The orders highlighted purported shortcomings in the banks' Banking as a Service activities and partnerships with fintech firms. Piermont Bank, headquartered in New York City, was found to have ‘engaged in unsafe and unsound banking practices’ and lacked the necessary internal controls and information systems commensurate with the bank's size and the risk associated with its third-party relationships, according to the FDIC's consent order.
Meanwhile, Sutton Bank, based in Attica, Ohio, faced similar charges of unsafe or unsound banking practices and violations of the Bank Secrecy Act in a separate order.
The FDIC's regular release of consent orders has increasingly focused on banks' fintech partnerships. In February, Lineage Bank of Franklin, Tennessee, was required to enhance its risk management program, bolster capital levels, and sever certain fintech partnerships. Blue Ridge Bank, Cross River Bank, and First Fed Bank have also faced consent orders related to their fintech ties, although not exclusively from the FDIC.
Representatives of Piermont Bank stated that regulatory scrutiny is affecting nearly every bank engaged in Banking as a Service (BaaS). She believes that no one is immune at this point, she told American Banker.
Piermont's consent order, spanning 35 pages and dated February 26, instructs the bank's board to intensify its supervision of management and enhance oversight of various aspects, including financial activities, third-party relationships, anti-money laundering measures, and internal controls.
The regulator directed Piermont to scrutinise all transactions since September 2022 for suspicious activity reporting, as well as Electronic Funds Transfer Act disputes since August 2020. The bank is also mandated to assess its staffing levels, compliance systems, and expertise of board committee members.
Within 90 days, Piermont must conduct a comprehensive review of its operations, activities, and third-party relationships, evaluating their compliance with laws and regulations. Furthermore, within 120 days, the bank must assess the adequacy of its due diligence procedures and draft an action plan to address any identified deficiencies in its third-party relationships program.
Sutton Bank's consent order, spanning 10 pages and issued on February 1, requires the implementation of a revised Anti-Money Laundering/Counter Financing of Terrorism (AML/CFT) program within 180 days. The bank must also develop policies and procedures for managing third-party risks and compile an inventory of such relationships.
Sutton must appoint program managers responsible for various aspects of compliance and establish a board committee to oversee adherence to the consent order. Additionally, the bank must review all prepaid card customers since July 1, 2020, within 60 days to verify their identities.
The orders emphasize banks' responsibility for compliance, particularly concerning third-party relationships. Matthew Smith, president of Bankers Helping Bankers, noted that banks outsourcing risk to third-party partners remain under regulatory scrutiny.