Lineage Bank - Lessons for Banks of all Stripes by Stephen Curry

On February 23rd, the Federal Deposit Insurance Corporation (FDIC) announced a consent order with Tennessee-based Lineage Bank regarding its third-party risk management program and financial technology (fintech) partners. This order underscores the regulatory attention on banking-as-a-service (BaaS) banks and fintech clients, signaling concerns about potential risks in the financial system.

In the past decade, significant advancements have occurred in payments technology, with ACH payment rails serving as a cornerstone of modernization. Despite the convenience these financial apps and technologies offer consumers, they pose unseen risks in transactions and financial flows. Regulators are acutely aware of these risks due to findings in their examinations of banks during the last nine months and are now taking steps to address vulnerabilities. In an era of increased regulatory ferocity, banks need to pay close attention to these developments. I anticipate that dozens of banks will be getting orders on these topics in the coming months.

Based on what we have seen in our practice, fintechs and their technology vendors often lack the robust controls and effective risk management practices that have been developed in the banking industry. Banks have tended to underestimate these risk factors when assessing fintech relationships, often leading to unrealistic expectations of their operational resilience. Some fintechs also experience volatile funding, have opaque operations, or carry excessive leverage. In some cases, while a fintech may have risk management in place, the underlying data management discipline is deficient, rendering risk management ineffective. Irrespective of the maturity of risk management in a fintech, the sponsoring bank retains the second-line oversight responsibilities. In some cases, banks lack the resources to provide appropriate oversight of the risk management activities supposedly performed by fintechs.

This Consent Order serves as a reminder for banks to approach third-party risk assessments with the same diligence applied to typical credit risk evaluations. Another significant concern with non-banks is their ability to meet customer redemptions promptly. Whether dealing with fintechs, money market funds, or hedge funds, the rapid movement of money can present challenges. Few non-bank financial institutions maintain adequate liquidity during peak flow requirements. Liquidity problems can quickly escalate during market stress, as witnessed in the FTX, Signature Bank and SVB collapses, and banks and fintechs without the appropriate controls and resources can find themselves stranded.

To address these issues, banks should weigh several diligence considerations when assessing fintechs and vendors:

1. Assess Key Control Roles: Evaluate the qualifications and experience of key personnel. Monitor for departures and turnover.

2. Board-Level Control: Ensure appropriate oversight and control procedures at the Board level.

3. Cash Flow and Funding Plans: Analyze cash flow requirements and funding to finance operations.

4. Risk Management Framework: Review risk management practices and review complaints, especially in areas that contributed to past incidents.

5. Segregation of Funds: Ensure proper segregation of customer funds from company funds, and verify appropriate internal controls.

6. Cash Management Processes: Scrutinize cash management processes for transparency and control. Request copies of internal and external audits.

7. ACH & Wire Transfer: Take nothing for granted; ensure the Bank maintains controls and close oversight over all payments processing.

8. Liquidity Management: Assess liquidity management practices and identify vulnerabilities.

9. Information Security: Review data handling practices for security and compliance, as well as data quality and accuracy. Banks must have visibility into customer and transaction data to comply with BSA requirements.

10. Technology Performance Tracking: Evaluate technology performance and related contingency plans.

11. Proof of Reserves and Liabilities: Require evidence of reserves and liabilities through audits.

12. Regulatory Compliance: Ensure compliance with relevant regulations and industry standards. Validate and test customer verification procedures as well as ongoing customer and transaction sanctions screening.

13. Legal Agreements: Establish clear service level requirements, periodic representations and warranties, and termination rights.

Internally, banks should involve the board in third-party risk management, maintain robust policies and controls for ACH & wire transfers, closely monitor performance, develop exit strategies, conduct stress tests, validate risk management processes, diversify relationships, establish security operations centers, and implement incident response escalation processes. That's a lot, perhaps by design. It will become increasingly difficult for BaaS to be a small side business for banks. The cost of building the appropriate risk and compliance oversight will likely drive mergers between BaaS banks, and lead to further consolidation in the fintech arena. Smaller fintechs which cannot absorb these costs are likely to go out of business in 2024.

In conclusion, as fintechs continue to reshape the financial landscape, regulators are bringing intense scrutiny to ensure banks recognize and manage the associated risks diligently. It's essential for banks to treat these partnerships with the same level of scrutiny applied to credit risks, ensuring effective risk mitigation and regulatory compliance.
