Pick Up the Indemnification Stick for Your True Lender Bundle



In this edition of Fintech Flash, we discuss ways to think about true lender risk in fintech–bank lending partnerships, with a particular focus on how indemnification provisions in program agreements weigh in the balance of the true lender determination. This Flash provides practice tips on drafting indemnification provisions with true lender risk in mind.

“True lender” is one of the biggest risks in a fintech–bank lending partnership. It is a challenge that regulators or plaintiffs’ counsel could advance, alleging that the fintech company is really the lender in the arrangement, not the bank. It goes something like this: The fintech did so many activities, got so much of the economic benefit, and took on so much of the program risk that it should be considered the true lender. And, as the true lender, the fintech would not have been authorized to charge as high an interest rate or as much in fees as the bank, and, therefore, the loans should be considered usurious or the fees charged exceeded legal limits.

Game of Pick-up Sticks

Addressing true lender risk is akin to playing a game of pick-up sticks.1 Case law and regulator actions have indicated that the totality of the circumstances must be considered to determine the identity of the “true lender,” with key factors (sticks) heaped onto one of six question piles2:

Appearance Pile: Does the bank appear to be the lender to prospects, applicants, and borrowers—really the world?

Stick Example: Do the marketing materials prominently disclose that the bank is the lender?

Non-Ministerial Functions Pile: Does the bank perform or control the non-ministerial functions normally performed by the lender?3

Stick Example: Does the bank approve program loans via approving and adopting the underwriting guidelines and credit criteria, and does the bank require its approval for any changes or deviation from the guidelines and criteria?

Control Pile: More generally, does the bank control the program?4

Stick Example: Does the bank require the fintech to periodically report its compliance and have the right to direct remediation of any reported issues needing attention?

Source of Funding Pile: Is the bank the real source of funding of the program loans?5

Stick Example: Does the bank use its own funds to fund the loans?

Economic Interest Pile: Does the bank have a “predominant economic interest” in the loans?6

Stick Example: Does the bank retain the loan account and some horizontal percentage of the receivables generated by the account?

Risk Pile: Does the bank have some level of risk reasonably expected of an originating lender under the circumstances?

Stick Example: Is the indemnification provision in the program agreement mutual?

The true lender risk mitigation exercise is to gather the biggest bundle of sticks possible in an effort to answer each pile question in the affirmative, to make the case that the bank is the true lender.

Rise of the Risk Pile

The Risk Pile is pointed up in CFPB v. CashCall, which holds: “The key and most determinative [true lender] factor is whether Western Sky [the lender in name] placed its own money at risk at any time during the transactions, or whether the entire monetary burden and risk of the loan program was borne by CashCall.”7 Bad facts for CashCall in this case that led to it being recast as the true lender include CashCall “fully indemnifying” for any litigation or regulatory action, assuming all the regulatory risk and covering financial risks other than loan performance.8 There is the indemnification stick — the fintech providing “full indemnification.”

More recently, the risk pile’s indemnification stick has been incorporated by at least five states as a factor in their true lender/anti-evasion laws.9 Each of the five states has the same formulation. Here is Maine’s:

A person is a lender subject to the requirements of the [Maine Consumer Credit Code — Finance Charges and Related Provisions] notwithstanding the fact that the person purports to act as . . . [a] service provider . . . for [a bank] . . . , if, among other things:
. . .
3. The totality of the circumstances indicate that the person is the lender and the transaction is structured to evade the requirements of this Article. Circumstances that weigh in favor of a person being a lender include, without limitation, when the person:
A. Indemnifies, insures or protects an exempt entity for any costs or risks related to the loan;
B. Predominantly designs, controls or operates the loan program; or
C. Purports to act as an agent or service provider or in another capacity for an exempt entity while acting directly as a lender in other states.10

Practice Points for Indemnification Provisions in Program Agreements

To make a good grab at picking up the indemnification stick from the Risk Pile and adding it to your true lender bundle, consider incorporating the following points into the indemnification provisions of your program agreement:

  • Make the indemnification section mutual — both the fintech and the bank should have indemnification obligations. Each party should indemnify the other for losses resulting from the indemnifying party’s breach of any of its representations, warranties, or covenants made in the program agreement. Obviously, the fintech should have more potential indemnification obligations because it performs more program obligations and, therefore, makes more representations, warranties, and covenants around its expanded obligations. Of course, include other traditional indemnification grounds for both parties, such as those covering intellectual property infringement, security breaches, and gross negligence or willful misconduct.
  • Avoid flatly requiring the fintech to indemnify the bank for any and all claims, litigation, regulator inquiries or actions, or losses, particularly to the extent that any of the same result from the bank’s breach of any of its representations, warranties, or covenants in the program agreement, the bank’s acts or omissions, or the fintech following the bank’s directions or requirements.
  • Limit indemnification to third-party claims.
  • Where appropriate, include reasonableness qualifiers in the enumerated losses covered by indemnification (e.g., “Losses” means all damages, fines, penalties, judgments, settlements, costs, and fees, including attorneys’ fees, each as reasonably incurred by the indemnified party).
  • Stay away from dollar caps on the bank’s aggregate liability, particularly if the cap is one-way in favor of the bank.

Naturally, from a commercial perspective, the split of indemnification obligations between the parties should approximate the parties’ split of program obligations and interests in the program loans, informed by market expectations.11 The fintech providing “full indemnification” à la CashCall should be avoided.

[1] Pick-up sticks is a centuries-old game of skill played with sticks. The game starts with a player bunching 50 or so sticks in their hands, holding them above a tabletop or other flat surface, and dropping them so the sticks fall into a pile. Players take turns trying to remove a single stick from the pile without disturbing any other. If a player succeeds in doing so, they may try again. The player with the most sticks after all are picked up wins.
[2] Each pile contains a number of sticks. We offer an example of one stick for each pile.
[3] This pile derives from the Federal Deposit Insurance Corporation’s guidance on where a bank is located for purposes of interest exportation. See FDIC General Counsel’s Opinion 11, 63 Fed. Reg. 27282 (May 18, 1998).
[4] The 2020 settlement of a true lender lawsuit brought by the Administrator of the Colorado Uniform Consumer Credit Code against two fintech-bank lending partnerships is a source for control and supervision requirements for banks in these arrangements. See Assurance of Discontinuance dated as of August 7, 2020 entered into by and among the Colorado Administrator of the Uniform Consumer Credit Code; the Attorney General of Colorado; Avant of Colorado, LLC; Avant, LLC; Avant PB SPV, LLC; WebBank; Wilmington Trust, N.A.; Wilmington Savings Fund Society, FSB; Marlette Funding, LLC; and Cross River Bank.
[5] This pile can be traced to the secondary market exemption in Regulation X, the implementing regulation of the Real Estate Settlement Procedures Act. See 12 C.F.R. § 1024.5(b)(7).
[6] See Ga. Code Ann. § 16-17-6; Sawyer v. Bill Me Later, Inc., 23 F. Supp. 3d 1359 (D. Utah 2014); CashCall, Inc. v. Morrisey, No. 12-1274, 2014 W. Va. LEXIS 587 (W. Va., May 30, 2014), cert. denied, 135 S. Ct. 2050 (2015).
[7] CFPB v. CashCall, 2016 WL 4820635, at *6 (C.D. Cal., Aug. 31, 2016) (emphasis added).
[8] Id.
[9] See Conn. Gen. Stat. § 36a-556(d); 815 Ill. Comp. Stat. Ann. 123/15-5-15(b); Me. Rev. Stat. tit. 9-A, § 2-702; Minn. Stat. § 47.60(8)(c); N.M. Stat. Ann. § 58-15-3(D).
[10] Me. Rev. Stat. tit. 9-A, § 2-702 (emphasis added).
[11] Importantly, we note that at our Fintech Forum event in San Francisco on February 7, 2024 one of the panelists on the investment trends in fintech companies panel emphasized that their firm focuses on the breadth of indemnification provisions in material contracts when assessing investment opportunities in fintechs.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising

Written by:


Goodwin on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide