In the FDIC’s latest monthly update on enforcement decisions and orders, the agency published recent consent orders it entered against both a New York-based and an Ohio-based bank, the latest in the agency’s series of enforcement actions against bank-fintech partnerships. The orders did not impose any fines or civil penalties but require corrective actions by the banks and their boards.

The FDIC’s consent order against the New York bank alleged violations of the Bank Secrecy Act (BSA), as well as violations of the Electronic Funds Transfer Act (EFTA) and the Truth In Savings Act (TISA). Although the consent order did not detail how the bank violated these statutes, the consent order focused on strengthening the bank’s oversight of its fintech partners. Under the consent order, the bank is required to, among other things:

• increase oversight of the bank’s third-party relationships to ensure adequate data collection and risk assessment practices;
• revamp its AML program;
• review accounts and transactions to ensure proper suspicious activity reporting;
• review EFTA error disputes to ensure proper logging and processing; and,
• identify and address violations of consumer laws and regulations, such as EFTA and TISA, including those committed by third parties conducting and/or performing bank activities.

The Ohio bank’s consent order, issued jointly by the FDIC and Ohio’s Division of Financial Institutions, focused on the bank’s compliance deficiencies associated with its prepaid card partnerships. Among other provisions, the order requires the bank to:

• enhance its AML/anti-terrorist financing program to include appropriate assessment and oversight of third parties to whom the bank has outsourced any responsibilities;
• review and enhance suspicious activity monitoring and reporting process for the prepaid card program; and,
• within 90 days, collect all required customer information for prepaid card customers since July 2020 and outline circumstances and timeframes for closing non-compliant accounts to adhere to the customer identification program regulations.

The orders were initially issued in February 2024 but made public on March 29 as part of the agency’s regular update on enforcement activity.

Putting It Into Practice: The FDIC’s consent orders highlight the agency’s view that banks do not have adequate oversight over their fintech partners, leading to what it views as unsafe and unsound banking practices. The FDIC has been laser-focused on whether institutions have appropriate internal controls and the level of board and management oversight. Banks that grow too quickly will find themselves on the agency’s radar. (See blog posts on similar consent orders in the past here and here). These consent orders, once again, emphasize the necessity for banks to reassess their fintech partnerships and current risk management practices against the prudential regulator’s final interagency guidance.