CBW Fights FDIC's $20.5 Million Penalty That Could "Imperil" Its Existence

2024 Predictions: Graded, CFPB Sues Walmart & Branch

Jan 05, 2025

Hey all, Jason here.

After a relaxing end-of-year holiday to visit family in Mexico, this missive should be arriving in your inbox while I’m in flight back to the Netherlands — though I’ll only be there briefly. I’ll be kicking off my 2025 travel season with a *very* brief trip to London, followed by New York later this month, and then out to Salt Lake City to speak at the Fintech Xchange event.

I’m also excited to host the third installment of the Taktile Expert Talks series, focusing on emerging scam and fraud threats in the small business space. More info on this below.

Last but not least, my book, Banking as a Service: Opportunities, Challenges & Risks of New Banking Business Models, is now officially available — and, thanks to the support of readers like you, ranked as the #1 best seller in banking on Amazon!

If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!

Subscribe or Upgrade to Paid

Get Ready For a Massive 2025 with Fintech Meetup!

Sponsored content: It’s time to get ready for a huge 2025: join thousands Fintechs and FIs for the ecosystem event of the year on March 10-13 at the Venetian, Las Vegas.

You’ll be part of the industry's largest, most productive, and highest-rated meetings program. Don’t miss your chance to connect in over 60,000 meetings with banks, credit unions, fintechs, investors, and professional services firms. Sign up now and secure your spot.

The event will feature a carefully curated agenda packed with insights into the future of fintech. You’ll hear from industry visionaries like Kathleen Peters, Chief Innovation Officer at Experian, Eric Sager, COO at Plaid, and Kate Walton, MD & CCO at Merchant Payments, JPMorgan Chase & Co.

Whether you’re a start-up pitching for investment, an exhibitor unveiling cutting-edge AI solutions, or a financial institution developing the next-gen digital platform, Fintech Meetup 2025 is THE place to be this Q1.

Get Your Ticket

CBW Fights FDIC's $20.5 Million Penalty That Could “Imperil” Its Existence

The FDIC made its last public release of enforcement actions for the year on Friday, December 29th.

The thirteen enforcement decisions and orders include a notice of assessment of civil money penalty against $73 million-asset CBW, once known as Citizens Bank of Weir.

The FDIC is seeking a $20,448,000 penalty stemming from the bank’s alleged AML/CFT failures (Bank Reg Blog previously discussed this proposed fine here.)

The small Kansas bank was acquired in 2009 by Google veteran Suresh Ramamurthi and his wife, Suchitra Padmanabhan, a former Lehman Brothers banker, during the fallout from the 2008 global financial crisis.

The pair had the goal of turning the then-$7 million asset bank into a major hub for financial technology innovation, but, by early 2024, began looking for a buyer for the bank, Fintech Business Weekly exclusively reported at the time.

CBW assets by year. Data from FDIC call reports.

The effort to find a buyer came after CBW entered into a consent order with the FDIC in August 2020, related to gaps in its anti-money laundering controls.

As part of that order, CBW agreed to wind down its business line serving foreign financial institution customers, including funds transfer, remote deposit capture (RDC), US dollar repatriation, money services business (MSB) remittances, ACH transfers, transfers to or from foreign central bank accounts, and all activities related to domestic MSBs until the FDIC determined the bank made sufficient progress to exit the order.

Now, the FDIC has assessed a nearly $20.5 million penalty stemming from alleged violations of the Bank Secrecy Act and its implementing regulations during a review period spanning from approximately December 2018 to August 2020.

According to the FDIC’s findings, CBW provided correspondent banking services to more than 30 foreign financial institutions, six money services businesses, and other businesses providing financial services to individuals and entities in Central and South America, Europe, Africa, and the Middle East.

Although CBW has continued to serve local retail and business customers since its acquisition in 2009, the bulk of its earnings have come from the fee-based banking services it provides.

For the year through the end of Q3 2024, nearly two-thirds of the bank’s revenue came from non-interest income, its most recent call report shows.

CBW net income (loss), return on equity, return on assets by year. Data from FDIC call reports.

CBW Moved Billions For Banks In High-Risk Jurisdictions

The CMP provides additional detail on the gaps in CBW’s AML/CFT compliance program that led to the fine.

