As banks navigate the rapidly evolving world of fintech partnerships, questions of strategy, compliance and risk loom large. To shed light on these complex relationships, Krista Shonk, SVP and senior counsel for regulatory compliance and policy at the American Bankers Association, and Brooke Ybarra, SVP of innovation and strategy at ABA, provide insights into the opportunities and challenges banks face.
This article was published in the March-April 2025 issue of ABA Risk and Compliance Magazine. Subscribe here.
What is the primary goal banks aim to achieve through fintech partnerships, and why are these relationships becoming increasingly important
Ybarra: At its core, banks are trying to serve their customers more effectively and efficiently. And in many ways, given how customer expectations are changing, that provision of service requires greater technology than banks currently have access to or are able to develop in-house.
This has led banks to pursue relationships with all sorts of service providers, of which fintechs are a key subset. Fintech partnerships enable banks to deliver financial products and services faster, expand their geographic or digital reach, and diversify their offerings. Ultimately, fintechs play a crucial role in helping many banks meet customer needs — this is the foundation of these partnerships.
Are there different types of fintechs, and are these partnerships classified in distinct ways?
Ybarra: There are a couple of ways to think about types of bank-fintech partnerships. One classification is by the banking products involved — such as payments, lending or deposits.
Another classification is based on the structure of the partnership. At one end of the spectrum, the fintech acts as a back-end service provider, with the bank remaining front and center with the customer. At the other end, the bank operates in the background, providing infrastructure while the fintech is customer-facing.
Between these two ends of the spectrum, there are many variations and models, depending on how closely the bank interacts with the end customer, whether it’s a consumer or a business.
Has regulatory scrutiny of bank-fintech partnerships evolved, and what areas are regulators focusing on? Where do you see this going under the new administration?
Shonk: We have definitely seen an uptick in enforcement-related activity involving third-party risk management and/or fintech relationships in the last 18 months. In fact, the Goodwin law firm [goodwinlaw.com] counted over 45 cease-and-desist orders issued by regulators between June 2023 and June 2024, relating to these areas.
This heightened scrutiny is driven by a few key factors. First, banks that grow rapidly can trigger regulatory concerns about how well they’re managing the growth associated with fintech partnerships. Second, the complexity of some fintech partnerships, especially when middleware providers are involved, creates challenges in defining responsibilities and determining who the customer is. Finally, regulators have noted instances where banks lacked adequate staffing or expertise to properly oversee these relationships.
In terms of enforcement, regulators are particularly focused on whether products and services involving a fintech partnership comply with Bank Secrecy Act and anti-money laundering requirements, as well as prohibitions against unfair and deceptive acts or practices [UDAP]. Banks are responsible for deploying robust controls and oversight to ensure that their fintech partners are compliant.
As for the future, regulators are likely to continue to scrutinize bank-fintech partnerships under the new administration. Despite expectations of some deregulation, this administration’s populist approach suggests a continued emphasis on consumer protection in bank-fintech arrangements. Cases like the Synapse bankruptcy, where consumers were locked out of their funds, highlight the risks that can accompany bank-fintech partnerships and the likelihood of continued regulatory vigilance.
We’re also seeing regulatory attention on cybersecurity, customer service and complaint management in these partnerships. While the pace of enforcement might not remain as intense, banks should expect regulators to continue closely monitor third-party risk management practices.
Interestingly, media outlets have reported that the FDIC is “monitoring” fintechs that partner with banks. While the details are unclear — such as which fintechs are being monitored or what this tracking entails — it signals that regulators are paying attention to fintechs working with multiple banks across the sector and are aiming to identify potential problems before they affect banks. The extent to which other agencies are engaging in similar tracking is unclear.
How might advances in artificial intelligence impact bank-fintech partnerships, and what opportunities and risks does it present for compliance and oversight?
Ybarra: AI will likely have a significant impact on bank-fintech partnerships in several ways. In terms of practical applications, AI-based solutions offer opportunities to support bank compliance and monitoring of fintech activities. For example, AI tools can scan marketing materials to identify potential UDAAP violations. The ability to leverage AI to make that type of compliance work faster and more efficient is potentially a great opportunity.
Another example I’ve seen reported recently is the use of generative AI by a bank to monitor customer complaints related to fintech interactions. As you can imagine, monitoring solutions such as these could provide valuable insights.
On the flip side, AI also introduces risks. One major concern is when fintechs use AI models that banks may not fully understand or that provide insufficient transparency and explainability about their outputs.
