With Blue Ridge's OCC Agreement, BaaS 'Rumors' Spill Into Public View
Also: 15,000 Fraudulent Green Dot Accounts Used in $286m SBA Loan Scam
Hey all, Jason here.
Happy Labor Day weekend to my US-based readers — hopefully you’re enjoying the unofficial end of summer. This Thursday, I’ll be headed to Guadalajara, Mexico — if you happen to be based there, drop me a line, I’d love to grab coffee while I’m in town.
With August wrapped up, we made the donation to our last finhealth charity, Justine PETERSEN — thank you, paying subscribers, for making this possible! To select the next charity, we’re trying something new — a poll.
Existing subscriber? Please consider supporting this newsletter by upgrading to a paid subscription. New here? Subscribe to get Fintech Business Weekly each Sunday:
Risk & Underwriting for Business Lending Panel with Ramp & Rutter
Sponsored content: Rutter is a Universal Commerce API (‘Plaid for Commerce’) that makes it easy for fintech companies (like Ramp, Mercury, Parafin, Airwallex and more) to read and write financial data from ecommerce platforms, marketplaces, accounting systems, and payment processors like Shopify, Amazon, WooCommerce, Quickbooks, Xero, Stripe and 30+ other integrations.
Join us for a panel discussion around Risk & Underwriting For Business Lending with Srinath, Head of Risk at Ramp on Wednesday, September 14, 2022, at 10 am PT.
With Blue Ridge's OCC Agreement, Banking-as-a-Service 'Rumors' Spill Into Public View
Regulatory storm clouds have been gathering over bank-fintech partnerships for some time. In July, this newsletter highlighted potential areas of concern for regulators:
“[S]pecific areas of concern could include how banks are ensuring compliance with Bank Secrecy Act and KYC/AML requirements, transaction monitoring, business continuity planning, information security, UDAAP, how fintechs are marketing themselves, customer complaints, and countless other areas.”
With the public filing of an agreement between Blue Ridge Bank and the OCC, there is now a concrete example of a regulator taking action over concerns stemming from how a specific bank operationalized a “banking-as-a-service” business model.
It is worth noting that Blue Ridge had both direct fintech partnerships, as well as working with banking-as-a-service platform Unit, which, in turn had numerous fintechs operating via Blue Ridge.
While the OCC agreement is clearly bad news for Blue Ridge, it should provide other banks and fintechs a roadmap to stay on the right side of regulation.
Further, the improved clarity stemming from the agreement should be a net positive for fintech-bank partnerships and the industry writ large.
What Is In Blue Ridge’s Agreement with the OCC?
Blue Ridge has grown aggressively in recent years, both through M&A activity as well as through direct fintech partnerships and those through BaaS platform Unit.
Blue Ridge’s oversight and compliance infrastructure doesn’t seem to have kept up with the bank’s rapid growth. The OCC agreement, viewed in aggregate, stems from Blue Ridge’s inability to adequately oversee its sprawling fintech partnerships.
Topics addressed in the agreement can be grouped into roughly five key areas:
Third-Party Risk Management
The agreement directs the bank to develop, implement, and adhere “to a written program to effectively assess and manage the risks posed by third-party fintech relationships.”
This directive shouldn’t come as a surprise to Blue Ridge; in fact, it’s surprising the bank didn’t already have an adequate third-party risk management infrastructure in place, as the OCC has long-standing guidance on the topic, including:
The agreement specifies that Blue Ridge’s third-party risk management program must address:
“how the Bank identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk”
“how the Bank selects, assesses, and oversees third-parties”
“the Bank’s strategic plan for providing necessary resources, infrastructure, technology controls, and organizational capabilities to manage the third-party fintech relationship partners in a safe and sound manner”
“establishes criteria for Board review and approval of third-party fintech relationship partners”
an assessment of BSA risk, including money laundering, terrorist financing, and sanctions risk for third-party partners
how the Bank will monitor and oversee its fintech partners, including how it will address activities it identifies as non-compliant
“contingency plans” for winding down fintech partnerships in an “effective manner” (notable given the haphazard handling of some recent neobank failures)
Bank Secrecy Act Compliance, including Independent Audit and Adequate Staffing
The agreement prescribes significant steps Blue Ridge must take regarding its compliance with the Bank Secrecy Act, including conducting a BSA assessment to determine its risk across all products, services, customers, entities, and geographies involving third-party fintech partners.
Blue Ridge must also adopt an updated independent BSA audit program with an expanded scope and risk-based review of activities conducted through third-party fintechs.
The agreement further directs Blue Ridge to ensure it “is appropriately staffed with personnel that have requisite expertise, training, skills, and authority” to meet its BSA compliance obligations under the agreement.
Customer Due Diligence & Enhanced Due Diligence
The OCC agreement speaks directly to Blue Ridge’s customer due diligence (CDD) and enhanced due diligence (EDD) processes, including in confirming beneficial owners (UBOs) for business entities.
The agreement calls for Blue Ridge to:
“implement and adhere to revised and expanded risk-based policies, procedures, and processes (“Program”) to obtain and analyze appropriate customer due diligence (“CDD”), enhanced due diligence (“EDD”), and beneficial ownership (“BO”) information for all bank customers at the time of account opening and on an ongoing basis, and to effectively use this information to monitor and investigate, suspicious or unusual activity.”
Suspicious Activity Monitoring & Reporting
The agreement directs Blue Ridge to review and revise its suspicious activity monitoring and reporting program. The program must include:
“revised and updated policies and procedures for review and documentation of suspicious activity that are commensurate with the Bank’s risk profile, with an action plan for the Bank to address any deficiencies and weaknesses identified with suspicious activity monitoring and reporting;
procedures and processes for the Bank to quantify the volume of activities and transactions conducted by or through each of the Bank’s third-party fintech relationship accounts and sub-accounts”
This element likely reflects the added complexity of “FBO” (for benefit of) omnibus accounts, a common practice in the industry: a fintech’s many end users are pooled in a single account at the bank, while the per-user ledger is maintained by the fintech or its BaaS platform rather than on the bank’s core.
How such structures are implemented can impact a bank’s ability to directly monitor transactions itself vs. relying on a fintech and/or BaaS partner to do so. Regardless, a bank must have proper policies, procedures, and systems in place to monitor and report suspicious activity, whether or not it’s relying on third parties to carry out some of those responsibilities.
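To make the visibility problem concrete, the following added example (not code from the newsletter, Blue Ridge, Unit or the OCC) contrasts what a bank sees from its own core for one FBO omnibus account with what it can see once the fintech’s per-sub-account ledger is shared with it. The ledger lines are constructed sample data, the `acct-00x` sub-account ids and the $10,000 throughput threshold are hypothetical, and the pass-through rule is illustrative rather than any bank’s actual monitoring logic.

```python
"""Per-sub-account volume attribution behind an FBO omnibus account.

Added example, not from the newsletter or any of the parties it discusses.
Assumed (hypothetical) setup: the bank's core ledger sees one omnibus
"for benefit of" account per fintech partner, while the fintech or BaaS
platform keeps the per-end-user ledger. The bank can only quantify volume
"by or through each ... account and sub-account" if that ledger is shared.
Sample entries below are constructed; thresholds are illustrative only.
"""
from collections import defaultdict

# Constructed ledger entries: (date, sub_account, direction, amount_cents).
# sub_account=None models an entry the fintech failed to attribute to a user.
LEDGER = [
    ("2022-08-01", "acct-001", "credit", 120_000),   # $1,200 inbound
    ("2022-08-02", "acct-001", "debit",    4_500),
    ("2022-08-02", "acct-002", "credit", 950_000),   # $9,500 in ...
    ("2022-08-02", "acct-002", "debit",  940_000),   # ... $9,400 out same day
    ("2022-08-03", "acct-002", "credit", 970_000),
    ("2022-08-03", "acct-002", "debit",  960_000),
    ("2022-08-03", "acct-003", "credit",  50_000),
    ("2022-08-04", None,       "debit",   20_000),   # unattributed movement
    ("2022-08-04", "acct-001", "debit",   30_000),
]


def omnibus_view(ledger):
    """What the bank sees from its own core: one pooled account, no end users."""
    credits = sum(a for _, _, d, a in ledger if d == "credit")
    debits = sum(a for _, _, d, a in ledger if d == "debit")
    return {"credits": credits, "debits": debits,
            "net": credits - debits, "count": len(ledger)}


def sub_account_volumes(ledger):
    """Per-sub-account credits, debits and entry count (the fintech's view)."""
    vols = defaultdict(lambda: {"credits": 0, "debits": 0, "count": 0})
    for _, sub, direction, amount in ledger:
        if sub is None:
            continue  # reported separately by unattributed()
        vols[sub][direction + "s"] += amount
        vols[sub]["count"] += 1
    return dict(vols)


def unattributed(ledger):
    """Entries with no sub-account id: volume the bank cannot tie to any end user."""
    return [e for e in ledger if e[1] is None]


def flag_pass_through(vols, min_throughput_cents, min_ratio=0.9):
    """Illustrative rule (hypothetical): sub-accounts whose total movement
    reaches min_throughput_cents and that send out at least min_ratio of
    what came in, i.e. funds pass through rather than being held."""
    flagged = []
    for sub, v in sorted(vols.items()):
        if v["credits"] == 0:
            continue
        throughput = v["credits"] + v["debits"]
        if throughput >= min_throughput_cents and v["debits"] / v["credits"] >= min_ratio:
            flagged.append(sub)
    return flagged


if __name__ == "__main__":
    print("bank omnibus view:", omnibus_view(LEDGER))
    vols = sub_account_volumes(LEDGER)
    for sub, v in sorted(vols.items()):
        print(sub, v)
    print("unattributed entries:", unattributed(LEDGER))
    print("pass-through sub-accounts:", flag_pass_through(vols, 1_000_000))
```

Run stand-alone, the omnibus view shows a single account with modest net growth, which is all a bank relying solely on its core would have to monitor; the per-sub-account view shows one sub-account responsible for almost all of the throughput and moving funds straight back out, plus an entry with no attribution at all. Both the pass-through rule and the unattributed check are the kind of quantification the agreement asks for, and neither is possible without the fintech’s ledger.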
The agreement also calls for Blue Ridge to conduct a “SAR Look-Back” to determine if SARs should have but were not previously filed for “high risk customer activity involving the Bank’s third-party fintech relationship partners.”
IT Control Program
Compared to the majority of the agreement, which speaks to BSA/AML risk and compliance, Article X of the agreement, which calls for an “Information Technology Control Program,” is noteworthy.
In working with fintech partners directly, a banking-as-a-service platform (Unit), and that platform’s numerous fintech clients, Blue Ridge has a sprawling and presumably complicated software architecture.
In turn, Blue Ridge’s third-party fintech clients also rely on various service providers and APIs to operate their services. All of which adds up to a significant amount of complexity — and potentially numerous and dispersed points of failure.
The agreement’s IT control program calls for Blue Ridge to update IT risk assessment and governance, including standards and controls over the use and storage of data and an enterprise-wide business continuity plan.
OCC Review of New Fintech Partners & New Products, Services, and Activities of Existing Partners
Perhaps the most shocking element of the agreement is the requirement, as part of its third-party risk management obligations, that Blue Ridge receive the OCC’s sign off (“non-objection”) before onboarding new fintech partners or offering new products/services or conducting new activities with existing partners (emphasis added):
“Prior to onboarding new third-party fintech relationship partners, signing a contract with a new fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech relationship partners, the Board shall obtain no supervisory objection from the OCC.”
The requirement that Blue Ridge receive non-objection for onboarding new fintech partners is quite clear.
How the requirement of non-objection for existing partners offering “new products or services or conducting new activities” will be applied in practice is a bit less clear.
Does “new” mean an existing partner adding any product/service, even an ‘off-the-shelf’ offering like wire transfers? Or, more likely, does “new” mean only novel product formulations proposed by existing partners?
Unit, Blue Ridge’s BaaS partner, emphasized the agreement shouldn’t impact its customers. Unit CEO Itai Damti told Fintech Business Weekly:
“Unit’s relationship with Blue Ridge Bank remains very strong and we do not expect any impact to current or future joint customers. We’ve been impressed with the significant investments Blue Ridge has made over the last several months in hiring, processes and tools to increase their capacity to serve fintech customers.”
What May Have Caused the OCC to Act Now?
The short answer is, we don’t know.
Although the agreement specifies that the OCC “has found unsafe or unsound practice(s), including those relating to third-party risk management, Bank Secrecy Act (“BSA”) / Anti Money Laundering (“AML”) risk management, suspicious activity reporting, and information technology control and risk governance,” the agreement doesn’t spell out the specific issues that gave rise to the enforcement action.
One theory is that Blue Ridge’s partnership with MentorWorks, an income share agreement company, was the impetus for the OCC to act.
Around April, 2021, consumer advocacy groups, including the Student Borrower Protection Center and the NCLC, asked the OCC to “critically question” if ISAs are an appropriate product offering for banks like Blue Ridge.
Income share agreements, while potentially a consumer protection issue, seem unlikely to have been the driving force here, given the heavy focus on BSA-, AML-, and customer due diligence-related matters in the OCC agreement.
Scrutiny Increased During Failed FVCBankcorp Merger
Around the time of the MentorWorks dustup, Blue Ridge was pursuing a merger-of-equals with FVCBankcorp Inc.
In November, 2021, the two companies released a statement that regulatory concerns could delay the merger, stating (emphasis added):
“During this time, Blue Ridge also has learned that the Office of the Comptroller of the Currency (the “OCC”) identified certain regulatory concerns with Blue Ridge Bank that could impact the application process and timing of the Merger. Blue Ridge Bank has already commenced an initiative intended to fully address the OCC’s concerns.”
The merger was ultimately called off just two months later, in January, 2022.
Another theory is that, during the proposed merger process, the OCC uncovered other potential problems that ultimately resulted in the agreement.
One of those ‘problems’ may have been a neobank called Aeldra. The fintech, which partnered directly with Blue Ridge, was founded by a former exec who helped launch Goldman Sachs’ retail bank Marcus (full disclosure: the founder was a former colleague of mine at Goldman, and I briefly provided some advice in the product’s pre-launch phase.)
Aeldra purportedly enabled users living in India to open a US bank account through Aeldra’s relationship with Blue Ridge. The company’s website promoted (emphasis added):
“Exclusive U.S. Banking for Indians. Open a U.S. bank account in 10 minutes from India if you have an Indian Passport. Visa, Social Security Number or U.S. Address not required.
Using revolutionary technology based on Machine Learning Aeldra has proprietary KYC, Risk Management and Info Security capabilities to be in compliance with U.S. & Indian regulations as well as meeting the highest standards of safety and security.”
Now, it isn’t impossible for a bank to offer such a product. The Aeldra founder launched a similar product at East West Bank, dubbed Velo. Velo currently offers US bank accounts to residents with qualifying documents in China, Taiwan, Hong Kong, and India.
Section 326 of the USA PATRIOT Act requires banks and most other financial institutions to maintain a Customer Identification Program (CIP) that collects, at a minimum, an applicant’s name, date of birth, address, and an identification number. For US persons that number is a taxpayer identification number (most commonly an SSN or ITIN); for non-US persons it can instead be a passport number and country of issuance, or the number of another government-issued photo document, which is what makes an account for an Indian passport holder possible in principle. Institutions aren’t required to independently verify every element, but they must use risk-based procedures to verify enough of the information to form a “reasonable belief” that they know the true identity of each customer.
It’s worth noting that Aeldra, through Blue Ridge, isn’t the only non-bank fintech attempting to offer such a service. Another fintech, Nomad, works with Synapse and underlying bank partner Evolve Bank & Trust to offer a similar product in Brazil.
(A spokesperson for Evolve indicated the bank works with all of its fintech partners and aggregators to review KYC policies and processes and noted Brazil’s identity infrastructure is known for its robustness. The spokesperson further clarified, “We feel that this process materially mitigates the risk; however, we further reduce the risk by limiting funding to USD and having a majority of the spend on the card limited to the US.”)
While it is possible to comply with AML/KYC requirements in offering these types of accounts, they would likely be considered “higher risk” and thus require additional diligence at onboarding and ongoing monitoring. Offering these types of accounts potentially could trigger additional regulatory scrutiny around BSA, AML, KYC, and SAR compliance.
Aeldra appears to have begun shutting down as of August 10th — just one week before Blue Ridge signed its agreement with the OCC — and is in the process of returning funds to its customers:
Still, given the scope and severity of the OCC agreement, it seems likely if Aeldra was a contributing factor to the OCC agreement, it wasn’t the only issue giving rise to the OCC’s action.
Absent some additional filings or regulatory action, we’re unlikely to know the full scope of issues that led to the agreement.
What Does This Mean for Fintech/Bank Partnerships?
While we don’t know what fact pattern gave rise to this agreement, and the agreement itself is specific to Blue Ridge Bank, its repercussions are likely to be felt throughout the fintech ecosystem.
What was previously quietly whispered about behind the scenes has burst fully into public view — there is no longer a shadow of a doubt that bank/fintech partnerships are on the OCC’s radar, and that it is willing to take action when it thinks necessary.
The result is likely to be the continued swing of the pendulum from “full speed ahead” to a much more cautious approach for banks considering taking on new fintech partners — or banks re-considering entering the banking-as-a-service business at all.
But that could turn out to be shortsighted. Partnerships with fintech and banking-as-a-service platforms can offer an important avenue to diversification and, frankly, continued relevance for smaller community banks.
Community banks, by definition, face geographic concentration risk. Many also are overly exposed to commercial real-estate — potentially posing a significant risk to their balance sheets as the commercial real-estate sector continues to adjust to a post-COVID world.
Banking-as-a-service business models can also foster competition in banking — an explicitly stated goal of the Biden administration. Unit CEO Itai Damti commented on this point, saying:
“At Unit we’re big believers in community banks and the important impact they have in promoting competition in and access to digital financial services. The recent announcement provides helpful clarity about regulatory expectations for current and aspiring fintech partner banks. We hope that regulators will continue to engage on these topics as we believe that clarity fuels innovation.”
Banks, Fintechs Should be Paying Attention
Popular nationally-chartered partner banks, like Stride, MetaBank, and recently launched Column Bank, are no doubt paying attention to Blue Ridge’s OCC agreement.
But the fallout of this agreement is likely to be felt even by banks that aren’t overseen by the OCC.
Many popular partner banks, including Evolve Bank & Trust, The Bancorp Bank, Coastal Community, Hatch Bank, Green Dot Bank, and Metropolitan Commercial Bank, are state-chartered, and thus not under the purview of the OCC. Instead, their primary federal regulators would be the Fed or the FDIC.
Fintechs looking to launch products with partner banks should be prepared for more thorough diligence, upfront and on an ongoing basis — likely resulting in slower-moving and more expensive relationships overall.
While more oversight is needed, there is a risk of making smaller, niche fintech plays that attempt to meet the needs of historically underserved users un-economical, if regulatory burdens become too great.
Still, banks are more likely to shy away from earlier stage fintechs that lack the experience, personnel, and financial resources to build and operationalize increasingly complex compliance infrastructure.
Banking-as-a-Service platforms may be a seemingly unlikely winner here. Insofar as BaaS platforms facilitate the standardization, to the extent practical, and automation of compliance systems, they may enable smaller banks to efficiently scale fintech partnership programs in a way that could be difficult to do on their own.
Another potential big winner? Compliance-focused consulting firms. Building and operationalizing compliance systems, whether in direct or BaaS platform-facilitated fintech partnerships, requires specialized compliance, legal, and technical knowledge. Smaller banks that power these partnerships often lack the resources to build out such systems. That might just prove to be a boon for consulting firms in the space.
Regardless of specific “winners” and “losers” from this increasing scrutiny, all participants in the fintech/banking partnership ecosystem should benefit from the increased clarity that Blue Ridge’s OCC agreement provides.
Fraudsters Used 15,000 Green Dot Accounts in $286 Million SBA Loan Scam
According to a press release from the US Secret Service last week, the agency recovered some $286 million in fraudulently obtained Economic Injury Disaster Loans (EIDL):
“[T]he U.S. Secret Service returned approximately $286 million in fraudulently obtained Economic Injury Disaster Loans (EIDL) to the Small Business Administration (SBA). These recovered funds were generated by fraudulently submitted EIDL loan applications using fabricated or stolen employment and personal information.”
Though also administered by the Small Business Administration, the EIDL program is distinct from the Paycheck Protection Program, which experienced significant amounts of fraud. The EIDL program predates the COVID pandemic and exists to aid small businesses impacted by disasters. According to the SBA’s website:
“Small businesses, small agricultural cooperatives, and most private nonprofit organizations located in a declared disaster area and which have suffered substantial economic injury may be eligible for an SBA Economic Injury Disaster Loan (EIDL).”
The SBA did offer COVID-specific loans and advances (grants) through the existing EIDL program.
At this point, stories of COVID-era fraud are hardly remarkable. What stands out about this one is that the proceeds were funneled through 15,000 accounts at the same institution: Green Dot Bank. Per the release (emphasis added):
“[T]he investigation revealed that the conspirators utilized third-party payment system Green Dot Bank (GDB), issuer of Green Dot debit cards, to conceal and move their criminal proceeds. Working with GDB, the Secret Service was able to identify over 15,000 accounts used in the conspiracy and seize the $286 million contained in these fraudulent accounts.”
What’s even more shocking is that this isn’t even the first time a significant amount of fraudulently obtained funds have been recovered from Green Dot.
In December, CNBC reported on some $400 million in unemployment, PPP, and EIDL loan funds that were recovered from Green Dot and PayPal, among other companies.
According to a Secret Service spokesperson (emphasis added):
“After the Secret Service alerted the private sector early on about the emerging fraud, numerous financial institutions proactively identified, investigated, and safeguarded against suspected fraudulent pandemic relief funds. These private institutions then reached out to the Secret Service for further assistance. In coordination with companies like Green Dot Corporation and PayPal, the Secret Service was able to seize over $400 million in fraudulent funds.”
While Green Dot’s cooperation with the Secret Service helped facilitate recovering the funds, perhaps we should be asking how banks like Green Dot — which serves as a bank partner to major companies like Apple, Uber, and Walmart — allowed fraud to happen at an industrial scale in the first place.
Looking to Get In Front of Fintech Decision Makers? Sponsor This Newsletter.
Are you looking to get in front of some of the most well-informed, influential decision makers in fintech and banking? Then consider sponsoring an edition of Fintech Business Weekly’s newsletter or podcast.
Select placements are available for Q3 and Q4. Contact us for a media kit and additional details.
Other Good Reads
What Would It Get You to Change Banks? (You’re Probably Lying) (Ron Shevlin/Forbes)
The CFPB’s Capraesque Obsession with Relationship Banking (Fintech Takes)
Three Steps to Fix Fintech’s Diversity Problem (WTFintech?)
Is Crypto a Scam, or Just Full of Scams? (Fintech Brainfood)
Contact Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion
Early stage startup looking to raise equity or debt capital