Are Fintechs Prepared for More Regulatory Scrutiny? Questions Fintech Boards Will Want To Ask

Skadden Publication / The Informed Board

Mark Chorazak, Adam J. Cohen

Key Points

  • The 2024 elections may usher in laws and regulations that impact fintechs, making it important for management to identify the areas that present the greatest challenges and opportunities.
  • As fintechs grow, they should consider whether they have all necessary licenses to operate and whether existing compliance and risk management infrastructure should be augmented to be “fit for purpose.”
  • Bank-fintech partnerships are under the regulatory microscope. Fintechs that rely on bank partners should evaluate how their business models could be affected if partnerships are terminated or no longer available on existing terms.
  • Reliance on a few counterparties and providers raises concentration risk and operational resiliency issues. Fintechs should prioritize the development and regular testing of contingency plans.

As summer winds down and year-end comes into sight, boards of financial technology firms should take stock of where they stand in four key areas:

  • Legislative and regulatory change.
  • Licensing and compliance risks.
  • Bank-fintech partnership scrutiny.
  • Concentration risks and operational resiliency issues.

Boards should expect that increasing interest in the fintech sector by U.S. financial regulators will spark questions — not least of all from investors — on how these areas are being addressed.

Preparing for Legislative and Regulatory Change

One of the most significant developments in financial services in the last 10 years has been the role of non-bank firms operating outside the traditional bank regulatory perimeter providing core banking and other financial services. As the fintech sector’s market share and prominence have grown, so too has the regulatory scrutiny over its various participants. The ability to anticipate and respond to regulatory change is — and will be — a distinguishing characteristic of fintechs with the most viable and successful business models.

Global regulators are increasingly concerned about the linkages between the traditional banking sector and non-bank providers of financial services. In the U.S., regulators have approached the growing fintech sector from a variety of angles, depending on each regulator’s statutory mandate: consumer protection, investor protection, cybersecurity, data privacy, antitrust/competition, anti-money laundering (AML), and the financial stability and safety-and-soundness risks arising from banks’ relationships with fintechs, among others. The development, prioritization and enforcement of certain rules may depend greatly on the political climate.

At the federal level, the White House, the full House of Representatives and 34 of the 100 seats in the Senate are up for election in November. The outcomes could result in significant changes in the leadership, personnel and priorities at the federal banking regulators, the Consumer Financial Protection Bureau, the Securities and Exchange Commission, the Federal Trade Commission and other agencies. In addition, leadership changes at key congressional committees may lead to different legislative and investigative agendas.

While the 2024 presidential and congressional elections will capture the most attention, 11 states have gubernatorial elections, the outcome of which may impact fintechs operating in or licensed by those states.

Questions that boards might consider asking include:

  • What areas of our existing business will be most impacted by the 2024 elections?
  • Are both adverse and opportunistic impacts being considered?
  • What areas of legislative and regulatory action should be prioritized in terms of monitoring and strategic planning, both in terms of likelihood and materiality of occurrence?
  • Is strategy being developed for the most likely scenarios/impacts and the most material scenarios/impacts?
  • What are the proactive steps that can be taken now to manage risks and seize potential opportunities?

Assessing the Sufficiency of Licenses and Related Compliance Infrastructure

Fintechs do not operate completely outside of regulation. Their activities may implicate a number of licensing requirements. For example, a fintech engaging in consumer lending may need state-level consumer financing and other licenses (e.g., debt arranging, servicing, collection) depending on the full range of activities. Similarly, a payments-related fintech may require various state licenses for money transmission or money services business activities (e.g., remittances, currency exchange, check cashing).

Apart from licenses, fintechs also need to have a compliance infrastructure that is commensurate with the firm’s scope and complexity of activities and its overall risk profile.

Here are some questions that boards can ask:

Scoping the Status Quo

  • For existing activities, do we have the licenses we need to conduct the business?
  • What analysis was conducted by management and counsel to make that determination?
  • Have prior analyses and determinations been periodically revisited and tested?
  • Is there compliance with all minimum ongoing administrative requirements (e.g., fees, reports/filings)?
  • For more substantive requirements, such as AML compliance, are the company’s compliance systems and staffing “fit for purpose,” particularly as the company has grown over time?

