Bank Regulators Drop New Guide on “Third-Party Relationships”
Why I Invested In Baselayer, Chime Has 7m Users (So What?), Small Merchants "Sell Out" Larger Ones In Visa/Mastercard Settlement
Hey all, Jason here.
Today is both Liberation Day, which marks the end of the Nazi occupation of the Netherlands during World War II, and Cinco de Mayo (which is not Mexican independence day, btw) — though I’m guessing not too many Dutch folks celebrate Cinco de Mayo?
If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!
Why I Invested in Baselayer
When I first set up my company in the Netherlands, I assumed the paperwork to incorporate and register the company would be the hard part, and that it would be smooth sailing from there.
But reality hit when I proudly walked into ABN Amro, the largest bank in the Netherlands, only to realize they didn’t want or couldn’t support me and my business as a customer. My business partners’ and my experience securing basic banking services for a newly formed business in Mexico was orders of magnitude worse.
These challenges are all too common and, with almost 5.5 million businesses formed last year, excessive barriers in accessing banking and credit represent a lost opportunity for financial service providers and an impediment to newly-formed enterprises focusing on establishing and growing their businesses.
While there are numerous, well-funded startups working on improving identity verification, KYC, and fraud solutions for consumers, there has been little focus on solving these challenges for businesses, which is a substantially more difficult problem. Offerings from incumbent firms like Dun & Bradstreet are, to put it politely, lacking.
Baselayer, which emerged from stealth and announced its $6.5 million seed round, helps to solve for this by providing a comprehensive platform with fully automated solutions for know your business (KYB), risk, and fraud management.
It’s no secret that fraud and financial crime risk are major problems in banking and fintech, including in the business account space, with bad actors looking to take advantage of gaps in controls. And, for too long, this has been a tolerated trade-off in return for fast, “frictionless” onboarding experiences and higher conversion rates.
With Baselayer, financial firms serving business customers can get the best of both worlds: real-time searching of government data sources and intelligent AI-powered entity matching help eliminate manual reviews, enabling faster, less risky onboarding and more accurate ongoing monitoring.
In just six months of operations, Baselayer has secured nearly 30 customers with over 25 million end-customer accounts.
So it should be no surprise Baselayer’s seed round was 5x oversubscribed.
I’m proud to join Torch Capital, Afore Capital, Founder Collective, Picus Capital, Gilgamesh Ventures, and notable angel investors in supporting what promises to be a game changer in the business identity and risk management space.
Congrats to Baselayer cofounders Jonathan Awad and Timothy Hyde on the milestone!
Fed, OCC & FDIC Drop New Guide on “Third-Party Relationships”
As earlier missteps have caught up with many players in the banking-as-a-service space, both banks and middleware platforms, some have taken to blaming the lack of a clear “rule book” for such partnerships.
But such protestations strike me as either disingenuous or ill informed for a number of reasons.
First, much of financial services regulation tends to be principles-based, rather than rule-based, including policies governing how banks interact with third-party vendors, like middleware intermediaries and customer-facing fintechs or brands.
Existing regulation does not (and, indeed, cannot) explicitly prohibit the BaaS operating models originally pursued by middleware providers like Unit, Synapse, Treasury Prime, and Synctera.
Rather, it was the inability of partner banks together with their middleware providers to operate these relationships in a manner compliant with applicable regulations that has resulted in ongoing heightened regulatory scrutiny of the sector.
It is not that the regulations or expectations have necessarily changed, as some in industry believe; rather, it is that regulators are looking more closely and are more actively enforcing long-held expectations.
For example, this statement — part of an August 2000 advisory letter from the OCC — wouldn’t sound out of place in regulatory guidance released today (spacing adjusted and emphasis added):
Vendors, brokers, dealers, and agents can offer banks a variety of legitimate and safe opportunities to enhance product offerings, improve earnings, diversify assets and revenues, or reduce costs.
In most instances the fundamental risks associated with activities introduced by third parties are no greater or less than the bank would have incurred had the bank performed the activity on its own.
Those risks, however, can be excessive if management and directors do not exercise appropriate due diligence prior to entering the third-party arrangement, and effective oversight and controls afterwards.
The OCC expanded on that advisory letter in a 2001 bulletin, which emphasized that the agency’s approach and recommendations were “largely derived and adapted from supervisory principles that the OCC or the federal banking agencies have already issued.”
The 2001 bulletin reinforced the notion that a third-party undertaking activities on a bank’s behalf “should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national bank were conducting the activities directly,” and suggested that banks should design a risk management process that includes:
• A risk assessment to identify the bank’s needs and requirements;
• Proper due diligence to identify and select a third-party provider;
• Written contracts that outline duties, obligations, and responsibilities of the parties involved; and
• Ongoing oversight of the third parties and third-party activities.
