At first blush, payments and bank partnerships may not seem immediately related. But upon closer consideration, there is an interplay between a bank partner program and the Electronic Fund Transfer Act (EFTA) as implemented by Regulation E, particularly when it comes to timeframes for disputes, liable parties, each party’s obligations when such disputes arise, and risk management overall. Given the overlay between the wording of the EFTA/Reg. E, the CFPB’s regulatory guidance pertaining to the definitions and responsibilities of financial institutions, and contractual relationships, bank partners have a lot to consider when engaging in online transactions.

In this Q&A, Aaron Kouhoupt (Cleveland), David Tallman (Houston), and Rachael Aspery (Cleveland) discuss recent agency guidance as well as regulatory and contractual considerations and responsibilities of both banking institutions and third parties in financial partnerships.

Aaron Kouhoupt: From a statutory perspective, what does Reg. E say as it relates to a non-bank partner?

David Tallman: The regulatory obligations lie largely with the bank, but there are strict requirements around investigating and responding to consumer disputes and to resolving disputed transactions. The non-depository institution in a bank partnership arrangement often is the consumer-facing entity. And by contract, if by nothing else, the non-depository partner is going to have obligations to facilitate the bank’s ability to comply with its obligations.

Aaron Kouhoupt: The CFPB’s Q&A, which clarified the definition of a financial institution, helped in some ways. It provided examples of when a non-depository institution maybe defined as a “financial institution” for purpose of error resolution. This may be true when the non-depository is the entity providing an access device, for example a mobile application or web portal, directly to the consumer. This means a non-depository should not only confirm their status as a “financial institution” but should also frame their contracts to provide for documentation and outline the mechanics of their error resolution practices if necessary.

David Tallman: Coordination is going to be key, absolutely.

Aaron Kouhoupt: Who’s taking the lead on this? Who has the customer documents to conduct an investigation? That question in and of itself can be very problematic, because one of the two entities might not really have the records that are necessary to even conduct a reasonable investigation.

David Tallman: It’s partly a data management issue: mapping out where the information is, who has access to it, and how it’s communicated between the parties in a way that is, if not seamless, at least smooth enough to allow you to conduct that reasonable and thorough investigation within the requisite timeframes.

Aaron Kouhoupt: That’s the key issue. This regulation has one of the fastest triggers under which the financial institution is required to act related to the consumer. You have 10 days to decision the dispute, or provide a provisional credit to the consumer and then take a little bit longer. But it is still a relatively short time to close that dispute out, especially if an entity deals with a high volume or has to coordinate with a party that may not have the necessary records, all while keeping an eye on the clock. Tracking those timeframes amid those coordination efforts becomes really important.

David Tallman: It’s also crucial to keep in mind that payments disputes, in particular, tend to be some of the more complicated, factually speaking. Investigations can and should get down in the weeds to determine, is this fraud? Is it not? What did the consumer know? Did they authorize this transaction? That can be a difficult determination to make, and it requires access to a lot of information.

Aaron Kouhoupt: The three of us have all discussed that challenge in other presentations and settings. What does it mean to be “authorized” now, in this very digital world, where your kids can make a purchase on a device, and their email account is associated with your debit card or your credit card. I’ve told the story numerous times about how one of my children spent a lot of money on Pokemon games via a phone before I really realized it. There’s that tension of how easy it can be sometimes to do an in-app purchase. So how does that look in the dispute setting? And which party is even responsible for thinking through what that looks like? (We’ll ignore in-app purchases, because there’s some liability there for the app maker as far as appearance and presentation, and how easy it might be to make or reverse purchases within a given app.)

The other reason that I really like this topic is because there’s a big overlay to so many areas of law that we’ve talked about. You’ve got UDAAP (Unfair, Deceptive, or Abusive Acts and Practices Act) risk in there, which I bring up in almost every Deep Dive discussion. But even from the perspective of Reg. E dispute resolution, we talked earlier in the Deep Dives about the risk of automated fraud decisioning and automated dispute resolution decisioning. In a bank partner program, at first blush, those automated systems seem like the perfect solution.

But as we talked about before, you have to be careful there not to ignore consumer input as to their complaint. If the consumer provides information that contradicts or goes beyond your decision making, you have to think about that. Which party received that information? Maybe that’s a different party than the one with the automated decisioning. So which party did the consumer have to notify in order to constitute a proper dispute?

David Tallman: And the UDAAP implications go beyond just the Reg. E obligations, if you are mishandling consumer disputes, or not investigating, or dropping the ball in some way that causes consumer harm or is reasonably likely to cause consumer harm. UDAAP is a very versatile tool that the regulators can use, which is why we always mention it. Regulators are increasingly considering consumer harm through a UDAAP lens, and those claims are pretty easily made.

Aaron Kouhoupt: Rachael, given all these concerns over disputes and the various parties’ responsibilities, what should financial institutions consider when establishing a partnership? What should they be thinking about?

Rachael Aspery: How to make this process smoother is essentially the million-dollar question, and it comes down to sound risk management strategies. Banking organizations routinely rely on third parties for a variety of products, services, and activities. They also partner with third parties such as FinTech non-banks to provide consumers and businesses more efficient access to technology and banking services, particularly in the payment space, through bank partnership programs and financial services platforms.

To highlight this concept, in June 2023, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and the Federal Reserve’s Board of Governors issued joint guidance to help banking organizations manage risks associated with third party relationships. This isn’t really a new concept, but this guidance replaces guidance issued by each of these agencies individually, for consistency’s sake, especially concerning vendor management.

