A Federal Deposit Insurance Corp. consent order issued to Rogersville, Tennessee-based Thread Bank specifically calls out the lender’s banking-as-a-service business, with the regulator ordering Thread Bank to ensure its third-party risk management program addresses the level of risk and complexity of fintech partners in the bank’s BaaS program.

The order, dated May 21, 2024, and made public in July, also requires the bank to implement a documented risk assessment of fintech partners. The bank’s board must approve risk tolerance thresholds for individual fintech partners “based on an enterprise-wide financial analysis of each FinTech partner’s financial projections under expected and adverse scenarios,” the order stipulates.

The bank is “dedicated to meeting all obligations,” Thread Bank CEO Chris Black said in a statement, “and we have already made substantial investments to improve our policies, processes, procedures and controls over the past three years — all in collaboration with the FDIC and the Tennessee Department of Financial Institutions.”

The 10-page consent order stipulates that Thread Bank’s BaaS and loan-as-a-service program policies and procedures address third-party partner and customer approval requirements, due diligence processes, growth and stress modeling, ongoing anti-money laundering/countering the financing of terrorism compliance monitoring and steps to unwind third-party business lines, “including FinTech partners.” 

Thread Bank must implement documented customer due diligence and suspicious activity monitoring processes for its BaaS program, and ensure information systems associated with its fintech partners offer timely and accurate information, according to the consent order.

The lender also needs to make sure anti-money laundering/counterterrorism financing staff are adequately trained to spot suspicious activity, that such activity is reported in accordance with regulatory deadlines, and that third-party partners are meeting the bank’s AML/CFT program requirements. 

Additionally, Thread Bank is required to ensure beneficial ownership information is documented and maintained. That’s an issue in the spotlight amid bankruptcy proceedings for fintech middleware firm Synapse: Customers are owed $65 million to $96 million more than what’s being held for them in partner banks’ accounts, according to the bankrupt company’s trustee, former FDIC Chair Jelena McWilliams. But Synapse and Evolve Bank & Trust — one of Synapse’s partner banks — disagree over which company holds the funds.

Thread Bank also must develop an exit plan that lays out how to monitor fintech relationships — including third-, fourth- and fifth-party providers — for service interruptions. The bank must also detail response steps; outline staffing requirements; define customer notification of service disruptions and how the bank will respond; and detail how regulators and external stakeholders will be notified.

“We will continue to invest in our teams and services to ensure we meet the needs of, and provide strong protection for, our customers and partners as we move forward,” Black said in the statement. 

Still, the order “is much broader than BaaS,” requiring updates to the bank’s strategic plan, enterprise risk management and BSA/AML, noted Margaret Tahyar, head of the financial institutions group at law firm Davis Polk.

Thread Bank was also ordered to enhance its liquidity management policy, and set formal goals and lay out strategies to bolster the bank’s earnings as part of a profit plan. 

It’s not the first time the lender, formerly known as Civis Bank, has faced regulatory pressure. In 2015, the bank was hit with an FDIC consent order, requiring it to draft a plan aimed at improving earnings and increase its capital ratios.

Renamed Thread Bank in 2022, it has partnered with middleware firm Unit, and supports some 35 fintech programs, according to Fintech Business Weekly. A spokesperson for Thread Bank declined to comment on the bank’s fintech partnerships. 

“The regulators draft a broad order like this one when they want to send a stern message, typically of a lack of confidence in the board and management,” Tahyar said in an email. “Feels like they want a total change in the business model.”

A Wyoming bank holding company was hit with a cease-and-desist by the Federal Reserve Bank of Kansas City in connection with the banking-as-a-service activities of its subsidiary, Summit National Bank.

Hulett, Wyoming-based Mode Eleven Bancorp is prohibited from expanding in ways “related to the fintech business strategy, including the establishment of any new subsidiaries, business lines, products, programs, services, customers, or program managers” without Fed approval.

In response to the order, Mode Eleven is fully and voluntarily retreating from its fintech business.

“[Mode Eleven] and the Board of Governors have the common goal that [Mode Eleven] operate in a safe and sound manner and comply with all applicable federal and state laws, rules and regulations,” the order said.

In its most recent inspection of the bank, the Kansas City Fed found issues related to its fintech business strategy, board oversight, capital, earnings, liquidity, risk management and compliance with the rules related to affiliate transactions.

