40% Of Reviewed Unit Clients May Mislead On Offering “Banking” Services, FDIC Coverage
Piermont, partner to Treasury Prime and Unit, and Sutton Latest BaaS Banks Hit With FDIC Enforcement Actions
Hey all, Jason here.
Hard to believe I’ve been in Mexico for a month already! Just one more week here, before I head to the US for New York Fintech Week.
Tuesday, April 9th, I’ll be hosting a happy hour and discussion about the latest trends, challenges, and opportunities in fintech with my friends from Knot, Current, and Visa — space is very limited, so request your RSVP now.
Wednesday, April 10th, I’ll be attending and hosting two masterclasses at the Empire Fintech Conference, one with Neepa Patel, founder/CEO of Themis, and a second with Alex Johnson and Riaz Syed of Infinant — learn more and get your ticket now!
Finally, I’ve been a bit behind on my bookkeeping. Thanks to paying subscribers, I’ve made a sizable donation to the Boys & Girls Club — thanks to my former colleague and author of the Chaos Engineering newsletter Francisco Javier Arceo for the suggestion! If you have a suggestion for the next charity to support, please let me know!
If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!
Another BaaS Consent Order Double Header, As Piermont, Sutton Get Enforcement Actions
The banking-as-a-service-related enforcement actions continued to pile up last week, with both Piermont and Sutton entering into consent orders with the FDIC.
Piermont and Sutton join a growing group of partner banks that have recently received consent orders, including (depending on how you define BaaS/partner bank): Blue Ridge Bank, Choice Bank, CBW, Cross River Bank, Metropolitan Commercial Bank, B2, Vast, First Federal, and Green Dot’s forthcoming order.
While both Piermont’s and Sutton’s orders touched on BSA/AML and third-party risk management, a common theme of BaaS banks subject to such enforcement actions, there are some specifics of the fact patterns and consent orders worth unpacking.
Despite Consent Order, Piermont Remains Committed to BaaS, Will Continue Working With Treasury Prime But Terminate Relationship With Unit
Piermont was founded quite recently, in 2019, and has pursued a strategy that includes partnering with fintechs, both directly and through BaaS middleware platforms Treasury Prime and Unit.
According to internal documents obtained exclusively by Fintech Business Weekly, at its peak, Treasury Prime had about 28 fintechs on Piermont, though, by January 2024, the number had declined to 19 programs.
Unit didn’t respond to questions about its relationship with Piermont, but per statements on social media from Unit investors Sheel Mohnot and Jake Gibson of Better Tomorrow Ventures, “Piermont was less than 1% of Units [sic] business,” with the duo implying that Treasury Prime was to blame for Piermont’s consent order, saying Piermont was “primarily a Treasury Prime partner, but no mention of that.”
It couldn’t immediately be discerned why Unit’s partnership with Piermont, announced in February 2022, failed to develop into a meaningful relationship for Unit, while, in an overlapping timeframe, Treasury Prime had a material number of partners on the bank. Questions to Unit on why its partnership with Piermont didn’t develop while Treasury Prime’s did went unanswered.
Piermont is the third bank partner, of the eight Unit has, to receive an enforcement action related to its BaaS activities.
Piermont’s consent order, which appears to stem from findings in its December 2022 and January 2023 reports of examination, focuses primarily on risk stemming from its third-party fintech/BaaS programs.
Piermont itself acknowledged this in a statement addressing the order, saying in part (spacing adjusted):
Piermont’s consent order stems from the bank’s BaaS activities and work with third parties. As the market has shifted, we have been aware of and responding to the changing regulatory landscape.
We have already taken important steps, including making additional investments and undertaking important strategic decisions, to address the items in the order.
According to the consent order, Piermont engaged in (emphasis added) “unsafe and unsound banking practices relating to, among other things, the failure to have internal controls and information systems appropriate for the size of the Bank and the nature, scope, complexity, and risk of its Third-Party Relationships.”
The order cites violations of the Bank Secrecy Act (BSA), a hallmark of BaaS consent orders, but also cites violations of the Electronic Funds Transfer Act (EFTA) and the Truth In Savings Act (TISA) — notable, as, to date, enforcement actions haven’t touched on consumer compliance.
