Metropolitan Faces $30M Fed & NYDFS Enforcement Action
Metropolitan Faces $30M Fed & NYDFS Enforcement Action
Sendwave Enters Consent Order Over Remittance Rule Violations, UDAAP
Hey all, Jason here.
Today’s the day — Money2020 kicks off in Las Vegas this morning. I’m here, if a little jet lagged. I’m looking forward to several days of informative panels and keynotes, productive meetings, and a chance to catch up with folks from across the industry.
For those clamoring for an explainer and analysis of the proposed 1033 rule — hang tight. I figured it would be better to do it after having a chance to chat with the real experts at Money2020 this week.
PS, make sure to stop by my friends at Unit21’s booth. Unit21, the authors of the recently published Fraud Fighters Manual, will be onsite handing out printed copies of the popular book. Grab your copy (and other goodies) by chatting with them at booth #13239.
Existing subscriber? Please consider supporting this newsletter by upgrading to a paid subscription. New here? Subscribe to get Fintech Business Weekly each Sunday:
The Struggle is Real. Reconciling BaaS is Serious Business
Sponsored content: Early sponsor banks have moved the BaaS industry forward by partnering with BaaS providers, housing customer accounts outside a bank owned ledger and managing aggregate balances in pooled FBO accounts. Keeping these in sync is no easy task and banks are faced with manually managing the settlement process along with additional regulatory and reputational risk.
Eliminate the struggle. It’s time for the right approach. The platform approach.
Infinant provides a bank-controlled, fully transparent platform which solves the challenges associated with real-time and end of day reconciliation for every bank sponsored program.
Find out how leading banks are scaling their BaaS and embedded programs in the next wave of banking by utilizing our interlace platform.
Money2020 Preview: What I’m Keeping An Eye On This Year
Believe it or not, this is actually only my third time attending Money2020’s US show.
And while some themes have been more enduring, others (crypto, NFTs) have been more trend-driven, with interest quickly peaking and then significantly receding.
It’s probably no surprise, but the two topics I’m most excited about are developments in banking-as-a-service and open banking.
It was a year ago that Rohit Chopra was on stage at Money2020, announcing the CFPB would undertake a rulemaking for “1033,” a requirement of 2010’s Dodd-Frank bill requiring financial institutions to give consumers’ access to their financial data.
Now, a year later, the 299 page proposed rule has just been published — against a backdrop of some large incumbents, like Fidelity and PNC, drawing battle lines over how other companies can access data on their users’ behalf.
The specifics of the rule (which, I’ll admit, I haven’t had time to read in its entirety) matter and will shape not only the data aggregators — fintechs like Plaid, MX, Finicity, and Yodlee — but any fintech that is accessing data through them and their end users.
On the banking-as-a-service front, many of the developments are happening behind closed doors, as part of banks’ conversations with regulators. Only occasionally do regulatory developments spill into public view in the form of an enforcement action, like the action BaaS- and crypto-friendly Metropolitan received last week (more on that below.)
But, absent the creation of a new type of charter — a “fintech” charter, emoney/payments institution charter, or national lending charter — as some other countries have done, the reality is, fintechs will continue to need to partner with banks. The creation of such a new type of national charter would require Congressional action, and that doesn’t look particularly likely in the near future.
What banking-as-a-service looks like in the future, including the business, operating, and compliance models, is still being figured out. And while the experience is, no doubt, painful for some, it’s also necessary to get bank-fintech partnerships and banking-as-a-service to a sustainable place.
If you’re attending Money2020, you’ll have the chance to catch me on stage talking about some of these topics twice; once on Monday, at an “Off the Record” sessions — details here:
And I’ll be joining Alex again on Tuesday to do a live recording of our Fintech Recap podcast; details here:
Metropolitan Faces Fed & NYDFS Enforcement Action, Must Pay Combined $30 Million Penalty
Last week, Metropolitan Commercial Bank (“MCB”) entered into agreements with the Federal Reserve Board and the New York Department of Financial Services, including penalties totaling about $30 million, stemming from MCB’s “unsafe and unsound” banking practices.
