March 01, 2021

Fintech Guide to Bank Partnerships: A Practical and Legal Roadmap

17 min

Over the past decade, financial technology has revolutionized how financial services are provided to consumers and businesses. Every day, new fintech companies (“fintechs”) are launched, offering a range of innovative financial services, including in areas such as banking, payments, lending, and personal finance. While the competitive landscape is diverse and evolving, the regulatory framework remains a challenge for any startup looking to offer financial services. In the United States, financial services are subject to federal and state regulation, and determining compliance requirements on a state-by-state basis, together with obtaining state and territorial licenses to provide such services, presents a significant hurdle in getting to market.

Many fintechs have looked to partner with insured depository institutions such as banks and credit unions (collectively “banks”) as a way to offer a uniform service on a nationwide basis, while mitigating the burden of complying with more than fifty different legal regimes. These partnerships sit at the heart of various cutting-edge fintech products and services, and will continue to drive the industry in the absence of a federal nondepository fintech charter preempting certain state laws, including state licensing laws. While the Office of the Comptroller of the Currency has proposed such a charter, it is controversial and its progress has stalled. Partnering with a bank or banking-as-a-service (BaaS) service provider will remain a viable and attractive near-term solution for fintechs looking to get up and running.

The benefit of partnering with a bank is that it may exempt the fintech from certain state usury, money transmission, and other regulatory and licensing requirements, while also permitting the fintech to focus on customer acquisition, user experience, and technology-assisted transactions. The tradeoff for the fintech comes in the form of the bank partner requiring the fintech to comply with various compliance and risk management practices, including requirements applicable to the bank that would not otherwise be applicable to the fintech. In addition, depending on the relationship, the fintech may also be responsible on a day-to-day basis for compliance with legal and regulatory requirements applicable to the financial products and services provided through the partnership.

In this white paper we provide a roadmap of the legal, regulatory, and transactional steps needed to develop and offer financial services through a bank partnership model, with a particular focus on lending, payments, and BaaS. In our experience counseling fintechs (and financial institutions), we have learned that setting up bank partnerships requires careful planning to ensure each of the parties is able to capture the potential regulatory and business benefits of the arrangement. In particular, negotiating and executing the agreement governing the relationship is critical, as it provides the foundation for launching a successful business, and sets expectations and rights governing legal and regulatory compliance, revenue and expenses, control of customer relationships, ownership of program data and IP, among other issues.

Overview of Fintech-Bank Partnership Considerations

Financial technology enables a wide variety of financial services, each of which is subject to a host of federal and state laws and regulations. Putting this all together into an effective partnership can be challenging. Below, we provide a guide for fintechs as they consider bank partnerships generally, as well as considerations specific to particular types of financial services.

General Considerations

While various types of financial services will be subject to specific laws and operations requirements, a fintech seeking a successful bank partnership for any type of service will need to address the considerations outlined below.

Developing a Business Plan. The first step in the offering of any new financial service is the development of an initial business plan that addresses the operational, transactional, legal, and regulatory steps necessary to launch the proposed service. This would include, for example, identifying any potentially applicable legal and regulatory compliance requirements, such as state-by-state licensing and consumer financial protection and other requirements relevant to the activities. It is important to remember that even under a bank partnership model, certain states may require loan brokers, lead generators, loan servicers, and debt buyers to be licensed.

Developing and Implementing a Compliance Management System. Separate from, but related to, negotiation of the bank partnership agreement, the fintech will need to develop and implement a compliance management system (CMS)—a comprehensive and integrated compliance program comprising written documents, functions, processes, controls, and tools to help the fintech comply with legal requirements and minimize consumer harm resulting from violations of law. This will include policies and procedures to ensure that the proposed financial services are provided in compliance with applicable federal and state laws. In fact, most bank partners will require that policies and procedures be in place before (or in connection with) executing your bank partnership agreement. The types of policies that are needed will depend on the nature of the services, but may include (a) an overall compliance management policy; (b) product-specific policies, including for loan origination and servicing, payments, etc.; (c) customer forms, disclosures, and receipts; (d) advertising and marketing; (e) privacy policy; (f) fair lending policy; (g) information and data security policy; (h) recordkeeping policy; (i) anti–money laundering policy; (j) vendor management policy; (k) audit policy; and (l) employee training policy. Below we further explore the laws, regulations, and other requirements that typically apply to different types of bank partnerships.