The OCC’s 2001 bulletin also highlights the agency’s right to directly examine and regulate third-party service providers to banks it oversees under the Bank Service Company Act, to the extent third parties are undertaking “the performance of any applicable functions of [a bank’s] internal operations.”
That August 2000 OCC letter and 2001 bulletin were rescinded and replaced by a 2013 risk management guide for third-party relationships, which, among other recommendations, suggested that:
• a bank should adopt risk management processes aligned with the level of risk and complexity in its third-party relationships
• a bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities
• effective risk management through the life cycle of third parties includes:
  • alignment with the bank’s strategy
  • understanding inherent risks of the activity
  • detail in how a bank selects, assesses, and oversees third parties
  • proper due diligence in selecting third parties
  • written contracts that outline rights and responsibilities
  • ongoing monitoring of third parties’ activities and performance
  • contingency planning
  • documentation and reporting that facilitates oversight
  • independent reviews that enable bank management to assess if the bank’s processes align with its strategy and effectively mitigate risks
The 2013 risk management guide was supplemented with an FAQ in 2020 before being rescinded and replaced by 2023’s interagency guidance on risk management of third-party relationships, which sought to harmonize the OCC, FDIC, and FRB’s supervisory approach to third-party risk management.
The 2023 guidance’s principles-based approach to identifying and mitigating risks in third-party relationships is generally consistent with previous guidance dating back to the OCC’s 2000 advisory letter, if not earlier, and includes a “risk management life cycle” framework the OCC has used since at least 2013.
The guidance released in 2000, 2001, 2013, 2020, and 2023 isn’t the only source of information on how regulators view and evaluate third-party relationships, including bank/fintech partnerships and relationships now referred to as “banking-as-a-service” or “embedded finance.”
Regulatory guidance and enforcement actions against payday lenders and their “rent a bank” partners in the early 2000s, regulatory consent orders with The Bancorp Bank and MetaBank (now Pathward) in the early 2010s, Cross River’s 2018 consent order, and CBW’s 2020 consent order, among others, all touch on risks posed by third-party relationships and provide guidance on the necessary frameworks to mitigate such risks.
Now, the OCC, FDIC, and FRB have published a new guide designed to “assist[] community banks when developing and implementing their third-party risk management practices.” The guide clarifies that (spacing adjusted, emphasis in the original):
Engaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.
A community bank may engage an external party to conduct aspects of its third party risk management. However, the bank cannot abrogate its responsibility to employ effective risk-management practices, including when using a third party to conduct third-party risk management on behalf of the bank.
Industry stakeholders hoping for a “rule book” may be disappointed, however, as the agencies note that the “guide is not a checklist and does not prescribe specific risk-management practices or establish any safe harbors for compliance with laws or regulations.”
The guide raises potential considerations and sources of information to address such considerations across each stage of the third-party relationship lifecycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
Examples of suggested areas of consideration include:
• What legal and compliance requirements will apply to the prospective third-party activities?
• What risk-management and governance practices (including internal controls) will be necessary to manage and mitigate the potential risks?
• What interaction will the third party have with customers, and how would customer complaints be handled?
• What third-party policies, processes, and internal controls support performance of the service in alignment with the bank’s expectations and standards?
• Has the third party demonstrated an ability to comply with applicable laws and regulations, including anti-money laundering and countering the financing of terrorism (AML/CFT) as well as fair lending and consumer protection laws and regulations (as applicable)?
• Is the third party involved in ongoing litigation or other public matters of concern?
• To what extent does the contract enable the bank to obtain timely information it needs to perform adequate ongoing monitoring, demonstrate compliance with applicable laws and regulations, and respond to regulatory requests?
• What continuity plans, processes, and controls will the third party maintain to ensure contract adherence, including recovery time and recovery point objectives?
• Do audit and test results indicate the third party is managing risks and meeting contractual obligations and regulatory requirements effectively?
• How will the termination affect the bank’s operations and its compliance with applicable laws and regulations?
• How will the bank manage risks associated with the termination or migration, including the impact on customers?
• How do documentation and reporting enable the bank’s board of directors to consistently oversee third-party risk management?
• Has the bank accurately assessed the resources required (including level and expertise of staffing) to manage third-party risks?
And suggested sources of information include:
• The bank’s human resources staff to assess whether management and staff have the expertise and capacity to manage the relationship.
• The bank’s technology infrastructure and staff to assess how readily it could integrate with a third party to support the new activity.
