Breaking: Thread Bank Latest BaaS Enforcement Action
Thread, Previously Known As Civis, Has History Of Regulatory Actions
Hey all, Jason here.
Yes, again, on a Friday — FDIC enforcement actions are typically made public on the last Friday of the month. For those hoping for deeper analysis of the Evolve hack, stay tuned for Sunday’s newsletter. In the meantime, you can keep up with the latest by following me on X and LinkedIn.
Thread Bank Latest BaaS Enforcement Action
Thread Bank, another popular partner bank, has become the latest to receive an enforcement action from its primary federal regulator, the FDIC.
The bank supports at least 35 fintech programs, most of which offer business bank accounts, both directly and via middleware intermediary Unit.
This makes the fourth bank associated with Unit to get an enforcement action. Previously, Blue Ridge Bank, Choice Bank, and Piermont have all received consent orders, though, it’s worth noting, each of those banks worked with other fintech partners besides Unit, and it isn’t clear to what extent, if any, Unit contributed to those banks receiving enforcement actions.
After Blue Ridge’s enforcement actions, many of the Unit programs that had been on Blue Ridge migrated to Thread.
Thread’s Troubled History Of Enforcement Actions
Thread Bank wasn’t always known by that name — until around 2022, before a new management team took over, the bank was known as Civis.
The bank has a history of regulatory issues. In 2015, it received a cease and desist order from the FDIC, stemming from unsafe or unsound banking practices relating to weaknesses in capital, asset quality, liquidity, and earnings.
Civis was required to formulate and submit for the FDIC’s review and comment a written profit plan, including a realistic budget, designed to improve the bank’s profitability.
The bank was further instructed to develop and submit to the FDIC for review and comment a three-year strategic plan, including an assessment of the bank’s financial condition and an operating plan that formed the basis for projected income and expenses.
The cease and desist also required Civis to increase its Tier 1 Leverage capital ratio to 8% or greater and maintain a Total Capital ratio of 12% or greater by issuing new equity, the contribution of cash from existing shareholders, receipt of income tax refund, or other approved methods.
The bank was prohibited from declaring or paying any dividends, which would reduce its capital ratios, without regulatory approval.
The FDIC also took issue with Civis’ lending practices, requiring it to charge off assets or portions of assets classified as “Loss” by the FDIC or Tennessee state regulator and prohibiting it from extending credit to certain borrowers.
Additional requirements of the 2015 order included:
maintaining reasonable allowances for loan losses
maintaining a loan review committee
formulating a plan to manage concentrations of out-of-area retained and unguaranteed SBA and USDA loans
reviewing and making necessary revisions to its asset-liability and liquidity management plans
seeking regulatory approval before entering any new line of business
standing up a committee to oversee compliance with the cease and desist order, which was required to have at least four non-employee directors
Yet less than six months later, Civis received a type of emergency order known as a Prompt Corrective Action (PCA).
That order deemed Civis to be undercapitalized, as its capital levels were:
Leverage Capital Ratio 4.23%
Tier 1 Capital Ratio 6.23%
Common Equity Tier 1 Capital Ratio 6.23%
Total Capital Ratio 7.48% (per the 2015 cease and desist order, this metric needed to be 12% or higher)
Despite being notified by the FDIC on February 25, 2016, that the agency intended to serve it with the PCA, the bank did not respond in the required timeframe.
The prompt corrective action required Civis to:
increase its capital to an “adequately capitalized” level
submit a capital restoration plan
The order specified that if the bank wasn’t able to improve its capital position, it would need to immediately take steps to be acquired by or merge with another institution.
Despite this mandate, Civis failed to remediate its inadequate capitalization and received a second prompt corrective action in June 2018. That order noted that, as of the end of Q1’18, Civis had the following capital ratios:
Total Capital Ratio is 5.90%
Tier 1 Capital Ratio is 4.64%
Common Equity Tier 1 Capital Ratio is 4.64%
Tier 1 Leverage Capital Ratio is 3.08%
The 2018 PCA noted the bank was significantly undercapitalized and warned that “[t]he Bank’s capital condition continues to rapidly deteriorate.”