Preparing to Partner. Once the business plan has been developed, a fintech seeking to partner with a bank should first identify its partnership goals. What does it want from the partnership? Does the fintech want to own the customer relationship and/or the data? Does the fintech expect to diversify its business to include additional products and services in the future? It helps to be clear on these points at the outset. Prepare for due diligence. Not only should the fintech perform diligence on the potential bank partner, but it should also prepare for the bank to perform significant diligence on its business, operations, and products and services. All of this allows you to have more control over the direction of the partnership.

Finding and Selecting a Partner. The key to success in any partnership is finding the right partner. When it comes to fintech-bank partnerships, that means finding a bank that has the experience, resources, knowledge, and flexibility to help a fintech build and grow its products and services. If looking to incorporate payments into its core services, a fintech will need an acquiring bank or other acquiring partner that can help register it as a payment facilitator and provide processing and settlement functions through the card networks. Similarly, a fintech active in the small business credit industry may want to work with a bank partner with existing commercial credit programs and experience with small businesses. Once a bank with the right experience has been identified, it’s important to assess the bank’s pricing and ability to scale and help the fintech grow its business.

Structuring the Partnership to Comply with State and Federal Financial Services Law. Just as there are various types of fintechs, there are numerous federal and state laws that apply to fintech products and services. The fintech and bank will need to work together to design and implement banking, lending, and payment services that comply with applicable legal and regulatory requirements. In addition, when fintechs work closely with banks and other regulated financial services providers, they are often contractually obligated to comply with their bank partner’s regulatory requirements.

Negotiating the Bank Partnership Agreement. Once a bank partner is selected, the two sides will need to negotiate and execute a bank partnership agreement. Third-party banking relationships may be subject to the Bank Service Company Act, and, as a result, the fintech partner would be subject to the laws and regulations applicable to the bank and subject to supervision and examination by the bank’s federal regulator. In addition, banks are subject to and have in place third-party risk management programs. Thus the contractual agreement with the bank partner will need to cover such topics as due diligence, control and approval of the proposed banking and lending activities, approval of the CMS, ownership of consumer data, data privacy, and monitoring and routine audit of the activities performed in connection with the bank partnership. The negotiation will typically involve, among other considerations, drafting an MOU/term sheet and definitive agreement, tailoring the agreement to the contemplated activities, and appropriately balancing terms related to use of IP and subcontractors, representations and warranties, indemnification, term and termination, ownership of consumer data, migration of consumer relationships post-termination, and handling of consumer complaints. Banks with existing partnership programs will have a standard agreement, and certain risk tolerances that they will know conform to their regulator’s expectations.

Drafting Consumer-Facing Agreements and Disclosures, Web Portals and Apps, and Advertising and Marketing. When drafting consumer-facing agreements and disclosures for online and app use; reviewing web portals and apps for implementation and compliance with program policies; reviewing advertising and marketing materials; and advising on related contract negotiations and vendor oversight with service providers, including affiliate marketing and lead generators, lenders and digital banking service providers must comply with several federal and state consumer protection laws.

Negotiating Service Provider Agreements (Processor, Mobile Application, etc.). In many cases, a fintech will need to work with other service providers in addition to its bank partner to provide its proposed financial services. This might include, for example, executing contracts with service providers to assist with BSA/AML screening, collection services, and call center support. It is important that these relationships be established within the framework of the bank partnership model, and executed in a way that is consistent with federal and state regulatory requirements and expectations. In some cases, the bank partner may have preferred service providers that have already been approved or that have previously met its diligence requirements.

Considerations for Specific Bank Partnership Types

Notwithstanding the general considerations outlined above, each bank partnership has certain unique characteristics and requirements. In particular, the relationship should be tailored for the types of services being offered through the partnership. We provide below a discussion of certain specific considerations relevant to bank partnerships involving lending, payments, and BaaS services.

Lending

Under the bank partner lending model, the fintech typically acts as a service provider to the bank by developing the software platform through which potential borrowers apply for credit, supporting and streamlining the bank's underwriting process, or enabling electronic delivery of disclosures and credit agreements. Although the loans in these partnerships are made by the bank, the fintech often contracts to purchase and take assignment of the loans once originated or to purchase an interest in payments made on the loans.