• Independent reviews of the effectiveness of those policies and procedures, including AML/CFT.
• The third party’s staffing levels and qualifications to assess whether the third party’s resources can fulfill its obligations to the bank, including those of principals and other key personnel related to the activity.
• Internet searches of the third party’s company name to determine whether it has been partnered with institutions subject to consent orders related to third-party transactions or conducts business with companies that misrepresent deposit insurance coverage.
• Contract provisions outlining the bank’s access to the third party’s audit, testing, and self-assessment reports for ongoing monitoring.
• Audits and reports to confirm the third party’s compliance with all applicable laws and regulations.
• Public filings, news articles, social media, and customer feedback about experiences with the third party.
• Assessments of the bank’s systems, processes, and human resources to determine whether the bank has the capability, resources, and time to transition the activity to another third party or bring the activity in-house with limited disruption to the bank’s operations.
• The bank management’s periodic reporting to the board of directors on third parties that support higher-risk activities, including critical activities.
Imagine If Banks Had Asked These Questions About Their BaaS & Fintech Partners To Begin With?
One wonders if anything would have turned out differently, had banks like Sutton, Blue Ridge, or Evolve asked these kinds of questions before agreeing to let firms like Cash App, Unit, or Synapse perform critical, regulated functions on their behalf.
The latest guidance is helpful to the extent that it reiterates and provides additional context and examples of what has long been both the law and the position of federal banking supervisors: ultimately, regulatory liability lies with the chartered institution.
Still, current regulatory guidance could, perhaps, be improved by distinguishing between different types of third-party relationships.
For instance, the guidance could distinguish third parties providing services to a bank — like a cloud computing provider, card printer, or mailing house — from third parties that are operating through or on behalf of the bank, as middleware intermediaries historically have and customer-facing fintechs or brands continue to do.
And those hoping for a rule book specifying “do’s and don’ts” of banking-as-a-service may need to resign themselves to the realities of principles-based regulation and draw insight from how regulators are messaging on these matters: through guides, like the one released last week, and, yes, from public enforcement actions.
We Now Know Chime Has Seven Million Users. How Does That Stack Up?
Earlier this year, industry vet Ron Shevlin made waves when he suggested neobank Chime had 38 million users, and that “about half,” which would be around 19 million, considered Chime to be their “primary” account.
The number, based on Cornerstone’s survey research, sounded implausibly high, given it would mean 15% of US adults had a Chime account and more than 7% of US adults considered it their primary account, but, absent concrete numbers from the source, many took the number at face value.
Now, in an exclusive with Forbes (paywalled), Chime cofounder and CEO Chris Britt reveals the neobank has “seven million customers using its cards for $8 billion a month in transactions.”
Of the seven million, “most” have a recurring direct deposit linked to their Chime account, the company says.
Other interesting nuggets from the piece include that Chime earned $1.3 billion in revenue in 2023, that the company still has about $900 million in cash from prior fundraises, and that it is gearing up to offer 3-6 month installment loans of up to $1,000 at rates up to 36% APR.
Industry watchers zeroed in on the number of users, revenue, and monthly card spend. So, how do those stack up to companies serving a similar segment of consumers, like Block’s Cash App, Dave, MoneyLion, and Varo?
First, it’s worth noting there are numerous caveats and that none of these are a perfect comparison. Cash App is, first and foremost, a peer-to-peer payment app, which is also part of Block’s larger product-and-service ecosystem.
Dave and MoneyLion both initially focused on cash advance products, adding neobanking functionality later; MoneyLion also operates an affiliate marketing platform, offering third-party products, users of which the company includes in its metrics, though they may not have a direct or ongoing relationship with MoneyLion.
Varo, bank charter notwithstanding, is arguably the best comp for Chime.
Additional caveats and clarifications on the metrics above: Chime’s estimated valuation is from the Forbes piece; Cash App’s valuation on a standalone basis isn’t known, so I’ve omitted it here; Varo’s $1.8 billion valuation is based on the $50 million round led by Warburg Pincus in February 2023; and total VC raised is based on Crunchbase data.
The preoccupation with number of “users” or “active users” is particular to fintech — this isn’t a metric you frequently tend to hear about in bank earnings calls. Given fintech’s roots in VC and, well, tech, the preoccupation with user numbers makes enough sense — the historic startup playbook for consumer apps has been to get big, fast, and worry about monetization and unit economics later.
But in financial services — or any business, really — number of users, as a standalone data point, is a vanity metric.
Lacking other context, like cost of acquisition and revenue per user, a user number means little.
