The 80/20 of how to work with multiple bank sponsors.
The 80/20 principle says that 20% of your efforts targeted in the right direction manifest into 80% of your results.
- A few meaningful hours of work in the morning generate most of the value in your day.
- A few important customers or just a handful of decisions made in your product life cycle will be responsible for most of your company’s success.
- A few core exercises generate most of your muscle gains.
And so too, with fintech compliance, some targeted efforts in the right direction may dictate most of the success or failure of your program.
Becoming bank sponsor agnostic
If you work with a bank sponsor, the idea of working with more than one — or even switching to another — might seem like an absurd notion.
But, the idea of bank sponsor “shopping” is becoming more prevalent for a few reasons:
- A single bank sponsor is a single point of failure. As we discussed in the “In a fintech-bank partnership, who is in charge?” post a few weeks ago, while investors are often willing to move past this risk, the question still comes up. If the bank sponsor decides to pull the plug, your product temporarily shuts down — plain and simple.
Now, you might protest and say “But we have a signed contract, my bank can’t just walk away!”
If you turn to the termination section of your agreement, you’ll see that the bank has more outs than a <insert your favorite sports analogy>.
Some common examples:
- The bank can terminate if there’s some undefined regulatory reason why the bank needs to terminate
- The bank can terminate if the fintech has a compliance failure as determined in the sole discretion of the bank
- The bank can terminate if the bank decided it has to terminate
You get the point.
- Not all bank sponsors are equal. While the bank sponsor market has been around for closer to two decades now (see: WebBank-Lending Club history here), it is still young and evolving. And that means there’s very little industry standard or template for a partnership. Each bank has its own personality when it comes to the use of technology, compliance requirements, risk appetite, and its willingness to cater to your desire to push the innovation envelope. You might get into a bank partnership that seemed promising at the dating stage only to have buyer’s remorse a year into the relationship.
- Becoming balance sheet lite: Working with multiple bank partners allows you to open up the floodgates more easily. A single bank might have limits on how many loans it can issue, for example, and so you may need to take on the load of some of those financial products on your balance sheet (through risk sharing or buying back loans). But if you are a product funneling customers to multiple bank partners then you have more leverage to push the financial products to your bank, and do what you do best: play the technology game.
Building an out-of-box compliance program.
To work with more than one bank sponsor, or at least be able to seamlessly move from one bank to another, you need to be able to build a robust but uniform compliance program that will work with any bank. And this is where targeted efforts will help you out.
Why?
The requirements of a full-fledged compliance program, if you listen to regulatory guidance, are iterative and endless, and keeping up with all of them might be all but impossible for a start-up.
They include:
- Have an AML program where you monitor every single transaction for suspicious activity
(you rightfully ask — what do you mean by “suspicious”?)
- Have a compliance risk assessment for everything you do
(do I get to decide what is high risk or do my bank partners?)
- Do diligence on each vendor you onboard and then oversee all their activities
(I’m barely just getting a hold of my own activities, you say)
- Record and monitor every single customer interaction and respond to all customer complaints
(what is “complaint” anyway? And why entertain the haters?)
- State only substantiated facts in your marketing materials
(so I shouldn’t be marketing in my marketing?)
- Keep customer PII — even email addresses — encrypted in transit and at rest
(I’m not sure where my PII even sits)
- Oh, and keep tabs on all 50 states because they all have different rules for each of the above.
(Sure, why not)
In the coming posts, we’ll cover each of these areas in more detail but, in this post, we wanted to give you a snapshot of where you might want to focus your efforts if you are, like most start-ups, limited in resources — in other words, how to play the 80/20.
AML/KYC matters.
Most banks have dedicated AML/BSA officers, if not entire departments, so you can bet that this will be an area of scrutiny. This is also an area in which some banks have received consent orders in the recent past, and some larger fintechs have received some hefty fines for AML failures.
Why is this such a hot area?
AML/BSA deals with money laundering as we discussed here. It’s not just about your cool idea anymore, it’s about fighting foreign adversaries, complying with international sanctions, and preventing terrorism. Serious stuff.
- Your AML policy. Having one is table stakes but it’s worth getting a compliance expert to review it so you’re not over- or under-committing. An AML policy can be 3 pages or 30 pages depending on your product. At some point, you’ll have to answer to everything that’s in your policy. Don’t make the mistake of just getting one off the shelf and changing the name at the top.
- OFAC screening. This involves reviewing every single customer — whether an individual or a business and its owners (for more on business diligence, see KYB 101) — against the U.S. Department of Treasury sanctions lists. The list is public and you can manually review against the list. Should you do it manually? No. It’s just not worth the risk. Accidentally onboarding a customer on the OFAC sanctions list is low probability but fatal impact. Just get a reputable vendor who can give you a “yes” or “no” on each customer.