According to the order, “Bank management has not demonstrated the ability to return the Bank to a safe and sound condition.”
Civis Becomes Thread — And Grows Quickly
In mid-2021, Civis announced a $47 million recapitalization, led by Patriot Financial Partners and Hermann Companies. Following the recapitalization, the outstanding regulatory actions were terminated as of November 2021.
With the recapitalization came a new management team — and a new strategy.
Chris Black, previously a senior executive at Franklin Synergy Bank, joined as CEO of Civis, soon to be renamed Thread. John Bearden, previously of Renasant Bank, joined as Chief Banking Officer.
If Franklin Synergy sounds familiar, it may be because that bank was founded by the same family, the Herringtons, that would go on to acquire Lineage Bank, which earned a consent order stemming from its partnership with now-bankrupt middleware intermediary Synapse.
The new management team leaned in to tech, with new CEO Chris Black telling local paper the Rogersville Review in 2021 (emphasis added) “[W]e’re technology-focused bankers with a lot of technology driven investors, so a lot of exciting things are in the works, which we think will be an amazing opportunity for our customers, both present and hopefully many future customers,” and new Chief Banking Officer Bearden emphasizing how the new team would “remov[e] a lot of friction in the business.”
In 2022, the bank, renamed Thread, was profiled in The Financial Brand, which wrote at the time that “Thread will be selective and only work with partners that have a leveraged distribution platform coupled with a customer base that will benefit from having banking products and services deployed into that platform.”
Black told the site that (emphasis added) “[w]hat really matters is transparency, integrity, partnership and risk management.”
Thread partnered with BaaS intermediary Unit and developed its own, direct relationships and quickly grew — currently, Thread appears to support at least 35 programs, based on reviews of site terms and conditions.
Of the 35 identified programs, at least 23 appear to be through Unit, based on disclosures on their sites.
Thread’s fintech partnerships have enabled it to grow astonishingly quickly: the bank’s assets grew by more than 630%, from less than $100 million to over $720 million from the end of 2020 to Q1’24, based on FDIC call reports.
But Thread, together with Unit, appears to have failed to scale controls to keep up with the rapid growth.
Despite the growing size of its balance sheet — and the sprawling complexity of the programs it supported — Thread only added 28 incremental employees from the end of 2021 through Q1’24. Thread currently employs just 65 people, according to its most recent call report.
A review of Thread and Unit’s shared programs initially conducted this March found that more than half had an easily identifiable potential compliance issue with how the customer-facing fintechs describe their products and/or deposit insurance coverage.
And, despite the rapid growth in programs and its balance sheet, Thread Bank has struggled to make a profit, posting losses in 2021, 2022, and 2023. The bank did turn a $256,000 profit in Q1’24, according to its most recent call report.
What’s In The Consent Order?
The latest enforcement action is relatively brief, at just ten pages. While it is less far-reaching than other recent enforcement actions against BaaS banks, it touches on many of the common themes, and appears to incorporate lessons learned from the still-ongoing Synapse bankruptcy.
Topic areas covered include BSA/AML, third-party risk management, liquidity management, access to timely and accurate information from fintech partners, “exit plans” for fintech partners, and documentation of banking-as-a-service and loan-as-a-service policies and procedures.
The key elements included in it are:
the Board must update the bank’s strategic plan to address examination findings and recommendations, financial goals, including pro forma statements for asset growth, capital adequacy, and earnings;
a profit plan to be submitted to the FDIC for review and comment consisting of goals and strategies for improving the earnings of the Bank and which is consistent with sound banking practices;
liquidity and funds management strategies for maintaining adequate liquidity including back-up lines of credit to meet unanticipated liquidity needs;
strategies to maintain internal controls; and support for Anti-Money Laundering/Countering the Funding of Terrorism (“AML/CFT”) program compliance.
the Board shall evaluate the bank’s performance against the profit plan and submit it for the FDIC’s review and comment within 30 days of each calendar year while the order is in effect.
