Fintechs Will Be Doomed to Repeat History Unless They Learn From It

One lesson Fintechs can learn from the prepaid industry is that financial regulators will come directly to them in the event of any violation of financial regulations. They cannot rely on bank partners or anyone else to take care of compliance for them.

We can look back a few years to see an example of how this might happen. In 2013, the Federal Deposit Insurance Corp. (FDIC) placed a consent order and assessed a civil money penalty against Achieve Financial Services LLC, a prepaid program manager.

The obvious question is – how could the FDIC do this, when Achieve was not a bank?

The Federal Deposit Insurance Act gives banking regulators the right to take action against any non-bank third party that is an “institution-affiliated party.” The definition includes:

(4) any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in--

(A) any violation of any law or regulation;

(B) any breach of fiduciary duty; or

(C) any unsafe or unsound practice,

which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.

This means that like prepaid program managers so-called challenger banks or Neobanks can be subject to direct action from regulators even if they are working with a third-party bank to deliver services.

The banks already know they are not immune from regulatory scrutiny from their partners, and in the case of Achieve, the regulators also laid a consent order and civil money penalty on the issuing bank.

Fintechs who want to succeed would benefit from taking the time to read the consent order against Achieve. It details the expectations that the banking regulator had for a non-bank entity. Some of the provisions would be worth adding to a compliance program well before a consent order. A few of the actions required of Achieve include:

• Developing a risk-based compliance management system and comprehensive written compliance program;
• Including compliance matters in the communication between the board and company personnel;
• Training appropriate personnel on compliance.

As shown by the RushCard penalties in 2015, the Consumer Financial Protection Bureau (CFPB) has taken up the mantle of enforcing most consumer financial protection laws. Nonetheless, it is worth noting that the Achieve action was taken two years after the CFPB’s founding, and the actions that led to the enforcement action also took place after the CFPB was created.

Regardless of who the governing regulator is, Fintechs need to realize that once they are handling consumers’ money, they need to have in-house compliance programs. They cannot depend on third-party banks alone to comply with consumer protection and anti-money laundering rules, or the Bank Secrecy Acts, for them.

As Fintechs develop the next generation of financial services, they should look to the lessons of the prepaid industry, which has blazed a trail through these kinds of partnerships.