Facing the Future

  • For future activities, what licenses do we need, particularly for new geographic markets and product/customer segments?
  • Is the company appropriately monitoring when states create new licensing requirements? For example, several states have adopted or are considering adopting licensing requirements for “earned wage access” products that enable consumers to access their wages before their scheduled payday.
  • Does management have a robust new business approval process that incorporates legal, compliance and other risks?
  • Has legal counsel assisted in assessing licensing risks and related issues?
  • What changes to existing systems should be made for the company to obtain new licenses?
  • Do legal and compliance/risk management functions have adequate resources?

Navigating the Scrutiny of Bank-Fintech Partnerships

The growth story of many fintechs involves traditional banks. Over the last several years, fintechs have increasingly entered into partnerships with banks to provide access to deposit accounts, payments services and lending products. Partnering with a bank enables fintechs to provide such products and services through the bank and sometimes without the need for separate licenses. For banks, particularly smaller ones, partnering with a fintech can help expand their geographic reach and increase revenue by leveraging the fintech’s technology and other expertise. These partnerships are sometimes referred to as “banking-as-a-service” (BaaS) or “embedded finance,” depending on the structure and parties involved.

Regardless of what they are called, banking regulators are ramping up scrutiny of bank-fintech partnerships. In 2024, the Federal Deposit Insurance Corporation and other federal banking regulators entered into several consent orders with banks relating to their fintech partnerships. These orders principally focus on banks’ risk management programs and compliance with applicable laws — notably AML and consumer regulatory requirements — and require comprehensive data collection and risk assessments relating to existing and future partnerships. In some cases, banks have been required to obtain regulatory approval prior to offering new products and entering into new business arrangements. The orders follow the release of guidance in 2023 by the federal banking regulators on third-party risk management.

In July 2024, the federal banking regulators released a joint statement and request for information on banks’ partnerships with third parties. The release highlighted certain “elevated risks,” including those associated with rapid growth, from BaaS arrangements. In addition, customer confusion on whether a fintech is an insured depository institution, as well as misleading statements by fintechs on deposit insurance coverage, were cited as concerns.

A central issue raised by the release is the allocation of roles and responsibilities between banks and fintechs and whether such roles are clearly defined. Fintechs should expect banks to place greater priority on contractual accountability as well as tougher diligence on fintechs’ capacity and practices relating to compliance management, customer onboarding, transaction monitoring, complaint handling and other matters.

For fintechs that use or rely on bank partnerships, here are some questions to ask:

  • How are these recent developments being evaluated by the company’s management and legal and compliance functions?
  • What are the ways in which the company’s business model could be affected? If one take-away is that increased scrutiny of BaaS arrangements will lead to more costs and obligations being shifted to fintech partners, has there been an assessment of the potential economic impact under various scenarios?
  • How is the company preparing for tougher negotiations with banks?

Managing Concentration Risks and Striving for Operational Resiliency

The intensifying scrutiny of bank-fintech partnerships raises the broader issue of concentration risks and whether fintechs are adequately assessing and mitigating these risks. For fintech boards, some questions to consider are:

  • Does the company have a plan if its existing bank partnership(s) ended?
  • Should the company diversify its bank partners?
  • Can the company “go it alone” and, if so, how?

Apart from bank-fintech partnerships, fintechs often rely on other counterparties to function, including technology and other critical service providers. For fintech boards, some fundamental questions are:

  • Would the company’s operations be sufficiently resilient if certain services were disrupted or terminated?
  • What is being done to assess and mitigate the risk of certain services being temporarily or permanently unavailable or unreliable?

The global IT outage on July 19, 2024, relating to a software update from CrowdStrike, a firm with widely used cybersecurity products, put these questions in sharp relief. Boards should ensure that contingency planning is prioritized and that plans are regularly tested to identify and address deficiencies.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
