Bank Shut Offs: Why You’re (Maybe) Not Wrong

RUNWAY FINTECH SERIES: Compliance Advice you can Use??

This series is for leaders in small to mid-sized startup fintechs, with compliance environments in any state. Whether you’re humming happily along or compliance hasn’t made an agenda, there’s something in this series for you to think about and, we like to think, help. Maybe you can avoid some common pitfalls before you plunk into them or get so good you fly through your next due diligence round. Enjoy.??

It’s July 2024 and Evolve Bank finally received a consent order. Those of you following the Evolve Bank saga know that it started back at FTX over 18 months ago, and now with the more recent Synapse debacle. Being in the fintech industry, I honestly predicted that Evolve’s consent order would come at the end of 2023. I mentioned it to more than one person and company. I got some sideways glances as the Synapse news came out and no consent order. I couldn’t imagine this was going to continue, which of course it didn’t. It just took even more time than I predicted.?

I’m betting many of you don’t know what happens in that time. I can give you a couple of basics, but it could arm you “just right” as you look at your bank. First, let’s start with fintech banks overall. A couple have lasted several years, but no one has had real staying power. Every big fintech bank player I worked with 10+ years ago has gone through consent and either exited the fintech banking business or drastically adjusted its risk profile so they just don’t take much of the business. It all kind of started in prepaid, lots of innovation in prepaid products was the initial spark of the fintech flame we know today. But the banks backing those businesses didn’t know exactly how the compliance should work. That’s not shocking, it was the start of something and certainly there would be mistakes. But in the way of US banking, nothing moves particularly quickly, including how this is best done.?

Honestly, it’s innovation that’s impacted. This bad compliance from the regulators on down is a distraction from it and a detriment to innovation. But I digress too soon.?

Banks still, collectively, just don’t know how or what exactly their fintech clients should comply with. You either get a scalpel, where they’re digging into one thing, or it’s a seemingly random buckshot. And at its worst, it’s a scalpel when you start and then later during some review the bank goes through, they toss the buckshot. A likely cash conservative little fintech startup just wants to know what it’s supposed to comply with to be good, right! Well, here’s why listening to your bank or the program manager between you and your bank, isn’t really the way to get that complete list.?

Here’s what’s happening. Many years ago, more when I was at a very large card network, some large and medium-sized banks went after banking fintech business. It was so great! Easy money! A couple years later, they each found themselves in consent orders and had to restructure or end all that business. Either way they severely tightened their risk profiles. Most bigger banks pretty much stepped away from banking fintech startups. A few get through, but only those that look more like regular businesses. So where do all the little guys go? I mean, what they’re doing isn’t illegal, someone has to want this business. Enter little state banks. A bunch of little state banks start banking all kinds of fintech business. A couple come and go the way of consent pretty quickly, but it’s assumed they just didn’t know what they’re doing so new ones just step on in. Evolve was among those stepping in and with the help of a couple program managers bringing in all kinds of business. They built a huge portfolio and became one of the biggest fintech banks (if not the biggest in recent years, I just didn’t bother going to prove it).?

A good reminder at this point, or at least something worth pointing out. I haven’t said any bank has made it through all this and we have a clear path of how banks should manage the compliance of their fintech clients. So, yes, a bunch of little state banks jump on the fintech management band wagon after larger banks fail. Honestly, exactly who thought this was going to work out I’m not sure.?

In fairness, Evolve’s not alone. As the previous Chief Compliance Officer of several fintechs, I’ve known the banking relationships personally. Some of these banks even hire Silicon Valley bankers to “get this right”. Yet, to date I’ve received only one fully functional risk assessment asking me to cover each and every common compliance area of a business. What does that mean? It means, every bank but that one has regulatory gaps in how they’re managing their fintechs. I still don’t know exactly why.?

There’s often tremendous focus on financial crimes programs and a smidge of data protection, but to be honest a lot of the time that’s where a bank tends to end its oversight. Oh, sure, add in one other area that someone just happens to have gone to a conference about or they did a ton of at their last job. Due diligence is thin, ongoing management is often worse, and the banks generally want to blame their program managers or the fintechs. Personally, I blame regulators who have never actually worked in a fintech so they don’t actually know what needs to happen, so they don’t know what to tell the banks to do. If regulators don’t mandate clearly to the banks, the trickle down is just...bad.?

All that to say, you can blame whoever you want, but banks aren’t managing their fintech clients clearly and consistently from a full coverage risk scorecard. Now, that may sound daunting, but if you know the industry it’s actually not that difficult to get phenomenally better coverage than we’re getting. That’s a future article though, right now you’re probably wanting me to get to my point...if your bank drops you, you might not be the one who’s wrong because this is how this works.?

I don’t mean to pick exclusively on Evolve, they just have the best recent headline. To be clear, this could be ANY fintech bank. Here’s how the story goes. Someone at the bank is approached by a fintech or an executive sees fintech clients can bring in decent revenue; for whatever reason the bank decides, they’re going for these clients. They make a due diligence process maybe, often focusing on financial crime and a little bit of data protection. They push a ton of daily, monthly, quarterly management of compliance requirements off to the program managers and the fintechs themselves. They even discuss plans with their regulators, who seem to be all good with the plan and program. Genius! Everyone’s feeling good and making money. They bring on even more fintech clients, because once word gets out there, well, they will come.?

Then, there’s the first regulator audit. It goes well enough, a couple adjustments. Then the next, a few more warts. Maybe one of the businesses they bank ends up in a headline or maybe what’s provided in a recent audit is just lackluster, or maybe the fintech portfolio of the bank is just big and suddenly shifting the whole risk profile of the bank (think Silicon Valley Bank), but different regulators start popping up. It’s getting harder. In Evolves' case, it appeared to be FTX. With some of these other small banks, it’s less of a headline, but regulator feedback starts piling in. The bank gets agency “recommendations”, which are regulators way of saying “we should see progress on this within 6 months or you’ll be headed to a consent order.” The banks Board of Directors does not like this, these are the worst “recommendations” they’ve ever had.??

The Board ceases all new fintech business. Yes, this is a common effect of a bit of regulator feedback if the bank’s Board is any good. If the banked business handles other people’s money in any non-traditional way, the bank is on a break from that business. Then, as part of the remediation processes, the current fintech client portfolio of that bank gets a full, deep, risk and compliance review. Any client who doesn’t look like a known, traditional, fintech product, with known, traditional compliance mandates is, generally, out. Heck, sometime known fintech products are out if they just haven’t been performing. If it’s not making major money, it could be cut during this period.?

Now, did those businesses do anything wrong? Are they actually non-compliant? Did those businesses themselves fail any review with the bank? More often than not, no, they haven’t significantly changed their business or product in months, maybe even a year or two. It does not matter. The bank Board wants its risk profile down, immediately. That means anything unusual is just done. And, yes, they can absolutely do that. And, no, you (maybe) did absolutely nothing wrong.??

You might simply be ensnared in the crosshairs of your bank's regulators and their readjustment of risk.?

Now, some really smart banks cut the business realizing they just don’t know how to manage it and avoid the consent order. Some keep at it, just not seeing that they do not have a template for effectively managing these businesses that handle other people’s money like a bank (that’s pretty much what a fintech is). And their portfolio is so big, some of those poorly compliance managed businesses get big...and then blow up.?

That blow up will ripple through that bank and all the others as well. All the banks banking fintechs, or at least the halfway decent ones, will do a portfolio and due diligence processes review. Many will cut some business and tighten their risk profiles to make it harder to accept new fintech business. It all gets harder for everyone, but not any clearer. The regulators have a new area they’re picking at (Synapse and ledgers, oh, such a good future conversation!). The bank compliance management of that area might improve and, frankly, it might not. A lot of times, the headlines and consents rattle everyone for a moment, but meaningful adjustments aren’t made by the regulators so each bank just goes along trying to guess how to adjust their fintech program management. Yes, I’m serious.?

Given this series is for the fintechs, what does all this seemingly bad news mean for you? Well, it kind of goes like this. If you’re trying to get in with a bank and the due diligence is short, not too bad, do not be so pleased! It means, as you move forward with that bank there is a higher likelihood you will just be shut off one day. ?That, as much as you don’t want to hear it, is bad fintech program management. They also will, I just don’t know exactly when, give you a laundry list of items to comply with one day. It happens every time. They will buckle down and what you thought was a great relationship will suddenly, out of the blue probably, be a nightmare. You have to move resources over to solve it or lose your bank. And worse, because you didn’t have to do real, full, due diligence in the first place, changing banks is hard. The other banks ask for so much! And where exactly will you be in runway when all this bad news comes? I can tell you, if this bad news comes when you’re short on runway, it can hurt more than you can possibly imagine.?

If you didn’t build your compliance program around what was asked of you, but rather around the risks of your business (I know, now I’m just getting crazy), then you’re in a significantly stronger position. You might be able to negotiate more time with the bad bank and finding a new bank is not so hard for you. If you were really well risk and compliance managed, you already had bank diversity and one bank closure is simply an annoyance. Of course, that requires assessing your business by its risk and compliance profile, which so many startup founders are afraid of and yet it so often takes the business down. Ah, two points for future conversations.??

If your Compliance Officer or anyone else is trying to tell you your bank is dropping your business because your product is non-compliant, or because your business has done something wrong, check the news. Check consent orders given to that bank. Talking to the bank usually does not help, they usually cannot tell you about what’s going on internally and many employees don’t know how this goes. They don’t get it. But if you look and there’s activity around that bank, take a pause. This may have very little to do with you and your business. You still may have to leave that bank. The only question is how well your compliance program was built, which will be a large determining factor in how you weather that storm.?