Those “unsafe and unsound” practices included failures in its third-party risk management (TPRM) and BSA/AML compliance — specifically, related to MCB’s relationship with prepaid debit card issuer MovoCash, which began in 2016 and continued until 2020.
The Fed and NYDFS found that MCB’s BSA/AML and TPRM failures enabled bad actors to channel some $300 million of illegally obtained state unemployment benefits through MCB and MovoCash. Both MCB and MovoCash benefited from the fraud in the form of interchange and transaction fees.
According to NYDFS’ order (spacing adjusted and emphasis added):
As early as January 2020, senior compliance personnel at the Bank became aware that a primary risk associated with the Bank’s third-party prepaid card programs, including MovoCash, was fraudulent account openings.
Specifically, senior compliance personnel observed that the primary complaint received by the Bank in connection with these programs was that fraud actors opened these prepaid card accounts using another individual’s identity and directed payments, including direct deposit payroll payments and government benefits, onto the fraudulently opened cards.
Despite becoming aware of these risks in January 2020 — before the onset of COVID-19 and the subsequent relief programs — in April 2020, MCB discussed terminating MovoCash or requiring it to implement stronger controls, but ultimately did neither (emphasis added):
Senior executives at MCB discussed the possibility of terminating the relationship with MovoCash, but the Bank chose not to do so at that time, and, instead, continued to allow new accounts to be opened.
An internal suggestion that more stringent CIP controls be implemented — e.g., documentary ID verification for new accounts — might be worth considering on a temporary basis was not ultimately acted upon.
It took another three months — and repeated warnings from third-party business partners and ultimately law enforcement before MCB froze MovoCash account openings and ultimately moved to terminate the relationship (spacing adjusted and emphasis added):
On July 6, 2020, the Bank was informed that at least 60,000-80,000 fraudulent MovoCash accounts were opened each week, and at least $2 million was being taken out of the system through ACH card-to-bank transactions per day.
On July 8, 2020, a senior executive at the Bank was informed by federal law enforcement that not a single unemployment benefit claim from New York State paid to MovoCash accounts was legitimate. Four days later, on July 12, 2020, MCB halted new account openings for the MovoCash Prepaid Card Program.
Interestingly, though the Fed and NYDFS orders highlight the use of fraudulently opened MovoCash accounts to illegally obtain unemployment benefits, MovoCash also touted the ability to use “crypto as your funding source.”
MovoCash advertised the ability to load crypto, including bitcoin, bitcoin cash, ether, Gemini, USDC, Paxos, or XRP on to a MovoCash card and send it “to anyone, including yourself” —
The Fed and NYDFS orders found MCB had deficiencies in its approach to third-party risk management and its compliance with requirements of the Bank Secrecy Act to maintain a Customer Identification Program “that includes risk-based procedures for opening an account that verify the identity of each customer sufficient to enable MCB to form a reasonable belief that it knows the customer’s true identity.”
The Fed and NYDFS orders require Metropolitan to:
strengthen board oversight of the group within the bank, the Global Payments Group, that had been responsible for the MovoCash program, including in a way that will ensure adequate oversight of new products, programs, and services offered by the group
develop a written program for reviewing proposed new programs
enhance its Customer Identification Program (CIP)
enhance its Customer Due Diligence (CDD) program
enhance its third-party risk management (TPRM) program
pay an approximately $14.5 million penalty to the Fed and a $15 million penalty to the NYDFS
What Exposure Might Coastal Community Have?
According to the enforcement actions, MCB halted account openings through MovoCash on July 12, 2020, and made the decision to terminate its relationship altogether on August 19, 2020.
But that wasn’t the end of things for MovoCash. The company was able to find a new bank partner — Coastal Community.
Based on updated to MovoCash’s website, it transitioned to Coastal sometime around late March or early April 2021. At that time, the company still purported to offer the ability to convert and spend crypto:
Based on disclosures on MovoCash and Coastal’s site, the relationship came to an end earlier this year, on March 31, 2023.