Particularly when many fintech companies, including Chime, have historically spent lavishly on marketing, including on referral bonuses costing the company as much as $200 per new user acquired.
Industry reaction to the limited data points revealed in the Forbes piece was generally positive, with some hoping Chime could be a blockbuster IPO validating the now démodé US consumer fintech sector.
Chime is unquestionably a better product for low-income consumers than what has historically been offered by money-center banks — the “no-fee” proposition and pioneering 2-day early pay resonated with disaffected consumers used to getting hit with overdraft, minimum balance, and NSF fees (Chime does charge out-of-network ATM fees and encourages users to “tip” for its no-fee overdraft).
But as other startups copied these features, and as big banks responded to the shifting competitive environment (and regulatory pressure), Chime’s differentiation has eroded. Major banks like Capital One now offer no-fee accounts that offer 2-day early pay and no-fee overdraft but also boast features Chime doesn’t offer, like physical branches, Zelle, and a larger ATM network.
This is all to say, if the question is, is Chime a fintech “success story,” I’ll opt to wait until we have the fuller picture of the company’s business provided by an S-1, if and when it IPOs, before passing judgment.
Small Merchants “Sell Out” Larger Merchants in Visa/Mastercard Settlement, Walmart Argues
In the latest twist in litigation that dates to 2005, the National Retail Federation and the Retail Industry Leaders Association, Walmart, and Target are seeking to block a proposed settlement that would resolve the nearly 20-year-old class action suit against Visa and Mastercard.
The proposed settlement would reduce interchange fees by 0.04 percentage points for three years and ensure an average rate at least 0.07 percentage points below the current average for at least five years.
Visa and Mastercard also would agree to allow merchants to offer discounts or assess surcharges and cease imposing “anti-steering” rules.
But large merchants aren’t happy, arguing the named plaintiffs in the case, which are smaller businesses, don’t adequately represent larger merchant members of the class, like Target and Walmart.
The larger merchants argue that the concessions on interchange are borderline meaningless, especially to larger merchants, as they may have business models or contractual constraints that prohibit them from taking advantage of elements of the relief contemplated by the settlement and because default interchange rates disallow large merchants from negotiating directly with card issuers, and that the settlement would do nothing to prohibit networks from raising other fees.
Large merchants, like Walmart, seem to particularly dislike the “honor all cards” requirement, which the settlement would leave intact. Walmart argues in its filing that (emphasis added) “the Small Local Merchants possess antagonistic interests that caused them to sell out the interests of the Large National Merchants in obtaining relief from the anticompetitive Honor All Cards rules.”
Target raised similar issues in its own filing, saying that “[t]he Class that was supposed to dismantle the [Honor All Cards and default interchange] Rules now, incredibly, has agreed to an affirmative statement that Defendants have a ‘right’ to set prices for thousands of member banks.”
The settlement, should it be accepted by the court, would prevent Target from separately pursuing its own claims for the underlying causes of action, leading to Target arguing that the “settlement also does not dismantle the unlawful horizontal agreement imposed by the HAC rules; instead, class members will be forbidden to challenge those rules for five years, destroying the Target Plaintiffs’ statutory right to an injunction against these rules if they prevail at trial.”
Additionally, Target’s filing characterizes the proposed settlement as blessing Visa and Mastercard’s “brazen price fixing,” saying, “It bears emphasis: what the class touts as ‘rate relief’ is a brazen price fixing agreement that the Defendants—and the Class—want the Court to immunize from antitrust consequences.”
For its part, the filing by industry trade groups the National Retail Federation and the Retail Industry Leaders Association also raises the Honor-All-Cards and default interchange issues, saying that “the proposed settlement agreement fails to redress the core of Defendants’ antitrust violations: the Honor-all-Cards and Default Interchange rules.”
FT Partners: Monthly Deal Activity & Insights
Deal flow has picked up from the winter lull, with April notching $4.7 billion in global fintech funding announcements across 313 deals, in a hopeful sign that the funding environment, especially for earlier-stage fintechs, has stabilized.
Other Good Reads
FDIC Argues Silicon Valley Bank's Parent Company “Aided and Abetted and Conspired” in Breaches of Fiduciary Duties by SVB Directors (Bank Reg Blog)
Stripe: Always Forward (Batch Processing)
Are Community Banks Getting Squeezed Out Of Existence? (Ron Shevlin/Forbes)
I Believe The Merchants Are Our Future (Fintech Takes)
The State of Crypto Is Anything But Strong (Bloomberg Businessweek)
Federal prosecutors are examining financial transactions at Block, owner of Cash App and Square (NBC News)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571