Under the order, Mode Eleven must develop a plan to strengthen its board oversight and its risk management program, and must submit to the Kansas City Fed a written business plan to improve its earnings and overall condition for 2024.

Additionally, Mode Eleven needs to write a capital plan and create a program to enhance its liquidity risk management, including diverse funding.

Requests for comment from Mode Eleven were not returned by press time.

Piermont Bank and Sutton Bank each entered into consent orders with the Federal Deposit Insurance Corp. in February 2024, the regulator disclosed, highlighting alleged deficiencies in the lenders’ banking-as-a-service work and partnerships with fintechs.

New York City-based Piermont Bank “engaged in unsafe and unsound banking practices,” and failed to have the internal controls and information systems needed for the bank’s size, as well as for the scope and risk involved with its third-party relationships, the FDIC said in the consent order.

In a separate order, Attica, Ohio-based Sutton Bank was also charged with unsafe or unsound banking practices and violations related to the Bank Secrecy Act.

"Every bank that touches BaaS is getting an enforcement action," Wendy Cai-Lee, CEO of Piermont Bank, told American Banker. "I don't think anyone is not getting one at this point."

Piermont’s 35-page consent order, dated Feb. 26, 2024, directs the bank’s board to increase its supervision of management, as well as oversight and monitoring of the bank’s financial condition, risk profile, activities, third-party relationships, anti-money laundering and counterterrorism financing, and the bank’s internal controls and audit systems.

The FDIC ordered Piermont to review all transactions since September 2022 to ensure all suspicious activity was reported. It must also review Electronic Funds Transfer Act disputes since August 2020.

The regulator outlined requirements related to maintaining “an appropriate number” of bank officers, establishing systems and procedures to maintain compliance, ensuring an appropriately sized internal audit, and assessing whether the bank’s board committee members have appropriate expertise. 

Within 90 days of the order, the bank must conduct a review of the data, documents and records related to its operations, bank activities and third-party relationships, the FDIC said. That assessment must consider whether the data “appropriately enables the bank to operate … in a safe and sound manner,” and to determine whether its third-party relationships comply with laws and regulations, the order said. The bank also has to assess its systems to ensure compliance with laws and regulations.

The order underscored that the bank’s procedures, data and systems tied to third-party relationships and the bank activities conducted through those relationships must “include clear lines of authority and responsibility” when it comes to monitoring adherence to bank procedures and laws and regulations, as well as effective risk assessment.

Within 120 days of the order, the bank has to review whether its third-party relationships program has the appropriate due diligence procedures; written agreement parameters; policies related to oversight and monitoring; data, systems and reporting; and recommendation and approval processes, the FDIC said. Within 30 days from that point, the bank has to come up with an action plan addressing any deficiencies discovered in its third-party relationships program. 

In Sutton Bank’s 10-page consent order, issued Feb. 1, 2024, the FDIC said the bank must implement, within 180 days of the order, a revised AML/CFT program designed to maintain bank compliance with the Bank Secrecy Act.

The FDIC also directed the bank to “develop appropriate policies and procedures relating to third-party risk management,” and compile an inventory of those relationships.

Sutton must designate program managers responsible for customer identification programs, transaction monitoring, independent testing and reporting suspicious activity for each partnership, the FDIC said.

Sutton also must have at least one BSA officer who reports to the board, and must establish a board committee to ensure compliance with the consent order, the FDIC said.

The bank, within 60 days of the order, must devise a plan to review all prepaid card customers since July 1, 2020, to ensure the bank knows their true identities, the FDIC said.

The orders pin responsibility for compliance on banks rather than their partners. “Banks that chose to outsource their risk [to third-party partners] will continue to be at risk of regulatory scrutiny," Matthew Smith, president of Bankers Helping Bankers, told American Banker.

But Phil Goldfeder, CEO of the American Fintech Council, told the publication that banks “also require clarity and appropriate rules of the road from regulators.” 

"It absolutely looks and feels like innovation within the banking system is being disproportionately targeted by regulators who at times seem like they are trying to make a point rather than helping to build the future of financial services," Goldfeder said. 

Lineage Bank entered a consent order with the Federal Deposit Insurance Corp. related to its financial technology partnerships, the agency declared in its monthly list of enforcement actions.