Other notable aspects of the order include:
Board requirements, including supervision and direction of management, corporate governance, strategic planning, liquidity and funds management, interest rate risk, earnings, the bank’s financial condition, third-party relationships, AML/CFT program, consumer compliance risks, among other responsibilities
Board must ensure the bank has an appropriate number of officers with sufficient experience, expertise, independence, and resources
Board must ensure the bank has adequate systems such that the board can monitor and evaluate the bank’s adherence to policies and procedures
Review and assessment of data and systems, including third-party systems, to ensure they enable the bank to operate in a safe and sound manner, including compliance with applicable law and regulation, such as EFTA, TISA, and the reporting of suspicious activity and filing of BSA reports
Board must ensure activities conducted through third-parties (emphasis added) “include clear lines of authority and responsibility for monitoring adherence to applicable Bank Procedures, effective risk assessment with appropriate consideration and coordination…”
Board must assess if components of its third-party programs (emphasis added) “are appropriate for the size of the Bank, and the nature, scope, complexity, and risk of the Bank’s Third-Party Relationships and related Bank Activities…”
Review due diligence processes for assessing potential new and ongoing monitoring of third-party programs
Conduct an AML/CFT risk assessment, including assessing AML resources, implementing independent AML/CFT testing, preparation of an AML/CFT audit report, conduct AML/CFT training for all appropriate personnel, and conduct a BSA look back review through September 30, 2022
Conduct an EFTA look back review for all error disputes submitted by users since August 24, 2020, to ensure they were logged and processed in accordance with EFTA/Reg E
Board must ensure the bank has an adequate program to ensure compliance with consumer-related laws and regulations, including addressing deficiencies and weaknesses identified in the bank’s January 2023 report of examination
Training, monitoring, and testing related to consumer compliance, including EFTA and TISA
Detect non-compliance with consumer laws and regulations, including by third-parties conducting and/or performing bank activities
Revise and submit the bank’s three-year strategic plan for review and comment or non-objection
Appropriately revise and implement an interest rate risk action plan
Among other issues and requirements
Despite the setback, Piermont remains committed to the model, saying in part in its statement addressing the consent order (spacing adjusted and emphasis added):
Embedded banking is a core pillar of the bank’s business model and an area where we plan to continue making significant investments and enhancements.
Given that we don’t have restrictions on new fintech programs, we have already revamped our onboarding, due diligence, and oversight parameters, and are looking to bring on more partners to continue growing the business with this strong foundational structure.
We remain committed to serving entrepreneurs, fintechs, technology companies, and end-users in a long-term sustainable way.
As an external observer, it is difficult, if not impossible, to isolate the specific actions or inactions that led to Piermont’s consent order.
While Treasury Prime had significantly more programs on Piermont than Unit did, the question of why Unit’s relationship with Piermont failed to gain traction remains unanswered — as does the question of why Piermont is terminating its partnership with Unit, as first reported by Fintech Business Weekly, but will continue working with Treasury Prime.
Sutton’s Relationship With Cash App Appears To Catch Up With It
Sutton Bank, one of the banks behind Block’s consumer P2P platform Cash App, also reached a consent order with the FDIC that was released on Friday.
Compared to Piermont’s order, which touches on EFTA and TISA as well as BSA, Sutton’s order is relatively narrowly focused on AML/CFT risk.
Sutton’s order requires the bank to:
Develop, adopt, and implement a revised AML/CFT program that is commensurate with the bank’s risk profile
Address deficiencies and weaknesses from the bank’s January 17, 2023 report of examination
Improve the board’s supervision and direction of the bank’s AML/CFT program
Ensure the bank maintains a permanent, designated individual(s) as BSA Officer with appropriate qualifications with sufficient time, authority and resources
Conduct an independent review of the bank’s AML/CFT resources
Develop appropriate policies and procedures related to third-party risk management, including related to AML/CFT
Address identified deficiencies and weaknesses in the bank’s suspicious activity monitoring program
Develop and implement a comprehensive AML/CFT training program
Ensure compliance with CIP regulations, including in the bank’s third-party prepaid card programs
Conduct a CIP look back review through July 1, 2020
Among other requirements
Sutton’s order is widely believed to stem from its partnership with Cash App, whose lax KYC policies were documented in a research report from short seller Hindenburg in March 2023.