Although the FDIC raised concerns about deficiencies in the bank’s 2017 report of examination, the 2020 consent order, and subsequent 2022 and 2023 reports of examination, CBW failed to correct many of the issues identified, the regulator says.

The order provides a number of concrete examples from CBW’s various lines of business, including:

US dollar repatriation. CBW provided bulk cash services for five Mexico-chartered banks and an MSB, which, according to the CMP, “are a major concern for U.S. law enforcement because they are often associated with money laundering in connection with drug trafficking activities.” CBW used a homegrown software system, dubbed Context Engine, for much of its AML/CFT compliance, including for bulk cash transactions. But, the FDIC says, CBW made critical errors that undermined the integrity and accuracy of the review process, including failing to do “any analysis of where the funds deposited were wired to or from, or the identity of wire counterparties to identify potentially suspicious patterns or activities.”
International wire services. In 2018 alone, CBW processed more than $27 billion in wire transactions for foreign financial institutions, including for Mexican banks that participate in that country’s dollar-denominated payment system, SPID. During the review period, CBW also provided correspondent wire services to foreign financial institutions located in higher-risk jurisdictions like Lebanon, Brazil, and Cyprus. But, CBW’s Context Engine system often failed to detect suspicious transaction and, sometimes, when it did, CBW failed to act, the FDIC alleges. Critically, Context Engine was only used to screen discrete, individual transactions and did not evaluate aggregated transaction data or recurring transactions, the filing says. CBW further failed to take into account institutional wire customers’ use of concentration accounts to initiate transfers between low and high risk jurisdictions and thus did not appropriately monitor this activity, the FDIC says.
Remote deposit capture. CBW processed significant volumes of checks for foreign financial institutions and MSBs, including approximately $461 million worth in 2018, leveraging both Context Engine and manual processes to assess financial crime risk. However, according to the FDIC, CBW’s manual reviews focused primarily on operational issues, like errors or missing information, rather than money laundering or terrorism financing risk. Context Engine, the automated system, was entirely retrospective and only analyzed transactions by institution in a given month — failing to account for individual customers who used multiple institutions or multiple services from the same institution, the FDIC says.

CBW’s approach to customer due diligence and independent testing were insufficient and ineffective, the FDIC says. While the bank collected information, such as beneficial ownership declarations, articles of incorporation, service contracts, audits, and financial reports, it failed to do any meaningful analysis of this information.

Despite previous reports of examination and the 2020 consent order, the bank continued this practice of limited due diligence on new customers and expanded business lines through at least 2022.

While CBW did engage external auditors, the FDIC alleges this independent testing of the bank’s BSA compliance was “too limited and lacked sufficient detail in connection with the testing methods and data for the tests to provide a meaningful evaluation of [CBW]’s AML/CFT compliance program.”

For example, CBW’s independent auditor sampled just 10 wires for review in 2018, despite the bank processing more than 60,000 wires that year.

CBW employed two BSA Officers during the review period — neither of which possessed the requisite experience, authority, independence, or resources to do their job effectively, the FDIC alleges.

The first BSA officer had no experience in banking and, the FDIC says, was “unfamiliar with basic concepts such as concentration account risks and failed to monitor customer accounts for suspicious activity in wires.” According to the CMP, the unnamed employee “admitted to the FDIC he was not qualified for the role when hired.”

CBW’s various BSA Officers also lacked the authority to unilaterally file legally required suspicious activity reports, which instead were determined by a committee that included the BSA Officer, the VP/Cashier, the VP of Correspondent Banking, and the President of the Bank. The President told FDIC examiners that the bank “needed to keep its customers’ interests in mind when considering whether to file SARs.”

The FDIC also alleges that CBW failed to file SARs in a timely manner during and after the review period, including as recently as 2023.

CBW Says $20.5 Million Fine Could “Imperil” Its Financial Viability

Given CBW’s small size, the approximately $20.5 million fine poses a potentially existential risk to the bank.

CBW posted net income of just $2.7 million in 2023, making the fine equivalent to more than seven years’ earnings, based on the bank’s 2023 performance — and that doesn’t take into account the prospects of higher costs and/or reduced revenue as CBW works to remediate regulators’ concerns.

In fact, CBW acknowledges in its lawsuit seeking a preliminary injunction that the amount of the fine could “imperil” its financial viability.

