Bank-Fintech Contracts Must Incorporate BSA, Regulators Warn

Colby Adams
Managing Editor

Banks must sharpen their contracts with fintechs to clearly establish which of them will vet the “end users” of the latter’s products and services, screen their transactions and flag any that appear illicit to the U.S. Treasury Department, a panel of federal regulators said Monday.

The past two years have seen several smaller U.S. banks, such as Blue Ridge Bank of Richmond, Virginia, Kentucky-based First & Peoples Bank & Trust, and Choice Financial in Fargo, North Dakota, tagged with a series of consent orders for partnering with fintechs before having fully apprised themselves of the nature of their business and vulnerability to illicit finance.

Some of the fintechs in question used their new partnerships to offer banking-like services of their own to hundreds, if not thousands, of customers without vetting them for anti-money laundering purposes, leaving their banks on the hook for any infractions that followed.

Imprecise contracts between banks and fintechs sometimes give rise to violations of the Bank Secrecy Act, Koko Ives, a BSA and AML policy manager at the Federal Reserve Board, said Monday at The Assembly Fintech & Crypto in Austin, Texas.

Ives, who did not comment on a specific regulatory action during her remarks or reference a particular institution by name, said banks must establish clear lines of responsibility for BSA and AML compliance at the onset of their relationships with fintechs, which often differ from one another in terms of the type of risk they present.

“The contractual provisions that will determine how information is shared—the precision of those contractual arrangements are very important,” Ives said, adding that in certain cases, banks have sought to reduce complexity by wording their contracts in such a way as to categorize the “end users” of a fintech’s products and services as their own customers for due-diligence purposes.

Such third-party relationships have also drawn scrutiny from the Office of the Comptroller of the Currency, which, together with the Federal Reserve and Federal Deposit Insurance Corp., issued guidance in June 2023 on managing the risks they present.

“For the OCC, where we’re seeing breakdowns in these relationships is during contract negotiations, where roles and responsibilities aren’t defined,” Eric Ellis, a BSA and AML policy director at the OCC, told attendees of the ACAMS-hosted conference. “You [also] need to make sure your contract has an exit strategy.”

U.S. regulators have long held that banks must obtain the names, addresses and tax identification numbers not only of their direct clients, but also of any parties they serve indirectly by virtue of those relationships.

“What we’re really seeing is a lot of growth with our community banking organizations,” Ives said Monday. “They’ve been doubling in asset size and customer base, which has caused some problems.”

Their rapid growth and expansion into “complex, technology-driven relationships” also sometimes outpaces the expertise and experience of their own compliance officers, leaving them no longer qualified for their roles, said Ives.

Contact Colby Adams at

Topics : Fintech , Anti-money laundering
Source: U.S.: FDIC , U.S.: Federal Reserve Board , U.S.: OCC
Document Date: June 10, 2024