Will the CFPB Examine Fintechs Soon?

Many fintech companies expect the financial institutions and middleware BaaS aggregators they partner with to bear responsibility for compliance. But as a recent proposal from the Consumer Financial Protection Bureau (CFPB) reminds us, fintechs can’t absolve themselves of this responsibility. They need to take ownership of compliance. 

In this post, we look closer at how the CFPB’s proposed rule would impact its supervisory authority over fintechs and how it squares with overall compliance trends and expectations in the fintech market.

Table of Contents

A closer look at the CFPB fintech proposal
Regulators wary of fintech partnerships
Fintechs must focus on compliance in 2024
Laying the foundation for coming compliance exams

A closer look at the CFPB fintech proposal

In November 2023, the CFPB released a proposed rule defining larger participants in the general-use digital consumer payment application market. Under the proposal, fintechs offering products like digital wallets, payment apps, and peer-to-peer (P2P) apps that process 5 million payments yearly would be subject to CFPB oversight.

While this doesn’t include any new compliance requirements, it would empower the CFPB to ensure these companies comply with existing consumer protection requirements, including unfair, deceptive, and abusive acts and practices (UDAAP), consumer data privacy protections under the Gramm-Leach-Bliley Act (GLBA), and the Electronic Funds Transfer Act (EFTA).

Fintechs have already seen what can happen when they violate UDAAP. In 2021, the CFPB fined digital loan providers $11.5 million for misleading borrowers. Just days before the CFPB released its fintech proposal, the Federal Trade Commission (FTC) entered a proposed $18 million settlement with a digital lender for failing to disclose terms to consumers and making it difficult to cancel monthly subscriptions. In 2022, the CFPB fined a fintech that offers an automated saving tool $2.7 million for misrepresenting the effectiveness of the algorithm it used to decide how much money would be moved to savings.

Fintechs are particularly susceptible to UDAAP violations from marketing and advertising campaigns, especially those targeting vulnerable populations.

Regulators wary of fintech partnerships

A Virginia-based bank with close to 50 Banking-as-a-Service (BaaS) relationships dumped at least 12 fintechs following a 2022 consent order from the Office of the Comptroller of the Currency (OCC).  

The OCC discovered that many of the bank’s fintechs engaged in unsafe and unsound banking practices related to the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and information security. 

In May 2023, a trailblazing New Jersey bank serving fintechs found itself on the wrong side of a consent order from the Federal Deposit Insurance Corporation (FDIC). Several of its fintech partners engaged in unsafe and unsound fair lending practices. 

While the FDIC consent order focused on fair lending, its provisions indicate regulators’ expectations for bank-fintech partnerships. 

The order’s provisions require the New Jersey bank to:

• Engage an independent third party to ensure fintech products comply with applicable laws and regulations. 
• Conduct a risk assessment of current third-party/fintech products. 
• Develop internal risk controls for third-party partnerships, review them periodically, and adjust them as necessary. 
• Create policies and procedures for the assessment of third-party risk.

Most damaging to the bank and its fintech partners, the consent order requires the bank to obtain pre-approval from the FDIC before onboarding new fintechs. With a business model that relies on financial technology, the consent order significantly restricts the profitability of the bank and its fintech partners.

Fintech partner's marketing materials got a Washington bank in trouble, it announced earlier this year. An FDIC consent order said the bank “engaged in unsafe or unsound banking practices [and] deceptive and unfair acts and practices in or affecting commerce,” through its fintech’s marketing practices. It will also require regulator approval before entering into new fintech partnerships.  

Agency crackdowns on fintech relationships give financial institutions the jitters. FIs may pull back on their fintech partnerships in response to elevated regulatory scrutiny. They may decide the risk of fintech partnerships is not worth the reward.

Fintechs must focus on compliance in 2024

The CFPB’s proposed rule offers further evidence that if fintechs want profitable relationships with financial institutions, they must prioritize compliance. 

Compliance oversight for fintechs will not be a one-and-done process. 

When examiners begin digging into a financial institution’s compliance record, they frequently look back years to make their case. The DOJ recently settled with a Los Angeles bank for $31 million for fair lending violations between 2017 and 2020. There is no statute of limitations for enforcement actions. 

If the CFPB gains supervisory authority over fintechs, its examiners will ask your company tough questions. They will expect good answers. Although financial technology firms understand they must comply with applicable laws and regulations, fintechs haven’t undergone examinations like their traditional banking counterparts. 

Compliance exams are intimidating. Below are the steps your fintech can take to become exam-ready in 2024.

Laying the foundation for coming compliance exams

If fintechs want to prepare for increased regulatory scrutiny and potentially costly enforcement actions, they should take the following steps: 

Conduct a compliance risk assessment: Fintechs must understand their regulatory risks. A compliance risk assessment identifies internal controls and weaknesses. Financial technology companies may use compliance management software tools or hire consultants to conduct these risk assessments. 

Build a strong compliance monitoring system: Examiners will want to ensure the strength of your compliance management system. How are you monitoring compliance risk? Do your people undergo training? How does your company verify the completion and effectiveness of this training? It’s not enough to simply have a compliance program – examiners need assurances that your compliance program works.   

Identify a person to communicate with regulators: You want to make it easy for regulators to perform an exam. Designating a point person to handle examiner questions makes the process more efficient. This individual may be your Chief Compliance Officer (CCO) or a compliance manager. 

Fintechs cannot afford to wait until the CFPB’s proposed rule takes effect before developing a sound compliance management system. Even if your company falls below the 5 million payments processed threshold, creating a culture of compliance takes time and effort. It’s not something you can put in place overnight. 

As the digital consumer payment market grows, regulators and bankers will only increase the pressure on fintechs to improve their compliance controls and management. By failing to prepare for these changes, fintechs are preparing to fail.

What Examiners Want in Compliance