is getting into the mix, holding hearings and firing off letters on the topic.

It is easy to see in this flurry of activity a plan, a plot, a scheme to shadow ban fintech partnerships. Is this Operation Chokepoint 2.0?

I don’t think so.

When looking at the totality of what regulators have done in the past four years, it is hard to detect a grand strategy. I see a range of competing agendas, yes, but mostly a regulatory system trying to catch up to the transformation underway, perhaps in denial about the nature of that transformation. The result is a doubling down on the tools they have always used even as they become increasingly ill-suited to the task.

Banking in the Digital Age: Unbundled and Embedded

The business of banking is generally defined to include taking deposits, making loans, and facilitating payments. From the customer’s perspective, it doesn’t matter who provides those services–“banking” includes anything that allows them to receive, store, move and borrow money. The transformation underway can be summarized as follows: Banking is becoming unbundled and embedded:

  • The average consumer has approximately 5-7 financial accounts, and increasingly has more than one checking account.

  • Nearly half of all new “checking” accounts are opened at a fintech – PayPal and Chime alone account for 20% of all new account openings. 

  • Roughly one-third of all GenX, Millennial, and GenZ customers consider a digital bank or fintech account to be their “primary” checking account. 

Financial services of all kinds are increasingly embedded directly into commercial activity. This makes sense when you step back and realize that financial services are a means to an end–we don’t consume financial services for the sake of it. While this was always true, digitization of both commerce and banking has made it easier to combine the two and achieve greater convenience for the customer.  

Banks are no longer, in this unbundled and embedded world, at the center of the universe. This presents a particular challenge for regulators, because they do not regulate banking–they regulate banks (more specifically, they don’t supervise banking, they supervise banks).

Indeed, the Request for Information (“RFI”) recently issued by the bank regulators suggests regulators view this transformation itself as a risk, warning that “bank-fintech arrangements also may introduce potential risks through business and legal structures that … unbundle traditional banking products and services (particularly payments)” (emphasis added). 

New Paint on an Old House

To their credit, regulators have been on a multi-year campaign to understand this transformation, most recently through the RFI, seeking answers on questions that cover almost every aspect of bank-fintech relationships. The Joint Statement accompanying the RFI highlights a number of examples of operational risks and incentive misalignment that reflect a nuanced understanding of how these arrangements work and where the pitfalls are. Through public and private engagement, and dozens of focused exams, regulators have developed a deeper understanding of bank-fintech partnerships. 

The problem is we continue to apply a model that was designed for a different kind of relationship, where the bank was the application layer and the technology provider was the infrastructure layer. No matter how many times they update third-party risk management guidance, it will not encompass the wide variety of potential bank-fintech arrangements, nor will it address the fundamental difficulty of trying to regulate an entire fragmented sector indirectly by deputizing the banks. 

The RFI contains an important clue as to why bank-fintech arrangements are a challenge to manage using TPRM processes. These arrangements, the agencies note, “may present the full spectrum of risks facing banks.”

So, this isn’t really a TPRM issue–it’s much broader than that. And yet, the regulators continue to double down on deputizing banks, through their third-party risk management processes, to police all of embedded finance.

This approach reflects a mental model of one-way service provider relationships: Everyone other than the bank is a contractor or subcontractor to the bank. Embedded finance turns that relationship on its head, or at least complicates it significantly: The bank is providing critical infrastructure to a nonbank that is delivering financial products and services out to the marketplace. 

This view of banks as infrastructure is almost entirely absent in the guidance and enforcement actions noted above. Indeed, only two of the public enforcement actions–those involving Piermont Bank and Evolve Bank (which was issued subsequent to the Synapse failure)–made mention of systems of record or ledgering. Even operational risk more generally has rarely been the focus of enforcement actions.

Meanwhile, the fintechs developing, marketing, operating, and servicing financial products have no direct relationship with the regulator making decisions about their program. In fact, those companies are generally prohibited by strict laws from having any direct knowledge of the regulatory issues impacting their partner banks. They are asked to provide information or documents to respond to regulatory inquiries without knowing what the questions actually are, or having any other context, and relying on the bank to communicate the answers to regulators. The supervisory game of telephone puts all parties in a difficult bind, and virtually ensures miscommunication.