A motion CBW filed in US District Court in Kansas seeks an order enjoining the FDIC and its administrative law judge from carrying out administrative proceedings against the bank, arguing the process “unconstitutionally deprives CBW of its Seventh Amendment jury rights.”

CBW’s motion makes a similar argument to the ultimately successful one raised in the recently decided Supreme Court case SEC v. Jarkesy, but, the FDIC argues in its response filed in late December, the bank is unlikely to prevail for multiple reasons — the first being that the law specifically prohibits courts from interfering with an FDIC enforcement proceeding.

Per 12 U.S.C. § 1818(i)(1), “no court shall have jurisdiction to affect by injunction or otherwise the issuance or enforcement of any notice or order under any such section, or to review, modify, suspend, terminate, or set aside any such notice or order.”

The jurisdiction claim notwithstanding, the FDIC argues it is entitled to adjudicate the claim without a jury under the long-established “public right exception,” an important difference vs. the Jarkesy case.

In Jarkesy, the Supreme Court ruled that the underlying securities fraud case did not fall into the public rights exception, as the claim did not fall into a “distinctive area[] involving governmental prerogatives where . . . a matter may be resolved outside of an Article III court, without a jury.”

In CBW’s case, the FDIC argues that matters relating to federal banking regulation and enforcement actions, including the civil money penalties like the one it is seeking against CBW, clearly fall within the public rights exception, as bank failures draw down the Deposit Insurance Fund. While the DIF is funded from assessments insured depositories pay, it is backstopped by the FDIC’s authorization to borrow from the US Treasury.

The regulator’s motion further argues there is a second, independent reason the public rights exception should apply: the FDIC’s enforcement of the BSA is not rooted in “common law soil,” but rather is a “novel claim” that is “unknown to the common law.”

Todd Baker, Senior Fellow at Columbia University’s Richman Center for Business, Law and Public Policy, described CBW’s motion seeking a preliminary injunction as “a test case on the limits of the Jarkesy case from earlier this year in bank regulatory context.”

Baker suggested the FDIC has a strong counterargument, saying, “The alleged violations of anti-money laundering rules appear to be purely public matters with no parallel under common law, so the FDIC is in a strong position to argue that the Jarkesy case is inapplicable under the public rights exception.”

However, Baker noted that, “In ordinary times, the outcome would be clear and the FDIC would win. But as the current Supreme Court seems dedicated to eliminating the so-called ‘Administrative State,’ nothing is certain.”

Michele Alt, cofounder of regulatory advisory firm Klaros Group and a 22-year veteran of the OCC, pointed out the potential consequences should CBW’s effort succeed. Alt warned of potential resource issues at agencies.

Although federal banking regulators have the authority to bring actions in federal court, they currently have far more enforcement attorneys, who focus on internal administrative enforcement actions, compared to litigation attorneys experienced in bringing and defending actions in court, Alt told Fintech Business Weekly.

Alt also flagged that, if CBW prevails, the calculus of whether to agree to settle a matter through a consent order or fight in court would likely change, with the government’s ability and willingness to expend resources litigating and the bank’s perceived likelihood of success at trial coming to bear on the decision.

Representatives for CBW did not provide a comment on the matter prior to the time of publication.

2024 Predictions: Graded

Each year, I undertake the mostly tongue-in-cheek exercise of making predictions. Now, it’s the time of year to see how I did.

Unsurprisingly, the first prediction I made was regarding the banking-as-a-service space.

With 2023 already seeing a consolidation in the middleware space, with FIS acquiring Bond (a scoop first reported by Fintech Business Weekly) and Fifth Third acquiring Rize, I didn’t exactly go out on a limb when I predicted there would be additional consolidation in the space.

Specifically, I predicted: Synapse and Solid each stick it out for as long as they can, but ultimately wind down, for one reason or another, before the end of 2024.

I’m going to give myself an “A” on this one. Synapse certainly did “wind down,” though under circumstances and in a process I don’t think anyone could have anticipated.

My second BaaS-related prediction, also not too much of a leap, was that regulatory repercussions for BaaS banks would continue.

Specifically, I predicted: If I had to pick a number, let’s say at least four BaaS/partner-bank-related public enforcement actions in 2024 — most likely focused on BSA/AML compliance, but perhaps also fair lending or consumer protection.