While the guidance did not directly address bank partnership programs explicitly by term, the guidance suggests that the agencies are not opposed to bank partner programs in principle. These agencies fully acknowledge that there’s been an uptick in third party relationships, and also acknowledge the benefits that these types of relationships bring to the public but this efficiency and technology doesn’t diminish or revoke a bank’s compliance obligations under applicable state and federal law, and particularly the heavy hitters like UDAAP and regulations governing financial crimes. Banking organizations still have to ensure that their activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, but also, the third party vendor or non-bank partner has its own compliance obligations.

To support the increase in such relationships, the guidance published by the agencies describes principles and considerations for banking organizations for sound risk management of these third party relationships and covers practices and strategies of that life cycle, from beginning to end. This includes planning the due diligence phases, selecting any type of third party, vendor, or partner, as well as contract negotiation, what obligations fall to whom, ongoing monitoring, and then potential termination of a relationship.

The guidance also recommends that each organization, banking organizations particularly, keep an inventory of third party relationships and update this inventory periodically based on that institution’s risk management practices. So this ties in with principles that we talk about all the time: risk management practices, risk appetite, risk profile. It also relates to each organization’s requirement to identify their critical activities and third party relationships that support “critical activities,” which are typically characterized as activities that would cause a banking organization to face significant risk if that third party fails to meet expectations, has significant customer impacts, or has impact on the banking organization’s financial condition, operations, safety, and soundness. Keeping an inventory helps ensure that the banking organization’s risk management program provides strategies in managing their third party relationships, including bank partnerships with FinTechs.

Those types of programs have to align with the nature, complexity, and the size of that institution, all fully acknowledging that each relationship poses a different level of risk and requires its own degree of oversight. However, to do so, a bank may prescribe certain requirements by contract to the non-bank, FinTech, or other third party in order to mitigate the bank’s risk of the partner’s non-compliance with applicable law. This can include, but is not limited to, independent review of that party’s business or operations, periodic testing and auditing of the third party, requiring notification of operational challenges, specifying reports that the third party must provide, and general escalation of issues that arise.

Aaron Kouhoupt: One thing that you said perfectly sums up the key takeaway here: as the entity governed by regulatory requirements, whether Reg. E, the Bank Secrecy Act (BSA), or others, the financial institution is ultimately responsible for compliance with that law, from a strict legal and regulatory perspective. You can’t contract your regulatory obligation away. You can use a third party, you can use a service provider, you can use a non-bank partner to do some of that activity on your behalf, and you can have some contractual provisions within that. But if you are the entity that’s required to comply with the regulation, you’re required to comply with the regulation, and it becomes very important to understand that.

It’s equally important on the non-bank side. Non-bank partners are not subject to certain aspects of Reg. E, for example, but look at your contract and look at what the bank has asked you to do as a service provider. You might not get regulatory criticism because you’re not subject to it, but you could have breach of contract issues. You could be fiscally liable to the entity that you’re providing the service for. UDAAP might also apply, whether the underlying regulation does or not, so that somebody can come in and say, this regulation exists and not following it is unfair, deceptive, or abusive. And so we’re going, use this UDAAP overlay. And so I think it’s a mistake, David, to look at the regulation and say, “not covered by it, not our problem.”

David Tallman: Absolutely. One of the benefits of a bank partnership for the non-bank is access to additional payment rails. Depending on how the arrangement is structured on the flow of funds, it can reduce regulatory requirements or licensing obligations, although not always. So there are reasons why non-banks want to partner with a bank, but it’s a double-edged sword since banks are subject to very robust, very well-defined third party risk management obligations, as Rachael discussed. By entering into the bank partnership, the non-bank partner becomes subject to that and should expect a significant degree of oversight by the bank.

Aaron Kouhoupt: Rachael, you and I have both worked in-house, and we’ve seen this first-hand. For both the bank and for the non-bank entity, what that oversight really comes down to is strong risk management procedures and strong documentation so that, when something comes up, there is a map to follow.

Rachael Aspery: That’s exactly right. We discussed this guidance because the agencies are emphatic about sound risk management programs for banking organizations and those engaged in third party relationships. And that in turn highlights what non-banks or FinTechs they could potentially expect. Obviously, it depends on the nature, complexity, and size of the organization. Some may have more robust compliance obligations, more rigorous third party management or vendor risk management programs. But every party involved has their own respective obligations.

These types of programs present tremendous opportunities for both parties, but it does potentially carry considerable obligations, whether contractual or regulatory. It’s important for all parties to be aware of this.

Aaron Kouhoupt: Absolutely. The takeaway here is that in any partnership, whether for a bank partner, service provider, or other third party: it’s critical to appreciate the contractual obligations at play. It’s not sufficient to analyze Reg. E and decide, “we’re not subject to this, so we don’t really have to worry about it.” Are you consumer facing? Is there some risk that a consumer misunderstands what your role is, or misunderstands what they’re doing? Have you then fallen short of a contractual obligation because there was an expectation that you act on behalf of the bank? That next level of analysis beyond what is strictly, technically required by Reg. Z or Reg. E. is required, for every kind of entity.

McGlinchey is pleased to present Deep Dive sessions into all things consumer finance. Each series will last 2-3 months, delivering content laser-focused on a certain regulation or topic at the top of your mind, delivered by attorneys across our various teams and spanning our geographic footprint.