Risks In Bank/Fintech Partnerships Run In Both Directions
Piermont and Sutton’s consent orders add to the growing list of BaaS banks hit with enforcement actions related to their oversight of partner programs.
It remains clear that, at the end of the day, banks hold legal and regulatory responsibility for the actions their third-party vendors, including BaaS intermediaries like Treasury Prime and Unit as well as customer-facing fintechs, take on their behalf.
On the flip side, these partnerships — and the risks they come with — run in both directions, raising the question of how fintech and BaaS platforms approach doing due diligence on their bank partners.
For middleware platforms like Unit and Treasury Prime and their fintech clients, the disruption that comes with a bank partner receiving a consent order can be quite substantial, particularly if the bank chooses to exit the BaaS space, requiring customer-facing fintechs to migrate to a new bank partner — assuming they can find one to take them.
The choice of bank partners, and those banks’ approaches to compliance and what other third-parties they work with, represent a key risk to BaaS platforms and customer-facing fintechs.
A representative for Piermont Bank confirmed the bank will continue working with Treasury Prime.
A representative for Treasury Prime said, “We remain supportive of Piermont and its fintech programs as our partner relationship continues to grow.”
A representative for Unit didn’t respond to questions and a request for comment.
Have a tip about banking-as-a-service? Reach me on a confidential basis via secure messaging app Signal at +1-316-512-1571.
40% Of Reviewed Unit Clients May Mislead On Offering “Banking” Services, FDIC Coverage
Since the creation of the FDIC in 1934 following the financial collapse of 1929, no depositor has ever lost a penny of FDIC-insured funds.
So it’s understandable why upstart fintechs would want to latch on to the perceived safety that goes along with being an FDIC-insured bank, even if most depositors don’t understand the intricacies of prudential banking regulation or how deposit insurance actually works.
In fact, non-bank companies describing themselves as “banks” or offering “bank accounts” and “banking products” and misusing FDIC logos and language in ways that are likely to mislead consumers has become such a problem that regulators have begun to take action.
Chime memorably got in trouble for using the URL chimebank.com and referring to itself as offering “banking” services and “bank accounts,” with state regulators in California and Illinois reaching settlements with the company that required it to cease using the chimebank.com domain and continue to require it to include a clear, conspicuous, and proximate disclaimer that it is not a bank, and that services are provided by its bank partner(s), naming the specific bank(s).
To date, there has not been an action from federal regulators stemming from fintechs describing themselves as “banks” or offering “banking” products.
For its part, the FDIC has stepped up its policing of companies that use its logos or FDIC-insured language in violation of regulations on the matter — issuing numerous cease and desist orders to crypto and fintech firms for violations in recent years.
The FDIC also issued an updated rule — which takes effect tomorrow (with an extended compliance date of January 1, 2025) — that modernizes FDIC signage requirements and clarifies expectations around false advertising, misrepresentation of insured status, and misuse of the FDIC’s name or logo.
The rule is meant, in part, to address the rise of bank/fintech partnerships, like those facilitated by BaaS intermediaries, including clarifying how deposit insurance applies in such arrangements and the kinds of disclosures non-bank fintechs should make to avoid end-customer confusion.
The rule clarifies that:
using the FDIC’s advertising statement or FDIC associated images or terms in a way that implies a company other than an insured depository institution is insured by the FDIC is a misrepresentation, unless it is next to the name of one or more insured depository institutions
if a non-bank makes a statement regarding deposit insurance coverage, it is a material omission not to clearly and conspicuously disclose that the non-bank company itself is not FDIC-insured and that FDIC insurance only protects against the failure of an insured depository institution
if a company makes statements about “pass-through” deposit insurance coverage, it is a material omission not to clearly and conspicuously disclose that certain conditions must be met for such coverage to apply
The updated rule also requires insured depository institutions to establish written policies and procedures for how they will comply with the rule, including specifically how banks will monitor and evaluate third parties that provide deposit-related services to the bank or offer a bank’s deposit related services to others.