I’ll go ahead and give myself an “A+” here. Last year saw Blue Ridge get hit with a second enforcement action, which deemed the bank to be in “troubled” condition; Choice Bank, which has worked with fintechs like Mercury and middleware platform Unit, entered into a consent order with its regulators over gaps in its AML/CFT compliance; Lineage, a partner to middleware platforms Synctera and Synapse, entered into a consent order with the FDIC, and its holding company subsequently reached an agreement with the Fed; Evolve Bank & Trust, perhaps the most prolific (and problematic) fintech partner bank, entered into a wide-reaching consent order; Thread, another popular BaaS bank and Unit partner, entered into a relatively narrowly-tailored consent order; and Customers Bank was hit with an enforcement action related to its “novel” activities.

That makes at least six (or seven, if you count both of Lineage’s orders) BaaS bank enforcement actions in 2024.

In non-BaaS-related predictions, I’ve long had my eye on the risks of credit builder products, and thought 2024 might be the year regulators, particularly the CFPB, took action against the burgeoning category.

Specifically, I predicted: At least one consumer fintech is the subject of a legal or regulatory action due to its business practices in relation to a credit building product — with the most likely regulatory issues being UDAP/UDAAP- or FCRA-related.

I’ll have to give myself an “F” here, as I’m not aware of any regulatory actions specifically addressing credit builder product structures, furnishing practices, or marketing claims.

There’s no doubt AI has been an inescapable trend in 2024. Many in the financial services industry and those that regulate it have been struggling to wrap their arms around the implications of emerging artificial intelligence capabilities — both how FIs can benefit from them and the risks they may pose.

Specifically, I predicted: When it comes to the current wave of generative AI, including large language models, the most likely place for them to show up this year is in customer service channels or in providing PFM-like tools — indeed, some fintechs are already experimenting with both of these.
On the flipside, I expect the use of genAI to execute fraud and scams to balloon this year — whether to induce authorize push payment fraud or to impersonate users to gain access to financial accounts, I fear the industry is woefully unprepared.
On the legislative/regulatory side, I’d expect to see growing scrutiny of the use of AI models in financial services, especially of potential bias or disparate impact to certain classes when it comes to things like fraud screening and credit scoring.
Expect at least one fair lending enforcement action related to AI.

I’ll give myself a “B+” on this one. There have definitely been a number of fintechs out front on AI adoption (or at least loudly positioning themselves that way).

The CEO of Klarna, which is in the run up to its IPO, has repeatedly made headlines by claiming the company has been able to stop hiring new employees and plans to replace a sizable chunk of its workforce with AI. AI tools have given scammers and fraudsters new capabilities and the ability to further scale their efforts. Regulators continue to grapple with the implications of AI in financial services, though I don’t believe there has been a fair lending-related enforcement action that involved AI (yet, at least.)

Apple’s slow-motion breakup with its partner on the Apple Card, Goldman Sachs, has been in process for sometime. At the beginning of the year, although I realized at the time it wasn’t the most likely outcome, I imagined an outcome where Apple took more control over the project, insourcing additional capabilities and shifting to an operating model more akin to a fintech/partner bank relationship.

Specifically, I predicted: what if Apple took a much larger role in running its card program — working with a BIN sponsor and taking over the role of program manager itself, rather than a cobrand arrangement more typical of big brands like airlines or hotel chains? It would give Apple greater (though still not total) control — an area that was clearly a point of contention in the relationship with Goldman. And Apple would get a greater share of the economics to boot.

I’ll have to give myself an “F” here as well. Not only has this not come to pass, but Apple is still working with Goldman, as the companies seek to negotiate the breakup and Apple works to find a new issuing partner. There has been public reporting that JPMorgan Chase may take over the program from Goldman. And on Apple’s buy now, pay later offering, Apple Pay Later, the company reversed course, shutting down its homegrown offering, in favor serving as a distribution platform and partnering with BNPL providers like Affirm and Klarna.

I also predicted Goldman would sunset the Marcus brand but continue offering its popular savings accounts under the Goldman name.

Specifically, I predicted: By the end of 2024, Goldman has substantially completed its dismantling of its consumer business and sunsets the Marcus brand — but holds on to the online savings accounts, folding them under the Goldman Sachs name.

