The Federal Deposit Insurance Corporation (“FDIC”) recently entered into a consent order with Cross River Bank (“CRB”) addressing what the FDIC considered to be unsafe and unsound banking practices associated with CRB’s fair lending compliance.

The consent order, which was published in April on the FDIC’s website, required CRB to take extensive corrective actions. With CRB being a known banking partner of fintechs – having recently partnered with Circle in connection with the automatic settlement of Circle’s USDC stablecoin – the consent order has prompted questions on whether heightened regulatory action is on the horizon for financial institutions with marketplace lending and credit products offered in collaboration with third parties. This alert discusses certain consent order provisions related to CRB’s third party-facilitated lending that may be of note for financial institutions with similar operations, or any bank that is considering partnering with fintechs to provide banking-as-a-service.

At a high level, the consent order requires CRB to do the following:

1. Strengthen marketplace lending and third party compliance controls. CRB was tasked with increasing supervision and oversight of internal controls, information systems, credit underwriting practices and internal audit systems relating to its marketplace lending, and also developing its third party compliance internal controls.
2. Comply with credit product and third party disclosure and non-objection processes. CRB must identify credit products offered by, or in conjunction with, CRB (“CRB Credit Products”), identify all third parties that offer CRB Credit Products, and seek the FDIC’s non-objection before offering new credit products or partnering with new third parties.
3. Prepare assessments and reports regarding information systems and fair lending. CRB must engage independent third parties acceptable to the FDIC to prepare certain assessments and reports regarding CRB’s information systems and fair lending compliance.

Below are areas of concern highlighted by the FDIC in connection with CRB’s credit offerings:

Fair Lending Compliance When Using Automated Processes and Systems for Credit Decisions. The consent order required improvements to CRB’s internal controls for its Marketplace Lending. Cross River’s website describes Marketplace Lending as a platform that “accepts applications for a wide variety of loans and determines an applicant’s creditworthiness using an automated algorithm.” CRB originates loans that are issued to consumers and small businesses through CRB’s lending partners.

The FDIC required periodic risk-based fair lending assessments of marketplace lending activities, with assessments that are “well supported by qualitative and quantitative data.” In addition, the FDIC’s consent order imposed requirements aimed at ensuring automated processes used in CRB credit decisions are adequately examined and assessed for compliance with fair lending requirements. For example, the consent order provides that the independent third party evaluation of CRB’s information systems must assess if data on CRB’s credit products and data on “any models or systems, including any variables or weightings, used or relied on in connection with a credit product” is sufficiently complete, accurate and accessible to permit CRB to appropriately monitor compliance of the credit products, third parties and credit models with all applicable fair lending laws and regulations. In addition, the independent third party evaluation of CRB’s fair lending practices must consider and analyze CRB’s use of “non-staff resources, including software, automated systems, and/or other technology” in connection with lending decisions, and “assess the adequacy and effectiveness” of non-staff resources in supporting the fair lending compliance requirements of the bank.

Robust Third Party Due Diligence Requirements. The consent order’s non-objection requirements imposed in-depth due diligence obligations on CRB in connection with offering new credit products or permitting new third parties to offer its products. To partner with a new third party, CRB must provide the FDIC with (i) a draft of the proposed written agreement between CRB and the new third party, (ii) a third party risk assessment that evaluates, among other things, the third party’s internal controls, internal audit functions, and any models or systems the third party employs in connection with a credit product, (iii) a written assessment from the CRB board on whether the third party meets CRB’s due diligence standards, and (iv) descriptions of the procedures CRB will use to evaluate and monitor the third party’s fair lending compliance and compliance with the recordkeeping and informational requirements set out in the consent order. In addition, CRB is required to have processes in place to assess at least annually whether each of the third parties offering CRB Credit Products are in compliance with fair lending requirements.

Marketing Decisions Related to Credit Products. Under the consent order, CRB is expected to consider the marketing associated with its credit products as part of its fair lending compliance obligations. This includes considering the terms and conditions describing a credit product in its own marketing materials, contractually requiring the recordkeeping of marketing materials in its agreements with new third parties, and overseeing the terms and conditions in marketing materials regarding a credit product that are distributed by a third party.

The consent order highlights features of fair lending processes and procedures that the FDIC considered relevant in connection with CRB’s offer of credit products in collaboration with third parties. The FDIC directive to implement additional compliance management system controls required not only ensuring that CRB’s products and services comply with fair lending laws, but also the Truth in Lending Act, the Electronic Fund Transfer Act, and more generally, Section 5 of the FTC Act, which indicates the FDIC’s findings here may apply to other aspects of banking-as-a-service.

Banks with credit product arrangements like CRB, and those who are partnering with, or considering partnering with, fintechs may wish to examine their internal controls, due diligence, and information systems processes in the context of the directives identified in the Cross River consent order. Specifically, banks may consider implementing the following aspects of the written compliance program mandated by the FDIC as part of the consent order:

• policies that address the bank’s products and services and related consumer protection risks which are designed to ensure compliance with consumer protection laws,
• training that provides comprehensive education in applicable consumer protection laws and bank policies to employees,
• monitoring that regularly reviews bank business units and operations, products/services, and changes in applicable consumer protection laws,
• a consumer complaint process that provides for timely identification, review, investigation, response to and resolution of all consumer complaints received by the bank and third-party providers, and
• a consumer protection audit program that ensures an effective, independent, risk-based review is conducted of bank policies and product/services to determine compliance with consumer protection laws.