Unit and Its Bank Partners Know, Or Should Have Known, “Banking” And FDIC Claims Are An Area Of Potential Risk
Despite ample regulatory activity related to how fintechs market themselves to end users — and now three of its bank partners receiving regulatory enforcement actions — numerous fintech clients of banking-as-a-service intermediary Unit continue to misleadingly describe themselves as offering “banking” services or accounts, without adequate disclosures clarifying their underlying bank partner(s), misrepresent deposit insurance coverage, or both.
This isn’t the first time a Unit client has used this kind of misleading language on its website, in its app, or in advertisements.
In July 2023, Fintech Business Weekly profiled Unit and Blue Ridge client Maza, which, at the time, described itself as a “US banking service” that was “associated with Visa and the FDIC” — even suggesting users could contact the FDIC themselves to “confirm association.”
Maza also used misleading language claiming to be “powered by Visa, FDIC” and “secured by Visa and the FDIC.”
Maza misused FDIC logos and, for its ITIN offering, falsely claimed to offer an “IRS guarantee.”
After inquiries sent to Unit, Maza, and Blue Ridge Bank, many of the problematic statements were quickly removed.
It isn’t clear if Unit or its bank partners reviewed their compliance management systems or adjusted any policies or procedures as a result of the Maza incident.
Unit didn’t respond to questions, including whether or not it and its bank partners reviewed and/or made any changes to their approach to consumer compliance after being made aware of Maza’s use of deceptive claims.
20 Unit Clients Out Of 50 Reviewed Have Potentially Misleading “Banking” or Deposit Insurance Claims
To identify Unit client programs, Fintech Business Weekly reviewed clients mentioned on Unit’s website and marketing materials and searched for programs that included disclosures mentioning “Unit Finance” and one of Unit’s bank partners, which include:
Blue Ridge Bank
Choice Bank
Five Star Bank
i3 Bank
Pacific West Bank
Piermont Bank
Thread Bank
TransPecos Bank
Of the 50 programs found and reviewed, 20 partners, or 40%, have potential problems with how they described offering “banking” services, deposit insurance, or both:
Unit didn’t respond to a question asking how many total deposit programs it supports across its bank partners; the proportion of programs with problematic marketing language may be lower than 40%, if there are compliant deposit programs Fintech Business Weekly’s review didn’t find.
Blue Ridge, Which Has Received Two BaaS-Related Enforcement Actions, Has Multiple Programs With Potential Problems
Though Unit ostensibly has eight bank partners, Blue Ridge, Choice, and Piermont are in the process of breaking ties with the middleware platform.
However, these transitions take time — as of writing, 17 of the 50 reviewed programs remain on Blue Ridge — including four with problematic “banking” or FDIC language.
For example, Letter describes itself as offering “modern private banking,” including offering checking accounts and future plans to offer investment products, lending (including against crypto), and financial advice — without disclosing anywhere on the page detailing its “deposit” offering that it isn’t, in fact, a bank:
Letter also describes its accounts as FDIC insured, without naming the underlying insured depository institution or providing any additional context or disclaimers, including the typical $250,000 maximum for insured deposits:
Stake, another Unit and Blue Ridge client that targets renters, also describes itself as offering “banking,” without a proximate clarification of who its underlying bank partner is, and makes aggressive use of FDIC language and its logo, without specifying the insured depository institution:
Blue Ridge and Unit client Levro, which offers “global banking,” international payments, and foreign exchange, also fails to proximately, clearly, and conspicuously disclose its underlying bank partner:
Even relatively mature companies, like Invoice2Go, which is part of publicly traded BILL, aren’t immune to these missteps — it describes itself as offering “small business banking,” without making clear that it isn’t, in fact, a bank and who the underlying bank partner is:
Thread Bank, Now A Key Unit Bank Partner, Also Has Numerous Problematic Programs
As Blue Ridge winds down its BaaS and fintech programs, Unit has come to depend more heavily on Thread Bank.
Of the 21 reviewed programs on Thread, 12 of them had potentially deceptive “banking” and/or FDIC-related claims.
For instance, Highbeam purports to offer banking services for ecommerce brands, including up to $3 million in FDIC insurance coverage, without proximate clarifications that it isn’t a bank or who the underlying insured depository institution is:
Covercy, which claims to offer banking services for commercial real-estate companies, markets that it enables users to open bank accounts for each property “quickly and easily,” and touts that “all funds in the Covercy wallet are FDIC insured by” an unspecified “banking partner” — for customers who pay for the “Pro” plan:
Likewise, Baselane, targeting landlords, describes itself as “banking” and touts up to $3 million in FDIC insurance, without proximately specifying the underlying insured depository institution, including in social media advertisements launched earlier this month:
TopKey, targeting businesses, describes itself as a “complete banking solution” that is “safe and secure,” as its data is encrypted and “FDIC insurance is available for funds on deposit,” without proximately specifying its bank partner:
i3, Five Star, Pacific West, and Piermont Programs Also Have Issues
Onyx Private, which targets consumers and businesses (and recently announced it will shut down and pivot to B2B), describes itself as offering a “bank account” and fails to specify its insured depository partner institution. Onyx partners with i3 Bank via Unit:
Novel, which partners with Five Star via Unit, even answered a customer inquiry on Facebook approximately a year ago by falsely stating that “Novel is a Bank.”
Family spending-and-budgeting app Envelope, which partners with Pacific West through Unit, repeatedly describes itself as offering “banking,” including on its website and in its app store description, without proximate clarification that it isn’t a bank and who its underlying bank partner is:
Arise Money, partnered with Piermont through Unit, describes itself as “a new way to bank” and as being “on a mission to make banking* better,” without proximate disclosures that it isn’t a bank. The company also bizarrely claims to have “invented” earned wage access.
Finally, remittance provider Sendwave, which also offers consumer deposit accounts through Unit with Piermont, reached a consent order with the CFPB in October 2023 over violations of the remittance rule and Dodd-Frank’s prohibition of UDAAP.
According to the consent order, Sendwave made false and misleading statements that transfers had “no fees,” when this wasn’t the case; made false and misleading statements about transfers being “instant”; improperly required users to waive their rights under EFTA/Reg E; failed to develop required policies and procedures for error resolution; and provided disclosures that did not comply with EFTA requirements, among other issues.
Unit Appears To Have Failed To Address Known, Inherent Risks In Its Operating Model
Last July, when the issues with Unit/Blue Ridge client Maza came to light, I wrote:
Maza’s Problems Demonstrate Inherent Risks in BaaS Models… that such obvious and egregious problems existed live in production — apparently for more than a year — call into question Unit and Blue Ridge’s ability to operate partner programs in a safe, sound, and compliant manner.
Further, Maza highlights a fundamental problem with BaaS models: the company appears to have no on-staff personnel with legal or compliance experience.
No matter how robust Unit and Blue Ridge’s compliance management system, if their consumer-facing client doesn’t know or understand the compliance processes they’re supposed to be following, it seems borderline impossible to have adequate controls in place.
Despite being made aware of the issue nine months ago, twenty Unit programs across six of its bank partners have potential consumer compliance issues — suggesting that Unit and its bank partners seem to have a systemic problem monitoring and ensuring the compliance of their partner programs.
Since the Maza story, Unit has pivoted to describing itself as facilitating “direct” relationships between its clients and its bank partners — but the company still says it “streamlines” compliance for its customer-facing clients and provides “managed services,” including marketing oversight, to its bank partners.
Regardless of any changes Unit has made to its model, what was true before remains true now: at the end of the day, fintech programs and Unit are considered third-party vendors to Unit’s bank partners — the banks, ultimately, hold legal and regulatory liability for what they do (or don’t do) on the banks’ behalf.
While copywriting issues like using “banking” and FDIC language and the inclusion and placement of clarifying disclosures may feel pedantic, they come with the territory of operating and offering products in the highly regulated financial services space.
A representative for Unit did not respond to questions or request for comment by the time of publication.
A representative for i3 said, “We work with our partners and review all customer facing material to ensure it is within expectations.”
A representative for Choice said, “To ensure compliance with appropriate regulations, Choice Bank’s BaaS business maintains a multi-layered approach to reviewing BaaS partner websites and advertisements of Choice-related products.”
After the time of publication, a representative for Five Star said, “Five Star Bank has a robust enterprise risk management framework and focuses on BaaS partners that share our core values, fit our risk appetite and lead with compliance. All partners we work with through our BaaS offering are subject to the same level of prudent operational, compliance and risk oversight and controls.”
A representative for Piermont declined to answer questions or provide a statement.
Representatives for Thread, Pacific West, TransPecos, and Blue Ridge didn’t respond to requests for comment or were unreachable.
Trade Groups Seek To Block Colorado DIDMCA Opt Out, or, How Do You Define Where An Online Loan Is Made?
Riddle me this: how do you define what state a loan applied for online is “made in”?
A small but growing number of jurisdictions are choosing to opt out of a provision of 1980’s Depository Institutions Deregulation and Monetary Control Act, which, among other things, sought to normalize certain privileges between nationally-chartered banks and their state-chartered counterparts.
In passing DIDMCA, Congress gave states the right to opt out of a provision that allows state-chartered banks to charge rates and fees permitted by their home state on a nationwide basis, with respect to loans “made in” the state opting out.
Colorado recently passed a law joining Iowa and Puerto Rico exercising that opt out right, positioning the legislation as necessary to protect vulnerable Coloradans from usurious out-of-state lenders, including fintech lenders that partner with out-of-state banks.
Despite the opt out, out-of-state state-chartered banks (and fintechs that partner with them) can continue to lend in Colorado — up to its usury cap, which ranges from 8% to 45%, depending on the type of loan, the amount, and the nature of the transaction.
For example, private label credit cards can charge a maximum of 21%, and personal loans can charge a maximum of 21% or 36% on the first $1,000 lent, 21% on $1,001-$2,999, and 15% on the balance of $3,000 or greater.
Now, three trade groups, the National Association of Industrial Bankers, the American Financial Services Association, and the American Fintech Council, have filed suit against Colorado, seeking a declaratory judgment and injunctive relief.
Specifically, the groups’ suit argues that Colorado exceeded the authority granted to it by Congress in DIDMCA.
The suit argues that (emphasis added):
Under federal law, a loan is only “made in” a state other than the state where a bank is chartered when all the key functions associated with originating the loan— including the bank’s decision to lend, communication of the loan approval decision, and disbursal of loan proceeds—occur in that other state.
Colorado is ignoring this definition of where a loan is “made” in order to impose its state interest-rate caps on all consumer borrowing in the state, the suit argues.
The suit further argues that allowing Colorado to do this violates the Supremacy Clause and interferes with interstate commerce:
First, Colorado’s opt out is preempted by DIDMCA and violates the Supremacy Clause of the United States Constitution by attempting to expand the federally granted opt-out right to loans not actually “made in” Colorado under federal law.
Second, the opt out violates the Commerce Clause because it will impede the flow of interstate commerce and subject state-chartered banks to inconsistent obligations across different states, creating a significant burden on interstate commerce.
According to the trade groups, because, even in Colorado’s interpretation, the DIDMCA opt out only applies to out-of-state state-chartered banks, nationally-chartered banks, protected by the National Bank Act, would still be free to offer identical products at rates exceeding Colorado’s rate and fee caps.
This would, the case argues, result in reduced competition in the state, particularly in credit at rates above Colorado’s usury cap — resulting in fewer choices and, potentially, higher rates and fees from the national banks that could continue to serve higher-risk Colorado borrowers.
The suit asks the federal district court in Colorado to declare the state’s opt out and its Uniform Consumer Credit Code as invalid, violating federal law, and unenforceable, with respect to loans not “made in” Colorado, as defined by federal law.
Other Good Reads
A Huge Merchant Settlement Lands (CardsFTW)
The Risky End State for Consumer Lending (Fintech Takes)
Robinhood’s Credit Card Offers 3% Cash Back. Can It Last? (New York Times)
25 Years for Sam Bankman-Fried (Citation Needed)