Adobe Stock: ReeldealHD images
Banks are heavily regulated and fintechs are not.
This discrepancy is a below-the-surface problem that occasionally bubbles up as consent orders on banking-as-a-service banks and quagmires like the recent bankruptcy of Synapse, a BaaS middleware provider that left millions in customer funds unaccounted for when it went bankrupt in 2023.
The Coalition for Financial Ecosystem Standards, or CFES, co-founded by Sima Gandhi, a former Plaid executive, is this week releasing industrywide standards for risk management and compliance in bank-fintech relationships.
“The reality is that fintechs need to be doing more” to comply with financial regulations and make sure their bookkeeping is accurate, Gandhi said in an American Banker podcast that will air March 18. “This isn’t just the banks’ problem to solve when it comes to enabling risk management and compliance. The fintechs need the banks just as much as banks need the fintechs, and one of the defining theses of CFES is that the fintechs can band together, invest resources, time, effort, and pull together standards that help them hold themselves accountable to the banks.”
Members of CFES include Block, Bluevine, Brex, Mercury, Stripe, Rho and Treasury Prime.
The CFES standards describe the efforts fintechs should be making in areas like AML, compliance management, third-party risk management, complaint handling, operational risk, marketing and product compliance. In each area, five levels of compliance are defined, from one (optimized) to five (rudimentary). For instance, in the framework’s standard for AML officers, level five means the officer is inexperienced, lacks a formal job description, has no clear authority or resources and has little engagement with senior leadership and the board. Level one AML officers, on the other hand, are well qualified and have clear, documented authority with direct access to leadership and the board.
The CFES scoring framework takes into account that compliance programs should be tailored to each organization’s scale, complexity and maturity. “For example, a rapidly growing nonbank may appropriately have different controls than a large established nonbank, even while both maintain sound risk management,” the Standardized Assessment for Risk Management and Compliance document states.
The framework will be backed by a certification process in which expert, independent third parties will assess fintech policies and “not only ensure that they’re saying the right things, but also get into the weeds and look at how they’re operating against those policies,” Gandhi said.
At least one banker applauds the effort. “What they’re doing is hopefully going to push the industry where it needs to go,” said Chris Black, CEO of Thread Bank, a community bank in Rogersville, Tennessee, that’s not a member of CFES but does work with fintech partners. “By industry, I mean banks, fintechs and regulators, all three together, have to get on the same page.” He noted that other self-governing organizations, such as FINRA, have been effective in the financial industry.
Phil Goldfeder, CEO of American Fintech Council, also praised the CFES’ work.
“Regulatory clarity is critical to building a strong foundation for financial services,” he said in a statement. “The best regulation is not made via enforcement, but rather through broad, consistent, and responsible industry collaboration combined with regulator engagement. Robust standards can create operational guardrails and ensure continued consumer trust in the financial system without stifling innovation. We are encouraged by the work of CFES and excited to work alongside them to create industry standards and universal regulatory and compliance language that we can all embrace.”
Fintech industry standards could make it easier for banks to assess fintechs, Gandhi said. “At the end of the day, the regulators have made very clear that the bank is the responsible party, and we want to put banks in the risk management driver seat,” she said.
Customers and the market demand fintech services, Black observed, which means banks and fintechs have to agree on the right way to move forward with banking as a service.
“The essence of leadership isn’t sitting back and waiting for other people to tell you what to do,” Black said. “It’s working with good and aligned people in a reasonable way and finding common ground between sometimes competing priorities and helping technology companies understand if you offer to partner with a bank to offer banking products, you’re now a banker, and bankers to understand, if you’re partnering with the technology company and accessing their customer base through their technology, you’re now a technologist. We’ve got to figure out how to speak a common language. So I think CFES will likely be successful with this, because that’s the way they’re coming at it.”
The framework could do for fintechs what Carfax does for cars, Black said — provide credible information to potential partners about strengths and weaknesses.
The next step will be to get regulatory buy-in on the framework, Black noted. “This vacuum of guidance and alignment is not good for anybody,” he said. “And this demand in the market for banking and technology also is not going to be diminished. So we’d better get together, and so if we as an industry can help deliver a strong framework for the regulators to then have their input, that seems like the best possible solution we could have.”