Banks are thinking a lot about this as it becomes challenging for them to meet regulatory requirements for explainability. In addition, the fintechs are oftentimes either unable or unwilling to share the details of their models with the bank, which makes the compliance obligation even harder to fulfill.
That said, the increased scrutiny on bank-fintech partnerships is encouraging the fintech community to better understand the regulatory obligations banks face. This greater awareness helps justify the rigorous due diligence and monitoring processes banks must implement, ensuring the safe and compliant delivery of banking products and services.
How does the use of AI in fintech partnerships intersect with fair lending risks, and what opportunities does it present for improving compliance?
Shonk: Building on Brooke’s point, banks need to understand how their fintech partners use AI and the fair lending risk that it may present. If these models are being used to make credit decisions, target customers for marketing, or similar purposes, it’s critical that they don’t create issues that could result in discriminatory outcomes that lead to a fair lending violation.
That said, AI can also play a positive role in addressing these concerns. As Brooke mentioned, AI can be used to review marketing materials, flagging language or approaches that might raise compliance issues. This flips the narrative to show how AI can help banks proactively address fair lending risks, making compliance efforts not just more efficient but also more effective.
What unique risks have emerged in bank-fintech partnerships focused on deposit generation, and how are regulators addressing these challenges?
Shonk: We have seen a number of banks partner with fintechs for the purposes of increasing their deposits. And we’ve seen unique risks emerge in these partnerships in two key areas.
First, there’s the issue of ledgering. In some partnerships, the fintech acts as the customer-facing entity, even though the bank holds the customer’s funds. Problems have arisen when account ledgering information maintained by the fintech or its middleware provider is incomplete or inadequate.
Second, there has been consumer confusion around deposit insurance, which in some cases was caused by misleading or inaccurate information provided by a fintech. While deposit insurance applies in the case of a bank failure, recent collapses of fintechs or middleware providers resulted in consumers being unable to access their funds. In this case, FDIC insurance did not apply because the partner banks remained solvent.
The FDIC has been actively addressing these issues, including by issuing new deposit insurance signage and advertising rules as well as rules regarding the misrepresentation of deposit insurance and misuse of the FDIC’s name and logo.
What factors contribute to successful bank-fintech partnerships, and how do different business models affect risk?
Ybarra: When we think about the spectrum of bank-fintech business models, the end of the spectrum where the bank is closest to the customer tends to involve less risk compared to models where the bank is more removed. There are successful examples on both ends of this spectrum, but many banks are most comfortable performing traditional banking functions, which keeps them front and center with the customer.
In addition, in direct partnership models, the bank works directly with the fintech without relying on middleware or other intermediaries. This setup often simplifies the relationship and mitigates risk.
Shonk Another important risk mitigation strategy is sharing and learning from leading practices. Regulators play a key role here, and last July’s interagency Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services is an excellent resource. It catalogs risk mitigation strategies observed by regulators, particularly in deposit-focused fintech partnerships. Banks interested in leveraging fintech partnerships for deposit products should review this document as a helpful starting point. [See occ.treas.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf.]
Are you seeing a shift in how banks are approaching partnerships after what happened with the Synapse failure?
Ybarra: Yes, we’ve seen a couple of key shifts. First, some banks have exited the space entirely, deciding not to pursue or continue bank-fintech partnerships.
Second, there’s been a noticeable move toward those more direct partnership models we discussed. More and more, banks are viewing fintechs as digital branches or customer acquisition channels rather than as partners using the bank’s infrastructure to independently acquire customers and deposits.
How are you seeing a shift in how banks are approaching these relationships given the heightened regulatory scrutiny?
Shonk: here is a sense in the industry that regulators view some bank-fintech partnerships as risky, even though they publicly support innovation and acknowledge the need for banks to modernize. Based on conversations with examiners, some of our members believe that regulators are approaching these relationships with heightened scrutiny and skepticism.
This has led some banks — especially those in the exploratory phase — to reassess whether to move forward with a fintech partnership. They’re asking, “Is the regulatory scrutiny worth it? What are we really going to gain from this partnership?” Their conclusions will vary from bank to bank. The type of partnership and the bank’s long-term goals will play a role in determining how a bank decides to proceed.
For some banks, these partnerships are a key business line, and they have invested in the requisite infrastructure and expertise and are prepared to handle the higher level of regulatory attention. However, other banks have determined not to pursue the relationship in the current regulatory environment.
While this is some of the fallout we’ve seen, it’s important not to view these partnerships entirely negatively. Ultimately, regulators will ask a lot of questions about how the bank manages fintech relationships. Some banks may be comfortable with that, while others may determine that they need to strengthen their procedures and controls before moving forward.