Under the consent order, which took effect Jan. 29, 2024, the Franklin, Tennessee-based lender must implement an enhanced risk management program overseen by its board of directors, increase capital levels, and let go of some fintech partners.

Lineage partnered with fintech enablers Synctera and Synapse to provide banking-as-a-service solutions to its customers.

“Due to our partnerships with organizations like Synctera and Synapse, we’ve been able to tap into the market with great success. We look forward to expanding upon this BaaS growth here in 2023,” Lineage stated in a January 2023 blog post.

The bank has experienced significant growth since 2020, with assets rising from $27 million to nearly $300 million at the end of 2023, according to FDIC call report data.

The order asks the bank’s board to develop and submit a general contingency plan detailing how Lineage Bank “will administer an effective and orderly termination with significant third-party FinTech partners” within 60 days of the order’s effective date.

Additionally, the bank needs to hire a third party to evaluate the management structure and how the bank staff monitor the risk management of Lineage Bank’s BaaS line of business. Based on the evaluation results, the lender will then be required to establish and implement a staffing and action plan to address any weaknesses identified in the report.

The FDIC forbade the bank from entering any new lines of business or expanding its current business in a way that would yield annual growth of 10% or more in total assets or total liabilities without the agency’s prior written approval.

The consent order also dictates that Lineage Bank submit a written capital plan to achieve and maintain a tier 1 leverage capital ratio equal to or greater than 12.5%. It should also achieve and maintain a total risk-based capital ratio equal to or greater than 16%, the agency said.

“We’ve stood by our partner Lineage during their recent leadership transition,” a Synctera spokesperson told Banking Dive in a statement. “While it’s unfortunate to see them leaving the FinTech space, we’re thankful for their ongoing assistance and support in transitioning our shared FinTechs to new banks within the Synctera community.” 

Blue Ridge Bank found itself in regulatory crosshairs again, leading to a consent order with the Office of the Comptroller of the Currency.

Blue Ridge’s primary federal regulator deemed the bank in “troubled condition” after the fintech-focused bank’s alleged continuous failure to establish and maintain a strong and well-staffed Bank Secrecy Act/Anti-Money Laundering compliance program.

The OCC alleged that Blue Ridge’s BSA/AML program experienced systemic internal controls breakdowns and had weak independent testing, and that the bank failed to correct problems already called out within its BSA/AML program by the OCC in a regulatory action in September 2022.

As with the prior regulatory action, Blue Ridge is prohibited from starting up any new third-party fintech relationships or building upon ones already started without the permission of the OCC, and it must maintain a leverage ratio of 10% and a capital ratio of 13% — compared to well-capitalized standards of 5% and 10% — lest it be deemed undercapitalized.

But even with its higher leverage and capital ratio requirements, Blue Ridge cannot be deemed well-capitalized, under the consent order.

Among other things, the bank must also:

• Maintain a committee to monitor compliance with the order and regularly submit progress reports to the regulator
• Submit a written plan to the OCC detailing how it intends to achieve and sustain BSA/AML compliance
• Develop a written program to assess and manage risks posed by third-party relationships
• Develop a better risk-based program to ensure the bank, including accounts related to third party fintechs, meet compliance requirements in filing suspicious activity reports
• Develop a three-year strategic capital plan for achieving and maintaining capital no less than required by the order

An OCC spokesperson told Banking Dive it does not comment on enforcement actions or specific banks.

In connection to the issuance of the order, Blue Ridge neither admits or denies any of the OCC’s findings or charges, according to a Securities and Exchange Commission filing.

CEO Billy Beale told Banking Dive that the consent order “was issued based on the OCC’s June 2023 exam findings and is not reflective of the progress the bank had made since June 2023.”

The bank divulged plans in November 2023 to reduce its roughly 50 banking-as-a-service partnerships to a “limited number” of them, with “a commercial focus or strong consumer traction,” following regulatory scrutiny.

In December 2023, Blue Ridge announced a $150 million capital raise in a private placement deal to comply with the bank’s minimum capital ratios and to support organic growth. Although the capital raise fell through, definitive securities purchase agreements grossing $150 million were successful in April.

The agreements will allow Blue Ridge to “build a stronger platform for growth and shareholder value,” Beale said at the time.