the Board shall update the Bank’s Enterprise Risk Management Framework to address examination findings and recommendations.
the Board shall review and approve risk tolerance thresholds for individual financial technology (“FinTech”) partners based on an enterprise-wide financial analysis of each FinTech partner’s financial projections under expected and adverse scenarios.
the Bank shall review all policies and procedures, and where appropriate, revise them to reflect current objectives, strategies, practices and risk tolerances.
the Board shall assess the resources needed to oversee AML/CFT functions at the Bank, and provide for the designation of a qualified individual or individuals, with appropriate experience and training, responsible for coordinating and monitoring day-to-day compliance with the AML/CFT program.
the Bank shall develop, adopt, and implement a written plan (“AML/CFT Plan”) for the administration of the Bank’s AML/CFT Program designed to, among other things, ensure internal controls are sufficient to maintain compliance with AML/CFT laws and implementing rules and regulations and shall submit the plan for FDIC review and comment.
the Bank shall perform a money laundering/terrorist financing (“ML/TF”) Risk Assessment within 90 days and annually thereafter.
the Bank shall make any necessary adjustments to its written Customer Due Diligence (“CDD”) program, which shall include appropriate risk-based policies, procedures and processes for conducting ongoing CDD for new and existing customers and identifying those customers who pose a heightened ML/TF risk to apply appropriate risk-based monitoring and due diligence within 90 days of the order.
the Bank shall develop and implement effective processes, across all business lines, for identifying and monitoring unusual or unexpected activity in order to detect, investigate, and, if applicable, report suspicious activity within 60 days of the order.
in regard to the Bank’s BaaS Program business line, the third party risk management program shall address the level of risk and complexity of the Bank’s FinTech partners, and shall confirm, at a minimum:
Appropriate policies and procedures are in place to ensure that risks are properly identified, measured, monitored, and controlled;
A documented risk assessment of FinTech partners, specifically updating the risk assessment methodology and supporting documentation, is implemented and utilized;
A documented customer due diligence process is implemented to establish a customer profile and expected customer activity;
Information systems associated with FinTech partners provide timely and accurate information;
A documented process is implemented to monitor transactions for potential suspicious activity, including ACH transactions;
Any required suspicious activity reporting is completed within the timeframes required by the governing regulations;
The AML/CFT staff is adequately trained to identify suspicious activity;
Information required for the CIP is readily available;
Beneficial ownership information is documented and maintained, where required under applicable regulation;
A process to ensure third-party partners are meeting the requirements of the Bank’s AML/CFT program and policies; and
Develop and maintain an exit plan that at a minimum includes the following:
Identify how to monitor all FinTech relationships, including third, fourth, and fifth party providers, for service interruptions;
Detail steps in response process;
Define staffing requirements and respective roles;
Define customer notification of a service disruption and Bank’s response;
Identify any outside assistance necessary to implement the plan; and
Identify how external stakeholders and regulatory agencies will be notified.
the Bank’s BaaS and LaaS program policies and procedures should be thoroughly and completely documented, addressing, at a minimum, third party partner and customer approval requirements, due diligence processes, growth and stress modeling, ongoing AML/CFT compliance monitoring, and steps to unwind third-party business lines, including FinTech partners, within 120 days of the order.
the Board shall review and address liquidity and funds management.
the Board shall address and correct any violations of law and regulation noted in the Report of Examination.
Representatives for Thread did not respond to a request for comment sent early this morning.
Representatives for Unit did not respond to a request for comment sent around 6:00pm ET on Thursday, June 27th.
After the time of publication, Chris Black, CEO of Thread Bancorp, provided a statement which said in part, “[W]e remain steadfastly committed to collaborating with regulators at the state and federal levels because we believe the regulatory framework is necessary, when conducted properly, and can help create a strong banking system for consumers and small businesses. As such, we are dedicated to meeting all obligations, and we have already made substantial investments to improve our policies, processes, procedures and controls over the past three years.”