Also an “F” here. The Marcus brand continues to limp on, offering savings accounts, CDs, and (for now) General Motors cobranded credit cards.

Last but not least, I predicted the fintech IPO window would reopen in 2024.

Specifically, I predicted: Apex Fintech Solutions (previously Apex Clearing) has already confidentially filed to go public so, baring unforeseen circumstances, that seems likely to happen. My next-best guesses are Stripe, Chime, and Klarna IPO, but below their peak private market valuations. Plaid is also a good candidate for IPO and, last valued at $13.4 billion in 2021, has a shot at debuting above that number. Revolut will probably talk about IPOing, but I doubt that will happen this year.

I suppose this one is also an “F.” Publicly traded fintechs have certainly seen their valuations rebound, though they are still off highs reached in 2021. Apex, despite filing to do so, did not complete its IPO in 2024. Klarna, Chime, and Plaid have all progressed towards being “IPO-ready,” but none did so last year.

Here’s hoping to a friendlier market for fintechs seeking to go public in 2025.

CFPB Sues Walmart and Branch For Alleged UDAAP, TISA, EFTA Violations

The CFPB was busy over the holiday season, as Director Chopra’s tenure, presumably, nears its end.

Among other year-end rulemaking and enforcement actions, the bureau filed suit against retail giant Walmart, the largest private employer in the United States, and a fintech service provider, Branch.

Branch offers workforce payment solutions, including handling payouts for both 1099 and W2 employees, tips, earned wage access, and payroll cards. While Branch partners with troubled Evolve Bank & Trust to provide these services, including deposit accounts, the CFPB did not name Evolve in the complaint, commenting in the press release announcing the action:

This is the CFPB’s first action against a fintech partner of Evolve Bank & Trust related to a deposit product. The CFPB previously filed a lawsuit against SoLo Funds, another Evolve Bank & Trust fintech partner, in the short-term, small-dollar loan space. The Federal Reserve Board issued an enforcement action against Evolve in June, finding the bank failed to properly police its fintech partners.

The enforcement action stems from Walmart’s Spark Driver program, which employs drivers on an independent contractor basis to operate the company’s “last mile” delivery fleet.

The CFPB’s complaint alleges that Walmart and Branch opened accounts on drivers’ behalves without their authorization, deposited drivers’ earnings into Branch accounts without their permission, and required drivers to use Branch accounts or face termination.

The bureau further alleges that Walmart and Branch misrepresented that Branch accounts would give drivers “instant access” to their pay, when, in reality, drivers often experienced delays in accessing their earnings or were required to pay fees to transfer funds out of their Branch account. According to the complaint, drivers paid more than $10 million in such “junk fees” to instantly transfer their earnings to an account of their choice.

Branch also deceived users about their ability to stop payments or make certain kinds of transfers from their accounts, the bureau alleges.

The CFPB’s suit alleges Walmart and Branch violated the Consumer Financial Protection Act’s prohibition of unfair, deceptive, and abusive practices; the Truth in Savings Act and its implementing Regulation DD; and the Electronic Funds Transfer Act and its implementing Regulation E.

The bureau is seeking to enjoin Walmart and Branch from further violations of the law, monetary relief, civil money penalties, and additional relief as the court may deem appropriate.

Is Your Organization Prepared For The Latest SMB-Related Fraud & Scam Threats?

Fraud and scams aren’t just a consumer problem.

In fact, the risk and the dollar amounts in play when businesses are involved can be orders of magnitude higher than consumer fraud and scams. Yet, the robustness of data and tooling to help banks and fintechs combat SMB fraud and scams often lag what’s available for consumer use cases.

In this installment of Taktile Expert Talks, we’ll bring together industry experts Jonathan Awad, cofounder and CEO of Baselayer, Chris Tremont, chief digital officer of Grasshopper Bank, Anchit Singh, chief business officer of Fundbox, and Alex De Jesus, Head of Fraud Management at Ramp, to discuss emerging threats in the space and how their organizations are staying ahead of them.

Start your 2025 off right by getting up-to-date on the latest threats facing small and medium-sized businesses and the financial institutions that serve them.

About Fintech Business Weekly

Looking to work with me in any of the following areas? Email me.

Now available: buy my book, Banking as a Service: Opportunities, Challenges and Risks of New Banking Business Models, here
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571

Fintech Business Weekly