Embedded finance is stretching the TPRM model past its breaking point.

In Search of New Models

In the collapse of Synapse, which led to $160 million being frozen for months, regulators see validation of their worst fears about the complex supply chains of embedded finance – what happens when players outside the regulatory “perimeter” are allowed to dabble in financial services. The heartbreaking personal stories of people unable to access their savings have received the attention of politicians in DC, further raising the stakes in this act of the years-long fintech drama.

The urgent task facing the industry (and, I hope, regulators) is to rebuild trust in the partnership model. If consumers can’t distinguish between banks and fintechs, the industry needs to make sure consumers are protected regardless. 

This will be painful, because as a first step it requires acknowledging that third-party risk management, the primary tool regulators have historically used to manage relationships between banks and technology companies, is not sufficient. Instead, regulators and the industry will need to work together to develop operating models, systems, and processes that will reliably deliver on promises to customers that their money is safe.

A starting point for this work might include:

  • Every bank should be required to regularly test their record keeping systems with fintechs to ensure they are accurate and to prove FDIC insurance eligibility. As we learned the weekend SVB failed, uncertainty about which customers meet the technical requirements for deposit insurance can be paralyzing. And Senators Warren and Van Hollen are right that the FDIC logo should not be used if steps have not been taken to ensure eligibility for insurance. The FDIC’s September 17 proposal to require stringent record-keeping for custodial accounts would go a long way toward addressing this.

  • To protect customers in the event a fintech fails, it must be clear that the funds belong to the end customer (not the fintech’s bankruptcy estate), and the bankruptcy court must have processes to quickly recognize that and restore access to the affected consumers. When crypto lender Celsius failed, courts recognized the bankruptcy remoteness of custodial accounts, albeit after a longer wait than would likely be deemed acceptable for a bank account. 

  • Banks must have the ability to take over or transfer control of accounts so they can continue to operate, and must maintain clear plans for doing so in the event the fintech fails. 

These changes are highly technocratic and require detailed contingency planning by banks and fintechs, clear account titling conventions, and possibly bankruptcy reforms. But with $54 million of customer funds still stuck at two Synapse partner banks, now is the time to start working on them. These are all areas where the industry can and should develop its own standards to propose to regulators. 

In the longer term, we will need to re-architect the regulatory system–expand the “regulatory perimeter”–to encompass this new fragmented world. Structurally, there are a few options, some of which are in the works: 

  • The CFPB has authority to identify “larger participants” in any market and directly supervise them. Indeed, they might do so in the market for payments later this year. This could help to level the playing field for good actors, but would address just a fraction of the problem. 

  • We could also create charters that provide viable pathways for fintechs to become “banks” themselves–but under a regime that recognizes their unique business models. Something like a payments charter would be a welcome, and long-overdue step, and would provide a directly-regulated alternative to the partnership model for many fintechs.

  • Bank regulators could directly supervise fintechs under the Bank Service Company Act. Regulators have historically declined to extend their remit beyond the service providers that serve hundreds or thousands of banks – there are economies of scale in regulation too, after all. But legally they can go further.

Interestingly, the OCC seemed to come to this conclusion back in 2001. Recognizing that what it then called “franchise” arrangements posed unique strategic and operational risks to banks, the OCC suggested (in guidance that has since been rescinded) the answer would likely be more direct supervision of the nonbanks: 

The OCC will scrutinize carefully any such arrangement and may use its supervisory authority to examine the operations of third parties who act as service providers to national banks …. Accordingly, the OCC will likely conduct regular examinations of both the bank and the third party to assess the risks associated with these activities.

The most practical option that would go the furthest in addressing the gaps in today’s supervisory regime would be to incorporate fintechs and tech platforms directly into banks’ supervisory processes. That would give them a seat at the table, and give examiners a more direct view into the supply chain. 

Let’s go build new regulatory models and industry standards that recognize the transformation underway in banking before it’s too late. This is where I would start. 

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