Compliance Requirements. A fintech active in the lending space through a partnership with a bank should develop a CMS that includes, among other components, policies and procedures for compliance with the relevant requirements of the following laws:

Federal

  • Consumer Financial Protection Act
  • Section 5 of the Federal Trade Commission Act
  • Truth in Lending Act
  • Equal Credit Opportunity Act
  • Fair Credit Reporting Act
  • Fair Debt Collection Practices Act
  • Real Estate Settlement Procedures Act
  • Service Members’ Civil Relief Act
  • Bank Secrecy Act/Anti-Money Laundering/OFAC

State

  • State lender and consumer financial services laws
  • State broker licensing laws
  • State loan servicer laws
  • State UDA(A)P laws (“Mini-FTC Acts”)

Bank Partner Origination Issues. With the exception of certain consumer protection statutes, most banks are exempt from the application of state laws, including usury and licensing laws. As a result, where a partnership is properly structured and the bank is the lender, the loans are not subject to state usury law and the fintech is not required to obtain state lending licenses. However, this model has been challenged in several states, creating certain risks with regard to the extent to which the fintech partner may, in fact, be subject to state licensing and usury laws.

  • True Lender: Bank partner lending models in the U.S. have faced legal challenges in recent years based on "true lender" theories, which argue that the fintech (and not the bank) is the true lender in the transactions, and therefore bank preemption of state lending laws should not be available. In reviewing such arguments, courts look to which party had the "predominant economic interest" in the transaction, based on factors such as (i) the length of time the bank held the loans on its books; (ii) whether the fintech took assignment of some or all of the loans; and (iii) whether the bank had a material risk of loss on the loans or if its risk was mitigated or guaranteed by the non-bank partner. If the fintech were found to be the true lender and bank preemption does not apply, the fintech may be in violation of state licensing and usury laws in connection with the loans. The Office of the Comptroller of the Currency (OCC) has issued a rule clarifying that if a federally chartered bank is named as the lender in the loan agreement or funds the loan, it is the “true lender.” However, the vast majority of bank partners in the space are state-chartered banks regulated at the federal level by the Federal Deposit Insurance Company (FDIC). For these state-chartered banks, the FDIC has indicated that, unlike the OCC, it does not have the authority to determine which party in a bank partnership is the “true lender,” as that is a matter of state law.
  • Valid When Made: In addition to the bank partner model, numerous primary and secondary market transactions rely on the ability of banks to sell or assign loans. The ability of an assignee to continue charging the interest rate that was legal when the bank originated the loan is called "valid-when-made." In May 2015, the Court of Appeals for the Second Circuit, covering New York, Connecticut, and Vermont, ruled in Madden v. Midland that a secondary market purchaser of bank credit card debt could not continue to charge the contract rate of interest imposed by the bank that initially extended credit. The Second Circuit held that the interest rate, which was permissible for the bank under preemption laws, was not permissible for the non-bank debt buyer because it exceeded New York usury laws. The Madden case has been criticized for its invalidation of the long-standing valid-when-made doctrine, and the OCC and FDIC have published rules seeking to resolve the issue.

Licensing. Even where a fintech is not required to obtain state lender licenses to make loans, its relationship with a lending bank partner may require that it maintain licenses to broker or service loans. Fintech companies should be aware of an increasing number of states that require a license to negotiate, arrange, or generate leads for loans made by banks.

Operational and Business Issues. In addition to the compliance issues above, there are numerous other issues to resolve between the parties, including:

  • Responsibility for:
    • Marketing the loan program
    • Application intake and review
    • Customer Identification / KYC
    • Distribution of loan proceeds
    • Current and special loan servicing
    • Fraud prevention and monitoring of suspicious activity
    • Customer service
  • Data ownership, use, and sharing ownership of customer relationships
  • Loan or receivables purchase and assignment transactions between the parties
  • Other secondary market transactions
  • Termination, wind-down, and options to transfer the loan program to another bank
  • Exclusivity terms
  • Audit rights
Payments

Generally, in the United States, only depository financial institutions may directly access the federal wire system, submit entries to the national automated clearinghouse (ACH) system, issue network-branded payment cards, or acquire and process transactions made using those cards. While various arrangements permit non-bank entities to participate in these systems—including third-party sender and third-party service provider arrangements for ACH transactions; payment processor, payment facilitator, and digital wallet arrangements for processing card transactions; and partnerships for card issuing—each requires the non-bank to be sponsored by a depository institution.

Compliance Requirements. A fintech active in the payments space through a partnership with a bank should develop a CMS that includes, among others, policies and procedures for compliance with the relevant requirements of the following laws:

Federal

  • Consumer Financial Protection Act
  • Section 5 of the Federal Trade Commission Act
  • Electronic Fund Transfer Act
  • Truth in Lending Act (credit card issuing)
  • Bank Secrecy Act / Anti-Money Laundering/OFAC

State

  • State Money Transmission Laws
  • State Tax Remittance Laws

Network Rules. In addition to federal and state laws applicable to payments activities, fintechs active in this space must comply with the rules governing the applicable network in which they are participating. Although they are not laws, the operational rules of the card and ACH networks are imposed by contract, initially in their agreements with banks, and then pushed downward in agreements between banks and payment companies. These rules define particular classes of non-bank payments companies, govern the appropriate processing of payment and return transactions, and impose data security requirements, among other obligations. Failure to comply with network rules may subject a payments fintech to fees and penalties imposed by the networks, contractual liability, and, ultimately, being barred from participation in network payment activities.