- Transaction monitoring. This is an area that is getting more scrutiny and it involves looking for suspicious activity on your transactions. This is an art and a science and it’s better to invest in integrating with a vendor early on who specializes in TM. And then, you should take the time to tailor rules to your business. TM is all about understanding the risk profile of your products and customer behavior.
Marketing is public.
Yes, an obvious statement, but it deserves repeating. Your marketing materials are the microphone of your organization. Guess who might be in the audience listening? Regulators and savvy plaintiffs’ lawyers who are looking for foot faults. Marketing compliance comes down to using very precise word choice and proper disclosures.
- Pre-package approved marketing collateral. Spend a few days a month or quarter coming up with your marketing collateral and all potential variations of your paid ads. Get your most cynical lawyer friend to review it and look for ways it could be misinterpreted. Call that your “pre-approved” collateral and try not to deviate too much.
- Website review. Spend the money to have your website nitpicked by a fintech lawyer. It will be the first place a regulator lands.
- Be transparent. Does your product have fees? Don’t market “no hidden fees”. Are you doing a promotion for just the first 100 customers? Make sure you disclose that this is a limited time offer and tell them when it expires.
- Avoid superlatives. Don’t say “best in the industry” or “the only product to do X” or “100% guarantee”. Chances are there’s an exception somewhere and it only takes one to prove you are making a false claim. Many start-ups have gotten regulatory fines for putting on their website what might seem like very normal marketing language.
Customers are your product’s reputation
Besides marketing, the most common trap for fintechs is an unhappy customer whose complaint gets ignored or mishandled and who, in a fit of rising blood pressure, puts in a complaint with the Better Business Bureau, or worse, on the CFPB complaints website. Now you have a regulator on a slow Friday afternoon poking around on your website (see above).
Invest early in a complaints handling process. This means:
- Figure out your multi-channel approach to customer interaction. Will you be picking up phone calls? Answering emails only? Do you have a script for every team member who interacts with a customer? Are you monitoring social media for your name?
- Have a system. Some complaints should be escalated, some should be systematically handled. Define for yourself what is a “complaint”. What may seem like just a grumpy customer is probably a complaint under the regulatory definition and needs to be monitored. Have a way to categorize complaints based on severity and issue.
- Identify trends. Patterns tell you not only what might be a red flag for regulators but also which areas of your product you need to play a little defense on and address first, before you build new features.
Product.
Ah yes, why you’re in business in the first place. Each bank partner is going to have opinions on your user flow. Some will want a checkbox here and not there, others will want you to break out your Patriot Act disclosure in a separate link, and others won’t let you get away with having your E-Sign consent embedded in your terms.
You want as much uniformity in your product as possible among different bank partners but you also won’t win every battle.
As you move from one bank partner to another, it’s helpful to have an ally on the business side of each bank partner who can vet for you, internally on their side, what battles they’re willing to give on, and which ones are absolute must-haves.
Areas that are more fact specific.
Fair lending. This means don’t discriminate based on a protected class. Sounds easy enough, of course, but most discrimination is unintentional. Here’s where you want to pay attention:
- Targeted marketing. This is tricky in fintech. We’ll cover this in an upcoming post but generally you can’t do targeted marketing based on a protected class, which includes age and gender.
- Underwriting. Using something other than FICO or financial metrics? If it seems innovative, it’s likely a proxy for a protected class and worth a gut check with a lawyer.
- Steering. When talking to customers, have scripts so you’re not unintentionally steering people to or away from your product. And better to have pre-vetted FAQs on your website rather than wing it on every conversation.
Vendor management.
- Define what is a “critical” or “non-critical” vendor. For your critical vendors, have a worksheet and diligence request list that you send. Buffer in time for diligence before you sign any vendor.
- Monitoring. You’re supposed to monitor the activities of your critical vendors but, candidly, who has the resources to be monitoring all those vendors (aside from reviewing SOC2 and other audit reports, at best)? A once-a-year refresh on your diligence should do the trick.
There’s much more that goes into the operations of a bank partnership but hopefully this gives you a flavor of some of what is important. We’ll cover these in more detail in future posts. In an upcoming post, we’ll also cover what to do about all those pesky state variant rules and whether you should be going out and getting a ton of state licenses as you’re just starting out.
**************************
While we hope you found this post helpful, please note that the information in this post is not intended to be legal, regulatory, or relationship advice.
Fintech Law and Compliance 101 is affiliated with https://www.itsaffinity.com/, a compliance learning management platform built specifically for banks and fintechs.