The New AML Compliance Landscape
Bank-fintech partnerships have transformed the financial services landscape, creating new opportunities and challenges for traditional banking institutions and innovative technology companies alike. In a typical arrangement, a technology company delivers innovative approaches to help banks offer regulated products and services. From referral agreements to application programming interface-powered wallets, investing and credit products, and embedded finance integrations, a fintech company and a bank leverage their comparative advantages to lower costs, increase convenience, and expand financial opportunities for consumers.
The compliance environment for these bank-fintech partnerships is rapidly evolving. In particular, the regulatory focus on the anti-money laundering (AML) compliance in such arrangements has intensified, with recent enforcement actions, consent decrees, and federal guidance underscoring the risks to both banks and fintech providers.
In light of the more robust scrutiny, banks are increasingly requiring fintechs to meet stricter standards, including requiring their fintech partners to implement more intensive AML policies and procedures than would otherwise be required of nonbank entities. Partnership agreements frequently give banks the right to review and audit the compliance procedures of their fintech partners—and regulators have made clear, through the recent spate of enforcement actions, that they expect banks to exercise that right. Fintech partners should be prepared for such reviews and audits to occur with increased frequency and stringency.
What’s Driving the Scrutiny?
Several factors are driving regulators’ heightened scrutiny of banking-fintech partnerships:
Misaligned Compliance Expectations
It is not uncommon in Banking-as-a-Service (BaaS) arrangements for the fintech to be assigned principal compliance responsibilities for the program that it operates. Such obligations are typically memorialized in the program agreement. These standard agreements can, at times, lead a bank to heavily rely on its fintech partner. But since fintechs have fundamentally different obligations than banks, this creates the potential for misalignment and, ultimately, can lead to noncompliance.
- Bank Secrecy Act (BSA) Obligations: Banks have their own independent BSA/AML compliance obligations regardless of what functions they seek to delegate to their fintech partners. Simply put, banks cannot delegate their BSA/AML obligations to their fintech partners and hope for the best. A fintech satisfying its own obligations will not mean that the bank has satisfied the more stringent requirements to which it is subject under the BSA. This misalignment has been the focus of recent regulatory scrutiny. Banks are subject to the highest degree of compliance obligations under the BSA, including requirements to maintain comprehensive AML programs, perform customer due diligence, report cash transactions over $10,000, monitor suspicious activity, and conduct risk profiling.
- Fintech Obligations: By contrast, many fintechs are technology providers rather than financial institutions and, as such, have no independent obligations under the BSA. Alternatively, some fintechs are subject to the BSA as money services businesses (MSBs)1, which face less comprehensive requirements than banks. While MSBs must develop, implement, and maintain an effective AML program, banks face more stringent BSA requirements in several key areas. Banks must implement enhanced due diligence for higher-risk customers, maintain more extensive transaction records, and deploy more sophisticated monitoring systems. Additionally, banks undergo more frequent and rigorous regulatory examinations, must satisfy the Customer Identification Program requirements of § 326 of the USA PATRIOT Act, and have broader obligations for correspondent banking relationships and private banking accounts for non-U.S. persons.
Increasing Pressure on Banks to Oversee Service Providers
Federal bank regulators have steadily built out guidance and examination criteria focused on a banking organization’s ability to effectively manage risks associated with third-party relationships in general and fintech partnerships in particular.2 The guidance urges banks to implement risk-management practices for all stages in the life cycle of third-party relationships, including planning, due diligence, contract negotiation, ongoing monitoring, and termination. As regulators probe these relationships, banks are enforcing their contractual rights to audit or approve fintech compliance programs, especially for partners involved with BSA-relevant functions.
Regulatory Guidance in Focus
Recent agency activity reflects a coordinated regulatory push to raise the bar in third-party risk oversight. Key publications include:
Of particular relevance, the guidance from regulators makes clear that banks cannot outsource their legal obligations—BSA or otherwise—to third parties. As the Interagency Guidance on Third-Party Relationships states in relevant part, “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”
High-Profile Enforcement
The spate of recent enforcement actions and consent decrees demonstrates that regulators are increasingly scrutinizing bank-fintech partnerships and that the consequences of noncompliance can be severe. In recent years and among other examples, the following notable actions were undertaken by banking regulators:
- Evolve Bancorp, Inc. & Evolve Bank & Trust: In June 2024, the Federal Reserve Board of Governors issued a cease-and-desist order against Evolve Bank specifically related to its dealings with fintech partners. The order noted that the bank had “pursued a business strategy that primarily involves offering deposit accounts and payment processing services to … fintech partners … that, in turn, offer various financial products and services to end-user customers.” With respect to BSA/AML compliance, the order required the bank to retain an independent third party to conduct a comprehensive review of the effectiveness of the bank’s BSA/AML compliance. That review was required to, among other things, identify all fintech partners to ensure that such partners “are appropriately risk-rated and included in the Bank’s BSA/AML compliance program, policies, and procedures.” The bank was also required to retain an independent third party to review domestic and international wire transaction activity associated with the bank’s fintech partners to “determine whether suspicious activity at, by, or through the Bank was properly identified and reported in accordance with applicable suspicious activity reporting regulations.” Finally, the bank was prohibited from establishing any new fintech partnerships or offering any new products, programs, or services to an existing fintech partner without prior approval of the Federal Reserve.
- Blue Ridge Bank N.A.: In January 2024, the Office of the Comptroller of the Currency (OCC) entered a consent order alleging that Blue Ridge’s BSA/AML program experienced “systemic internal controls breakdowns,” among other issues. As to third-party risk management, the order directed the bank to implement and adhere to a written program to effectively assess and manage risks posed by third-party relationships (including fintech partners). The bank was directed to conduct an “assessment of BSA risk for each third-party relationship, including risk associated with BSA compliance, money laundering, terrorist financing, and sanctions risk, as well as each third-party relationship’s processes for mitigating such risk and complying with applicable laws and regulations.” The bank was also directed to adopt due diligence and risk assessment criteria for selecting and approving each third-party relationship. Under the order, the bank was prohibited from onboarding new third-party fintech relationships or engaging in new activities with existing fintech partners until the bank complied with the BSA.
Bank Exits from BaaS
In light of the above-described regulatory scrutiny, some banks are proactively withdrawing from BaaS arrangements altogether, citing the burdens of meeting evolving regulatory standards. Indeed, recent banking industry reporting suggests that it is becoming more difficult for fintechs to find partner banks as more banks exit the space.
Strategic Takeaways
- Reevaluate your current policies and revisit your contractual obligations. Assess whether your policies and procedures are aligned with your bank partner’s compliance expectations—and whether your contracts reflect current regulatory norms. Ensure your AML program is properly tailored to the risks associated with your specific products, services, customer types, and transaction volumes, including robust risk assessment, due diligence, monitoring, and reporting mechanisms that satisfy both regulatory requirements and your bank partner’s vendor management protocols.
- Prepare for more oversight and audits from your banking partners. Build internal processes and documentation to support bank audits or requests for compliance testing. Establishing clear channels of communication and responsible parties can greatly improve the oversight relationship. To the extent banks have contractual rights to review, assess, and audit their fintech’s AML compliance, expect that banks will exercise these rights with more regularity and thoroughness.
- Don’t assume past practices will hold. As banks seek to limit their own potential exposure, your compliance posture may determine your ability to maintain or secure critical partnerships.
Footnotes
1 31 CFR § 1010.100(ff).
2 Banks are supervised and regulated at the federal level by the Office of the Comptroller of the Currency for national banks, the Federal Reserve Board of Governors for state banks that are members of the Federal Reserve, and the Federal Deposit Insurance Corporation for state non-member banks. State banks are also subject to supervision, regulation, and enforcement by state banking agencies.