Licensing. As in the lending space, state licensing requirements may also apply to non-bank payments companies. Forty-nine states and the District of Columbia require a license to engage in “money transmission,” typically defined as the receipt of funds for the purpose of transmitting. For various payments models that may involve a fintech receiving funds from one party for the purpose of transferring them to another, licensing may be required. For example, this may include card payment facilitators, ACH third-party senders, bill payment providers, and payroll companies, depending on their funds flow structure, to name a few.

Operational and Business Issues. In addition to the compliance issues above, there are numerous issues to resolve between the parties, including:

  • Responsibility for:
    • Marketing payments services
    • Merchant account application intake and review
    • Customer Identification / KYC
    • Unauthorized use, fraud prevention, and monitoring of suspicious activity
    • Customer service
  • Data ownership, use, and sharing
  • Ownership of customer relationships
  • Termination, wind-down, and options to transfer services to another bank
  • Exclusivity terms
  • Reserve account requirements
  • Minimum processing volume requirements
  • Audit rights
  • Non-solicitation terms
BaaS

In addition to partnerships to offer credit and payments products, in recent years banks and fintechs have partnered to offer deposit accounts and other traditional banking products to consumers and small businesses. These partnerships, often referred to as “Banking as a Service” (BaaS), often include a credit or payments component as well.

Compliance Requirements. A fintech active in the BaaS space through a partnership with a bank should develop a CMS that includes, among others, policies and procedures for compliance with the relevant requirements of the following laws:

Federal

  • Consumer Financial Protection Act
  • Section 5 of the Federal Trade Commission Act
  • Truth in Savings Act
  • Electronic Fund Transfer Act
  • Bank Secrecy Act / Anti-Money Laundering/OFAC
  • Expedited Funds Availability

State

  • State Escheatment Laws
  • State Funds Availability
  • State fee limitations

Deposit Account Agreement. As part of offering deposit accounts through a BaaS arrangement, customers will need to enter into a deposit account agreement (DPA) with the bank partner. Although many provisions of the DPA may be identical to the bank’s standard agreement, it will need to be revised to accurately describe the involvement of the fintech, provide appropriate disclosures, and identify the appropriate contact information customers can use to report errors, give notice of unauthorized transactions, and access other customer service functions. The DPA may also need to be revised for any differences between the bank’s existing products and services and those available through the BaaS offering. For example, any limitations on the customer’s use of their account should be clearly disclosed.

Operational and Business Issues. In addition to the compliance issues above, there are numerous issues to resolve between the parties, including:

  • Responsibility for:
    • Marketing deposit accounts and other products
    • Account application intake and review
    • Customer Identification / KYC
    • Unauthorized use, fraud prevention, and monitoring of suspicious activity
    • Customer service
  • Data ownership, use, and sharing
  • Approved customer deposit methods (ATM, ACH, third-party loads, etc.)
  • Access to bank APIs and related service level agreements
  • Ownership of customer relationships
  • Termination, wind-down, and options to transfer accounts to another bank
  • Exclusivity terms
  • Minimum account opening and/or volume requirements
  • Audit rights
  • Non-solicitation terms

Conclusion

While there are tremendous business opportunities for fintechs that partner with banks to provide financial services, there are also significant business, legal, and regulatory challenges. For startups and established players alike, the key to success is balancing innovation and operational considerations with compliance and risk management.

* * * * *

Venable – an Am Law 100 firm – has a long history of serving the fintech and banking industries, with dozens of lawyers experienced in advising financial services clients on regulatory compliance, business transactions, litigation, intellectual property, privacy and data security, and other legal and regulatory issues. Our attorneys provide comprehensive yet practical advice rooted in our understanding of the ever-changing regulatory and enforcement climates. Our client list spans the breadth of worldwide leaders in payments and fintech, from established players to start-ups and entrepreneurial market disrupters.

If you have questions about launching a new financial services product, or partnering with a bank to do so, please reach out to the authors for a consultation on how best to achieve your business goals while effectively managing legal and regulatory costs and risks.