What should banks consider when entering fintech partnerships, particularly in terms of upfront investment and potential regulatory impacts, like CRA ratings?
Shonk: Banks should not view fintech partnerships as plug-and-play. Regardless of the promises a fintech makes, these relationships require significant upfront investment. Banks need staff with the expertise to manage these partnerships hands-on. Insufficient management and oversight has been a deficiency that regulators have highlighted in multiple enforcement actions.
In addition, banks need to have a clear understanding of the upfront investments that will be required, such as staffing, legal expertise, technology and consultants. Community banks, in particular, should have realistic expectations about the value proposition and timeline for profitability.
There’s also a sleeper issue in this space related to regulatory compliance. Specifically, we’ve seen instances where a fintech partner engaged in UDAP activity, and the bank’s CRA rating was downgraded as a result.
These interconnected risks and downstream impacts are critical for banks to consider as they evaluate these partnerships.
What key considerations should banks keep in mind regarding data ownership, privacy, and compliance when entering into fintech partnerships?
Ybarra: Bank-fintech partnerships raise a lot of questions around data ownership, use, privacy, and access. These are key issues banks must address when drafting contracts, particularly regarding who owns what data and who is going to have access to it.
There are also various compliance obligations tied to different types of data. For example, fintechs might collect data through other products related to the bank’s customers, which adds another layer of complexity. These data-related concerns are particularly relevant now, including topics like AI, section 1033 rulemaking, customer requests for data availability, and privacy laws requiring data deletion.
While the full scope of these issues is too extensive to cover here, it’s clear that data considerations must be a critical component of any agreement between banks and fintechs.
How are banks navigating data ownership and privacy issues in fintech partnerships, and what specific challenges have emerged in contract negotiations?
Shonk: Banks of all sizes, from the largest institutions to the smallest community banks, are increasingly consulting both inside and outside counsel on privacy and data-sharing issues in their fintech partnerships.
These topics have become a heavily negotiated part of contracts with fintechs. For illustrative purposes I can give you two quick examples of data issues that have bubbled up, but there are likely thousands of these issues.
One common issue is when a fintech collects substantial information about an individual before they become a bank customer. This might include data on the customer’s browsing activity on the fintech’s website or other information about that customer. Negotiating who owns and can access that data is a critical point for banks to consider.
Another situation involves cases where both the bank and the fintech separately own the same data. These negotiations can be particularly challenging, requiring processes to clearly separate — or “wall off” — the fintech’s platform from the bank’s proprietary information.
These are just a couple of data and privacy-related matters that banks should consider when negotiating with fintech partners.
What resources or support does ABA offer to help banks navigate third-party risk management and fintech partnerships?
Shonk: Banks should join the working groups we’ve established. These are collaborative forums where banks can discuss issues related to third-party risk management.
We have a third-party risk management working group and a new fintech working group, both of which provide opportunities for peer banks to share insights and ask questions. Participation in these groups is open to all ABA members, and we encourage bankers to get involved and join our Zoom calls. There’s really nothing like talking through an issue or a question with a group of peer bankers.
Another valuable resource is ABA’s enforcement actions database. While it primarily tracks consumer compliance-related enforcement actions, we’ve recently added tracking for third-party risk management topics. Given the heightened regulatory scrutiny surrounding fintech partnerships — and the anticipation that this scrutiny will continue — I strongly encourage bankers to access this database regularly to track trends in TPRM enforcement. [See aba.com/banking-topics/compliance/enforcement-action-database.]
We also offer webinars that are designed to help banks navigate the complexities of third-party risk management and fintech relationships effectively.
ABA RESOURCES
Comment letter to OCC Board and FDIC
aba.com/advocacy/policy-analysis/letter-to-occ-board-and-fdic
Staff Analysis: Bank-Fintech RFI
aba.com/advocacy/policy-analysis/staff-analysis-bank-fintech-rfi
ABA Webinar: Navigating Third Party Risks in Banks and Fintech
aba.com/training-events/online-training/navigating-third-party-risks
ABA Resource: Fintech Policy
aba.com/advocacy/our-issues/fintech-policy
ABA Topic: Innovation and Fintech
aba.com/banking-topics/technology/innovation-fintech
ABA Discussion Group: Bank Risk Exchange
aba.com/experts-peers/discussion-groups/bank-risk-network
ABA Committee: Third-Party Risk Peer Groups
aba.com/experts-peers/committees-councils/third-party-risk-peer-groups
Interagency Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services
occ.treas.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf
ABA’s Enforcement Action Database
https://www.aba.com/banking-topics/compliance/enforcement-action-database