While MovoCash’s website is still live, at present, it doesn’t appear to have a bank partner or actually be operational.
How MovoCash was able to sign Coastal Community as a bank partner, after effectively being booted from MCB for facilitating hundreds of millions in fraud, begs the question: what kind of due diligence did Coastal do before agreeing to work with the company, and whether Coastal may suffer some of the same BSA/AML and third-party risk management control gaps as MCB.
In response to questions about its relationship with MovoCash, a spokesperson for Coastal Community indicated the bank was aware of potential issues stemming from its prepaid card program with Metropolitan and clarified that Coastal partnered with MovoCash on deposit accounts and debit cards (not prepaid cards).
The spokesperson also emphasized that Coastal required MovoCash to rebuild its compliance programs to its strict standards, saying, “Importantly, as is typical with our partnerships, we required from the outset that MovoCash fully rebuild its policies and procedures prior to entering into a partnership with Coastal, including its AML program (which is inclusive of its CIP program), which was subject to approval by Coastal before implementation, so that the CCBX-MovoCash-Program would be structured consistent with our stringent compliance standards.”
Despite MovoCash’s public site claiming to offer “crypto conversion and more,” Coastal’s spokesperson made clear the bank has never been involved with programs with any crypto functions.
The Coastal spokesperson also indicated the bank is not subject to any regulatory enforcement actions, saying, “Lastly and in an effort to be as transparent as possible, we are not subject to any memorandum of understanding, consent order, or cease and desist.”
Chime (No, Not That One) Enters Consent Order With CFPB Over Remittance Rule Violations, UDAAPs
First things first: this CFPB action has nothing to do with the “Chime” most people are familiar with, the neobank, whose official entity is Chime Financial, Inc.
The action was against Chime, Inc. (confusing!), which operates under the trade name Sendwave.
Sendwave was acquired by London-based Worldremit in 2021 (to avoid confusion, the rest of this piece will refer to the company by its dba name Sendwave.)
The CFPB’s consent order finds a number of violations of the Consumer Financial Protection Act, including that Sendwave:
made false and misleading statements to consumers about the speed of remittances, including that transfers would be delivered “instantly,” “within seconds,” and “within 30 seconds,” when this was not always the case for many users
made false and misleading statements about fees, including that transfers had “no fees,” when this was not the case
improperly required users to waive their rights under the Electronic Funds Transfer Act (EFTA) and its implementing regulation, Reg E
improperly included a clause that limited the company’s liability to $1,000, in violation of the EFTA
did not provide users with a timely receipt
failed to investigate and determine whether an error had occurred when receiving customer communications that might constitute a Notice of Error
failed to provide a written explanation of findings in response to Notifications of Error
failed to develop required policies and procedures for error resolution
failed to accurately disclose dates of fund availability
failed to accurately disclose the exchange rate
provided disclosures that did not comply with EFTA requirements
The consent order requires Sendwave to develop and maintain required error resolution procedures, promptly investigate and determine if an error has occurred when it receives a Notification of Error, provide users with written explanation in response to Notifications of Error, refund all fees and taxes when it determines an error has occurred, and implement record retention policies and procedures as required by Reg E.
Sendwave is also prohibited from engaging in deceptive practices, including by misrepresenting the speed or costs of its remittance transfers.
The company must also develop a compliance plan designed to ensure its services comply with all applicable laws and regulations.
The CFPB consent order further requires approximately $1.4 million in consumer redress for Sendwave users harmed by its misleading fee and speed claims, as well as a $1.5 million civil money penalty.
Other Good Reads
When was the last time Marc Andreessen talked to a poor person? (Techcrunch)
Open Banking Endgame (Fintech Brainfood)
FDIC IG Provides New Details on FDIC’s Approach to Crypto (Bank Reg Blog)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571
Early stage startup looking to raise equity or debt capital