FDIC consent order with Cross River Bank indicates increased scrutiny of bank-fintech partnerships

The FDIC recently announced that it has entered into a consent order with Cross River Bank (CRB or the Bank) to resolve FDIC allegations that the bank engaged in unsafe or unsound practices related to its fair lending compliance. (The consent order was issued in March 2023 but not made public until late last month.) Because the bank is a “bank as a service provider” that makes loans through a number of partnerships with fintech companies, the consent order is widely considered a warning to others banks that their bank-fintech partnerships are likely to face increased scrutiny from regulators. Additionally, while focused on fair lending compliance, many of the requirements imposed on the bank in the consent order are likely to be indicative of FDIC expectations of how banks should address other consumer protection risks associated with bank-fintech partnerships.

Key provisions in the consent order require the bank to:

  • Provide the FDIC with a list of each product currently offered for credit by, through or in connection with the bank (CRB credit product) and identify any entity other than the bank that currently offers a CRB credit product (third party) and the CRB credit products it offers. (“Credit” has the meaning of such term in rule B.)
  • Obtain the FDIC’s written non-objection before making a binding commitment or agreement with a new third party, allowing a new third party to offer a credit product through or in connection with the Bank or offer a new CRB credit product, either directly or indirectly. (A “New Third Party” and a “New CRB Credit Product” are respectively a Third Party and a CRB Credit Product that are not on the list of the current list of Third Party and CRB Credit Products.)
  • Engaging an independent third party acceptable to the FDIC to assess whether the Bank’s information relating to each CRB credit product, third party and CRB credit model appropriately allows the Bank to determine and monitor such CRB credit products, third parties and CRB credit. Models comply with current laws and regulations for fair lending. (“Information” is defined to mean data, documents, records and any other information in any medium or form. “CRB Credit Model” is defined to mean any model or system, including variables or weightings, used or based on in connection with with a CRB credit product.) The independent third party must also assess whether the bank’s information systems enable the bank to access, collect and analyze the information necessary to monitor, in a timely manner, each CRB credit product, each third party, and any CRB credit models and ensure that each such CRB credit product is offered, and each third party and CRB credit model operates, in compliance with applicable fair lending laws and regulations. (“Information Systems” is defined to mean the networks, systems, devices, software, hardware and other information resources, tools, mechanisms and/or countervailing controls used by the Bank to collect, process, maintain, use, share, disseminate, or dispose of information relating to a CRB credit product, a third party or CRB credit model.)
  • Conduct a risk assessment of all CRB credit products and third parties on applicable lists to identify fair lending risks, including any risk associated with an “application” or “credit transaction” as defined in Regulation B, carried out by, through or in connection with with the Bank, and engage an independent third party acceptable to the FDIC to conduct a fairness study of lending resources. The study must assess (i) the bank’s size and growth plans; (ii) the current and expected number of CRB credit products and respective volumes, third parties and merchants offering one or more CRB credit products through or in connection with a third party; (iii) the volume of decisions taken by the Bank or on behalf of the Bank by a third party in connection with an application, including credit guarantee practices, a CRB credit transaction or any CRB decisions; and (iv) the Bank’s use of non-employee resources, including software, automated systems and other technology. (“CRB Decisions” are decisions made in connection with the marketing of a CRB Credit Product, including the terms and conditions described in the marketing of a CRB Credit Product.) The independent third party report must identify any need for non-employee fair lending resources. and improvements recommended to ensure fair lending compliance, identify the type and number of managers needed to supervise bank personnel responsible for fair lending compliance, and identify the type and number of bank personnel positions needed for compliance with the consent order and fair lending compliance.
  • Develop fair lending internal controls that must be reviewed periodically on a risk basis but no less than annually and adjusted as appropriate. The controls must include fair lending policies and procedures designed to (i) address and mitigate any risks identified in the fair lending assessment, (ii) require appropriate oversight and monitoring of all decisions made in connection with the marketing of a CRB credit product, including the terms and conditions described in the marketing of a CRB credit product, (iii) ensure fair lending compliance, and identify statistically significant differences involving a prohibited basis (as defined in Rule B). The policies and procedures must determine whether disparities are the result of actions or practices inconsistent with fair lending laws and regulations, and determine appropriate corrective or remedial actions and mitigation measures to prevent recurrence. The controls must also ensure fair lending training for board members and managers and personnel with roles and responsibilities relating to CRB credit products and must ensure satisfactory monitoring of CRB decisions, credit products and third parties for fair lending compliance. The consent order lists detailed minimum requirements for training and monitoring.
  • Engage an independent third party acceptable to the FDIC to assess fair lending compliance for each third party that offers a CRB credit product for a period of six months or more during a specified time frame. The bank must develop a written plan to address any recommendations in the independent third party’s report regarding actions to be taken where a third party does not comply with fair lending laws and regulations.
  • Develop policies and procedures to conduct periodic, but no less than annual, reviews of whether each third party offering CRB credit products for a period of more than six months during a calendar year prior to the review offered the products in compliance with fair lending laws and regulations. The bank must also develop internal controls for third-party compliance that include policies and procedures designed to ensure fair compliance with third-party lending. The detailed minimum requirements for such policies and procedures are set out in the Consent Order and include due diligence requirements for new third parties and new CRB credit products.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *