News

U.S. regulators warned banks Monday that they expect them to not only vet the prepaid card providers, banking-as-a-service providers and any other third-party providers they directly serve, but also identify any customers they indirectly serve because of those relationships.

As part of their customer identification programs, or CIPs, banks must already collect the names, addresses and tax identification numbers from clients when onboarding them, an obligation that the Federal Deposit Insurance Corp. took pains to “reemphasize” in guidance on March 28. The same obligations apply when banks engage with clients through intermediaries.

Smaller banks that partner with third parties to reach more clients and secure new streams of revenue can undermine their CIPs if they fail to assess and manage the financial crime-related risks they present, Lisa Arquette, a senior regulator with the FDIC, told attendees of The Assembly Hollywood in Florida.

“In many instances the unregulated third parties have streamlined their [customer-onboarding] approach and … are not in compliance with regulatory requirements,” Arquette said.

Arquette voiced the FDIC’s concerns over third-party risk shortly after her agency ordered Sutton Bank of Atticah, Ohio, to “compile a complete inventory of third-party relationships” and ensure that the lender’s “prepaid third-party program managers” begin collecting the full names of customers when onboarding them.

The FDIC did not identify Sutton’s Bank’s third-party partners by name, but the lender is known to issue prepaid cards on behalf of Cash App.

In February, two former employees of Cash App alleged in complaints to the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, and Securities and Exchange Commission, or SEC, that the platform’s customer-verification methods do not protect against money laundering and terrorist financing.

Cash App partners with several banks to provide “banking as a service,” or BaaS, to its own, direct clients, but Sutton, which counts nine branches, all in Ohio, is the only lender that issues its prepaid cards. Tiny, one-branch Lincoln Savings Bank in Iowa meanwhile handles deposits for loading and reloading those cards with funds.

“We know that large banks generally do not partner with fintechs,” Constantine Lizas, former lead counsel for the FDIC, told ACAMS moneylaundering.com prior to the industry conference in Florida. “On some level, this is probably because large banks are competitors with fintechs. Also, fintechs likely have more leverage in their relationships with smaller banks.”

Clients seeking prepaid cards from Cash App need only supply a name, zip code and email address or phone number, a relative dearth of information that does not appear to meet the federal government’s minimum requirements vis-a-vis customer identification.

“Banks will be 100 percent responsible for any customers they bank, regardless of who brought them into the bank,” said Robert Pasley, former assistant director of enforcement and compliance with the OCC. “It’s nice to have somebody beat the bushes and find customers on your behalf, but you may end up paying if that service … wasn’t done properly.”

Pursuant to its consent order with the FDIC, Sutton Bank must perform a “CIP lookback review” of all customers onboarded through the lender’s third-party relationships since July 2020 to ensure it knows their true identities.

Sutton and Cash App did not respond to requests for comment.

Piermont

Piermont Bank, a small lender in Manhattan that describes itself on its website as a “hybrid bank” that “blends the best of banking and agile fintechs,” also drew censure from the FDIC this year for third party-related due-diligence failures.

A 35-page consent order dated Feb. 27 directs Piermont Bank to ensure it can accurately identify all new and existing customers, including those associated with third-party relationships, it “has reason to believe pose a heightened risk” of illicit finance.

The consent order further requires Piermont, which did not respond to a request for comment, to review all transactions conducted since Sept. 30, 2022, for indications of financial crime.

Prior to tagging Piermont and Sutton with consent orders, the FDIC targeted Choice Financial Group of Fargo, North Dakota, First & Peoples Bank & Trust of Russell, Kentucky and Blue Ridge Bank, of Richmond, Virginia, with enforcement actions in December for failing to manage the risks posed by their third-party partners.

Piermont and Blue Ridge at times used the same banking software platform, Unit, to partner with fintechs.

Third-party relationships have also drawn state-level scrutiny.

In October, New York’s Department of Financial Services fined Metropolitan Community Bank, or MCB, $15 million for indirectly enabling fraudsters to steal $300 million in direct-deposit payroll and COVID-19 assistance by handling transactions for MovoCash, a prepaid-card provider.

Three months before MCB incurred the fine in New York, the FDIC, OCC and Federal Reserve warned banks in jointly issued guidance that third-party relationships in no way “diminish or remove” their obligations to comply with laws and regulations against financial crime.

“Even if there’s not a direct customer relationship with the originator of the transaction … there’s still a responsibility there,” Suzanne Williams, deputy associate director of the Federal Reserve Board, told attendees of the conference in Florida on Monday. “What might make it more difficult for banks … is that they don’t have a direct interaction with the ultimate customer.”

Contact Chelsea Carrick at ccarrick@acams.org