Dive Brief:
- Piermont Bank and Sutton Bank each entered into consent orders with the Federal Deposit Insurance Corp. in February, the regulator disclosed Friday, highlighting alleged deficiencies in the lenders’ banking-as-a-service work and partnerships with fintechs.
- New York City-based Piermont Bank “engaged in unsafe and unsound banking practices,” and failed to have the internal controls and information systems needed for the bank’s size, as well as for the scope and risk involved with its third-party relationships, the FDIC said in the consent order.
- In a separate order, Attica, Ohio-based Sutton Bank was also charged with unsafe or unsound banking practices and violations related to the Bank Secrecy Act.
Dive Insight:
The FDIC’s month-end disclosure of consent orders has become a regular venue for regulatory pushback against banks’ fintech partnerships. At the end of February, the FDIC made public its consent order against Franklin, Tennessee-based Lineage Bank, which the regulator required to implement an enhanced risk management program, increase capital levels and let go of some fintech partners. Blue Ridge Bank, Cross River Bank and First Fed Bank have also received consent orders related to their fintech partnerships in recent months, though not always from the FDIC.
“Every bank that touches BaaS is getting an enforcement action,” Wendy Cai-Lee, CEO of Piermont Bank, told American Banker. “I don’t think anyone is not getting one at this point.”
Piermont’s 35-page consent order, dated Feb. 26, directs the bank’s board to increase its supervision of management, as well as oversight and monitoring of the bank’s financial condition, risk profile, activities, third-party relationships, anti-money laundering and counterterrorism financing, and the bank’s internal controls and audit systems.
The FDIC ordered Piermont to review all transactions since September 2022 to ensure all suspicious activity was reported. It must also review Electronic Funds Transfer Act disputes since August 2020.
The regulator outlined requirements related to maintaining “an appropriate number” of bank officers, establishing systems and procedures to maintain compliance, ensuring an appropriately sized internal audit, and assessing whether the bank’s board committee members have appropriate expertise.
Within 90 days of the order, the bank must conduct a review of the data, documents and records related to its operations, bank activities and third-party relationships, the FDIC said. That assessment must consider whether the data “appropriately enables the bank to operate … in a safe and sound manner,” and to determine whether its third-party relationships comply with laws and regulations, the order said. The bank also has to assess its systems to ensure compliance with laws and regulations.
The order underscored that the bank’s procedures, data and systems tied to third-party relationships and the bank activities conducted through those relationships must “include clear lines of authority and responsibility” when it comes to monitoring adherence to bank procedures and laws and regulations, as well as effective risk assessment.
Within 120 days of the order, the bank has to review whether its third-party relationships program has the appropriate due diligence procedures; written agreement parameters; policies related to oversight and monitoring; data, systems and reporting; and recommendation and approval processes, the FDIC said. Within 30 days from that point, the bank has to come up with an action plan addressing any deficiencies discovered in its third-party relationships program.
Piermont has partnered with BaaS companies Treasury Prime and Unit.
Sutton’s consent order
In Sutton Bank’s 10-page consent order, issued Feb. 1, the FDIC said the bank must implement, within 180 days of the order, a revised AML/CFT program designed to maintain bank compliance with the Bank Secrecy Act.
The FDIC also directed the bank to “develop appropriate policies and procedures relating to third-party risk management,” and compile an inventory of those relationships.
Sutton must designate program managers responsible for customer identification programs, transaction monitoring, independent testing and reporting suspicious activity for each partnership, the FDIC said.
Sutton also must have at least one BSA officer who reports to the board, and must establish a board committee to ensure compliance with the consent order, the FDIC said.
The bank, within 60 days of the order, must devise a plan to review all prepaid card customers since July 1, 2020, to ensure the bank knows their true identities, the FDIC said.
The orders pin responsibility for compliance on banks rather than their partners. “Banks that chose to outsource their risk [to third-party partners] will continue to be at risk of regulatory scrutiny,” Matthew Smith, president of Bankers Helping Bankers, told American Banker.
But Phil Goldfeder, CEO of the American Fintech Council, told the publication that banks “also require clarity and appropriate rules of the road from regulators.”
“It absolutely looks and feels like innovation within the banking system is being disproportionately targeted by regulators who at times seem like they are trying to make a point rather than helping to build the future of financial services,” Goldfeder said.