FTX Fraud & Bankruptcy: What It Means for Your Financial Institution
Sometimes smart people do stupid things. When there is money to be made, they can get caught up in the excitement of opportunity (and dare I say, greed) and close their eyes to the potential for risk.
It’s a story we see repeated time and time again from the collapse of Enron to the mortgage crisis. The latest is the collapse of cryptocurrency exchange FTX. Its bankruptcy in November 2022 saw $2 billion in value disappear overnight and over $1 billion in client funds go missing.
It’s not just the billions of dollars that evaporated that makes this story newsworthy — it’s whose money went missing. Hedge funds like Sequoia Capital and SkyBridge Capital and cryptocurrency exchanges like BlockFi were all burned.
Why did this happen? It was a blatant failure in due diligence.
What is due diligence & where did it fail?
Due diligence refers to gaining assurance that a potential partner (whether it’s through an investment, third-party vendor, fintech partner, consultant or other party) is financially and operationally stable and compliant with all applicable laws and regulations. It’s thinking about the strategic reasons a company is considering working with an outside party and then collecting and reviewing documentation to assess whether that party can help the company achieve its goals.
Skipping over due diligence — or engaging in performative due diligence that collects a few documents and accepts them at face value without taking a closer look — can have disastrous consequences.
That’s what appears to have happened at Sequoia. The Wall Street Journal says Sequoia was so hungry to get in on the opportunity to invest in crypto, it “shirked traditional corporate controls such as external board oversight that are typical for such large investments.” The company has since apologized to investors and promised to improve due diligence.
It’s a classic case of failed risk management. Before diving into a new business opportunity, a company needs to assess the risks and determine if they align with the company’s risk tolerance as set by the board. But in this case the company was so driven by the fear of missing out (FOMO), it tossed out the controls without considering what it would mean for risk exposure. Perhaps the partners knew the board would ask difficult questions or be uncomfortable with the risk and say no. But this is one case where asking for forgiveness instead of permission backfired.
If companies like Sequoia had dug into FTX, they might have uncovered issues that would have given them pause.
For example, the FDIC issued a cease and desist letter against FTX in August 2022 for “false and misleading statements” claiming deposits were covered by FDIC insurance. Not many fintechs have received cease and desist letters from the FDIC, which should have been a red flag for regulatory compliance. The letter refers to a tweet from the then-president of FTX, suggesting a poor culture of compliance.
Meanwhile, FTX’s financials — including at its venture capital firm — were lacking. Documents from the bankruptcy revealed that most of its companies didn’t have quarterly financial statements — and the statements that did exist weren’t audited, reports Coindesk. (For its part, Sequoia said FTX misled the company and going forward it will be able to audit financial statements for all investments, even start-ups.)
You would think stories like these would be a due diligence wake-up call, but these situations keep occurring. Remember Elizabeth Holmes and Theranos. At one point her biotechnology company was worth $4.5 billion. Now Holmes is sentenced to serve more than 11 years in prison for defrauding investors and lying about the success of her company’s blood testing technology. I wonder how many FTX investors watched The Dropout on Hulu marveling that any investor would be so naive.
A renewed focus on fintech due diligence
While individuals may forget cautionary tales, the regulatory agencies don’t. The collapse of Enron brought us the Sarbanes-Oxley Act. The financial crisis and subsequent failure of over 400 banks resulted in an increased focus on risk management from regulatory agencies and examiners.
The FTX bankruptcy has resulted in congressional hearings and increased scrutiny of cryptocurrency and whether it needs to be regulated.
But perhaps more immediate for banks, credit unions, mortgage companies, and fintechs, it adds urgency to regulator efforts to increase third-party service provider management (including due diligence and oversight) of fintechs.
A November 2022 Treasury Report found that the fintech industry requires greater oversight to protect consumers and the market for competitive, sustainable financial services products and services. It breaks its recommendations down into three categories:
- A clear and consistently applied supervisory framework for bank-fintech relationships.
- Robust supervision of bank-fintech lending relationships for compliance with consumer protection laws and their impact on consumers’ financial well-being.
- Support innovations in consumer credit underwriting designed to increase credit visibility, reduce bias, and prudently expand credit to underserved consumers.
Meanwhile, Federal Reserve Governor Michelle Bowman has announced the Fed plans to publish a whitepaper on community bank-fintech partnerships next year that will outline “effective practices for managing those arrangements.”
In a September 2022 speech, Acting Comptroller Michael Hsu noted similarities between the shadow banking system that contributed to the 2008 financial crisis and “the complex de-integration of banking services in areas like online and mobile payments, lending, and deposit-taking activities.”
“My strong sense is that this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis,” Hsu says.
The OCC is “working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes” to “enable a clearer focus on risks and risk management expectations.” The agency also plans to open an Office of Financial Technology in early 2023 to “provide strategic leadership, vision, and perspective for the OCC’s financial technology activities and related supervision.”
NCUA Chairman Rodney Hood is also pressing the issue. In a November 2022 speech he said, “As a regulator, I remind credit union leaders: do your due diligence. When you’re talking to these fintech providers, probe them on their commitment to financial inclusion to make sure that they share the industry’s ethic of service and social impact.
“And probe them on other critical questions: Have they thought through the challenges related to data security and consumer privacy, and do they have adequate protections in place? Is what they’re pitching consonant with your institution’s existing compliance responsibilities under Know Your Customer and the Bank Secrecy Act requirements, as well as other pertinent regulations? Are the algorithms powering their products and services helping to promote equity and inclusion, or do they simply reinforce old biases?
“These are all pertinent questions. Let’s really press these founders on the strengths and weaknesses of their products. Not to antagonize them but to ensure that they’ve taken into account the realities of what it means to work in the financial services space.”
Hood’s advice is applicable to every financial institution looking to partner with a fintech. Due diligence means asking probing questions. It’s going beyond kicking the tires to really look under the hood to understand what kind of partnership you’re getting.
Don’t wait for examiners to ask about your due diligence and vendor management process. Now is the time to make sure your vendor management program has a robust initial and ongoing due diligence program.