FDIC issues notable consent order on fintech vendor risk management

The order against First Northwest Bancorp includes thoughtful provisions about third-party relationship management, especially with a fintech provider.

We can all be forgiven for missing this one late in the day on the Friday after Thanksgiving. But better late than never as the case is quite instructive in terms of the third-party risk management guidance the regulator shares in its consent order, particularly as the advice pertains to a fintech vendor.

On November 24, First Northwest Bancorp (FNWB) released an 8-K disclosing that First Fed Bank and the FDIC entered into a consent order. FNWB is a publicly traded company and the parent of First Fed Bank, a $2.1b asset state nonmember bank based in Port Angeles, Washington.

First Fed Bank agreed to the terms of the consent order without admitting or denying the FDIC’s allegations. 

Joint venture gone awry

The consent order revolves around First Fed Bank’s joint venture agreement and vendor relationship with Quin Ventures, a digital financial wellness platform that offers personal financial services to the general public.

Through a marketing and banking services agreement, Quin promoted the services offered through the digital financial wellness platform and First Fed Bank provided banking services to the customers who used the platform, according to the bank’s 8-K filing in 2021.

In the first paragraph of the consent order, the FDIC says it determined that “in connection with [First Fed Bank’s] relationship with Quin Ventures,” the bank engaged in:

  • Unsafe or unsound banking practices;
  • Unfair or deceptive acts or practices (UDAP) violations;
  • Violations of the Truth in Lending Act;
  • Violations of the Real Estate Settlement Procedures Act;
  • Violations of the Electronic Fund Transfer Act; and
  • Violations of Section 18(a)(4) of the FDI Act — the law that prohibits making false or misleading representations about deposit insurance coverage and misuse of the FDIC’s logo.

The consent order does not recite the facts underlying all of these findings, although if you read the description of the alleged UDAP violations, the FDIC offers a couple of clues.

It says the bank made “implied claims that credit products with non-optional debt cancellation features were unemployment insurance, approving consumers who did not qualify for the debt cancellation feature, and misrepresenting the fees and benefits for those products.”

FDIC vetting of new products and partnerships

In addition to mandating post-settlement undertakings such as fostering greater board and management oversight over third-party risk management, beefing up training programs, and maintaining more appropriate staffing levels, the consent order includes some key provisions about new products, new partnerships, and other third-party relationships.

Under the consent order, First Fed Bank must within 30 days submit to the FDIC a list identifying:

  • all credit or deposit products being offered by or through the bank; and
  • any entity other than First Fed Bank that is offering bank products.

Any bank product not on the list (or any bank product offered or to be offered by a third party not identified on the list as currently offering that bank product) is a “new bank product,” and any third party not included on the list is a “new third party.”

Before First Fed Bank will be permitted to:

  1. “execute a binding commitment or agreement with a new third party;
  2. allow a new third party to offer a bank product through, or in conjunction with the Bank; and/or
  3. offer a new bank product, either directly or indirectly,”

it must obtain a written non-objection from the FDIC.

To receive that non-objection, First Fed Bank must, “at a minimum” and among other things, conduct an “initial thorough and well-documented review and assessment of the risks associated” with the new bank product or new third party, as applicable.

First Fed Bank must also in its request for non-objection describe in appropriate detail “the procedures, processes, and/or other actions the Bank will take to ensure compliance with consumer protection laws and satisfactorily mitigate any risks identified” in that risk assessment.

Oversight of third parties mandated

The consent order includes requirements intended to enhance First Fed Bank’s oversight of third-party relationships, requiring the bank to implement policies and procedures that, at a minimum, establish:

  • A comprehensive process for:
    • risk assessment and due diligence in selecting third parties;
    • structuring, review and approval of third party contracts; and
    • ongoing oversight and management of the relationship;
  • A process for the bank to review and approve copies of all third-party marketing materials, including promotional materials, advertising and telemarketing scripts whether delivered through direct mail, the internet, electronically, telephonically, social media platforms, mobile devices or any other type of media;
  • Appropriate recordkeeping;
  • Monitoring of marketing and solicitation programs;
  • Processes around managing regulatory inquiries, customer complaints, and legal actions;
  • Review of third-party service provider policies and procedures to determine those policies and procedures comply with consumer protection laws; and
  • Procedures for “appropriate corrective and preventive action” when noncompliance by a third party is identified.

First Fed Bank must perform semi-annual due diligence to ensure that third parties have in place an adequate training program to ensure that their employees comply with consumer protection laws.

And the bank’s compliance officer must semi-annually submit a report to the bank’s board and senior management assessing “whether third parties are complying with those laws.”

Compliance considerations

At the end of the securities filing it released on November 24, which summarizes the consent order, FNWB said (in part):

“The Company’s Board of Directors and executive leadership are committed to compliance and have invested significant resources into resolving the matter. After self-reporting to the FDIC in 2022, the Bank added resources to its compliance and control functions and the Bank is continuing to allocate resources to enhance its compliance management system and controls. This proactive approach allows the Company to more effectively manage both the prior and ongoing costs of stronger compliance and control measures.”

FNWB makes loans through numerous partnerships with fintech companies, as the consent order notes. Given this, the order can be considered a warning to other banks that their bank-fintech partnerships are likely to receive increased scrutiny from regulators. 

And although the order is focused on fair lending compliance, many of the requirements imposed on the bank by the order are likely to be indicative of FDIC expectations for how banks should be addressing other consumer protection risks associated with bank-fintech partnerships.

A financial services firm using a fintech partner must have assurance the partner can onboard, monitor, investigate, and report customer and employee activity in alignment with regulatory expectations. It is important to analyze risks that the partnership might introduce into the organization’s ecosystem, both initially and on an ongoing basis.

First Fed Bank must, “at a minimum,” conduct an “initial thorough and well-documented review and assessment of the risks associated” with the new bank product or new third party.

That means a business must have an established protocol for how it will oversee the third party, and it must be able to vouch for the provider’s technology, its effectiveness and suitability, and the sufficiency of the provider’s compliance program.

The business must also create clearly defined roles, expectations and escalation processes for the people charged with overseeing the vendor’s actions, promises, technology and interactions with the bank’s customers.

There also must be incentives for speaking up when something looks amiss and a clear path for ending any fintech vendor relationships that deviate from compliance expectations.