Third-Party Relationships

In the possible final stage of the Alpine Securities saga (as we blogged about here, here and here), Judge Clark Waddopous of the United States District Court for the District of Utah issued an opinion granting the Securities and Exchange Commission’s (“SEC”) motion to dismiss the amended complaint filed by plaintiff brokerage firm Scottsdale Capital Advisors (“SCA”).

SCA’s suit, distilled greatly, challenged the SEC’s authority to enforce, administer and interpret the Suspicious Activity Report (“SAR”) regulations issued under the Bank Secrecy Act (“BSA”) and incorporated into the securities laws. What makes this case interesting is that the SEC did not impose penalties for failure to comply with the SAR requirements against SCA; rather, the agency sought penalties against SCA’s contractual partner, Alpine Securities Corporation (“Alpine”), a Salt Lake City-based brokerage firm. SCA became involved because it agreed to act as an introducing broker-dealer for transactions cleared through Alpine. SCA’s amended complaint alleged that it had suffered harm as a result of the SEC’s improper enforcement action against Alpine.

The ultimate reason the Court dismissed the suit is because SCA had to show standing under the Administrative Procedures Act, 5 U.S.C. §§ 550, et seq., (“APA”) and failed to satisfy this requirement because there was neither a “final agency action” nor an “injury” for APA purposes.

The opinion is important because all types of financial institutions covered by the BSA routinely enter into contracts with third parties (which themselves may or may not be covered by the BSA) involving the fulfillment of anti-money laundering (“AML”) compliance requirements.  These relationships can involve fintech-bank partnerships, third parties tasked with collecting customer information, and much more.  As the opinion reflects, if a regulator goes after an entity’s contractual partner for alleged AML failures, that entity can suffer downstream consequences – including a contract and indemnification dispute – with little to no ability to affect the regulator’s actions through the APA.

Continue Reading  Another Chapter in the Alpine Securities Saga:  District Court Grants Motion to Dismiss Complaint Challenging AML Enforcement Action Against Contractual Partner

On September 17, 2024, the FDIC board approved a notice of proposed rulemaking that would increase recordkeeping obligations for bank deposits received from third party, non-bank companies that accept those deposits on behalf of consumers and businesses.  The FDIC announcement is here; a related statement by FDIC Chairperson Gruenberg is here.

Agency officials

The federal banking regulators (The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation) issued on July 25 a lengthy joint statement outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services. 

On July 3, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) as part of a broader initiative to “strengthen, modernize, and improve” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In addition, the NPRM seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions (“FIs”) and the government.

This NPRM implements Section 6101 of the Anti-Money Laundering Act of 2020 (the “AML Act”).  It also follows up on FinCEN’s September 2020 advanced notice of proposed rulemaking soliciting public comment on what it described then as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (‘BSA’) . . . . to re-examine the BSA regulatory framework and the broader AML regime[,]” to which FinCEN received 111 comments.

As we will discuss, the NPRM focuses on the need for all FIs to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program.  The NPRM also focuses on how consideration of FinCEN’s AML/CFT Priorities must be a part of any risk assessment.  However, in regards to addressing certain important issues, such providing comfort to FIs to pursue technological innovation, reducing the “de-risking” of certain FI customers and meaningful government feedback on BSA reporting, the NPRM provides nothing concrete.

FinCEN has published a five-page FAQ sheet which summarizes the NPRM.  We have created a 35-page PDF, here, which sets forth the proposed regulations themselves for all covered FIs.

The NPRM has a 60-day comment period, closing on September 3, 2024.  Particularly in light of the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation, this rulemaking, once finalized, presumably will be the target of litigation challenging FinCEN’s interpretation of the AML Act. 

Continue Reading  FinCEN Issues Proposed Rulemaking Aimed at Strengthening and Modernizing AML Programs Across Multiple Industries

The U.S. Department of the Treasury (“Treasury”) has released a Request for Information on the Uses, Opportunities, and Risks of Artificial Intelligence (“AI”) in the Financial Services Sector (“RFI”).  Written comments are due by August 12, 2024. 

AI is a broad topic and the term is sometimes used indiscriminately; as the RFI suggests, most AI systems being used or contemplated in the financial services sector involve machine learning, which is a subset of AI.  The RFI implicitly concedes that Treasury is playing “catch up” and quickly needs to learn more about AI and how industry is using it.  The RFI discusses a vast array of complex issues, including anti-money laundering (“AML”) and anti-fraud compliance, as well as fair lending and consumer protection concerns – particularly those pertaining to bias.

Continue Reading  Treasury Issues Request for Information on Use of AI in Financial Services

On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.

The Guide serves as a companion to the Interagency Guidance on Third-Party Relationship: Risk Management issued in June 2023 (on which we blogged, here).  It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.

The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.

However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks.  Banks are still accountable for executing all activities in compliance with applicable laws and regulations.  “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).”  Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.”  The Guide sets forth this concept in bold, on the first page. 

The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers.   Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions in regards to effective third-party risk management. 

Continue Reading  Federal Banking Agencies Issue Guide to Third-Party Risk Management Practices for Community Banks

In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks who partner with fintechs to offer “banking as a service” (BaaS) related to safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight. 

BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer.  A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms.  BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.

These two consent orders do not arise in a vacuum.  In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.  The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.  At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here.  Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.

Continue Reading  Recent FDIC Consent Orders Reflect Ongoing Scrutiny of Bank Relationships with Fintechs

In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system.  In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks. 

Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.  We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.

Continue Reading  OCC Risk Perspective Report Focuses on Third-Party Relationships with Fintechs

The OCC, FDIC, and Federal Reserve Board have issued a guide that is intended to assist community banks in conducting due diligence when considering relationships with financial technology (fintech) companies (Guide).

The issuance of the Guide follows the agencies’ July 2021 release of proposed interagency guidance for banking organizations on managing risks associated with third-party