The partnership between Citigroup and Numerated will help automate transferring important financial data from borrowers to the bank’s own systems. The transition should make the underwriting and data analysis process more efficient.
David Paul Morris/Bloomberg
Citigroup is partnering with the Boston-based digital lending fintech Numerated to help streamline the document organization process across the megabank’s enterprise lending operations.
Financial spreading is the process of transferring information from a borrower’s balance sheet into an institution’s financial analysis spreadsheet to spot trends and better predict future financial statements. It’s a critical part of any underwriting decision — and why Citi has been exploring the addition of technology to assist with this for many years.
“In a way, it’s a giant mapping exercise to ingest all the historical financial data on thousands of companies and automate future updates as they become available,” said Katya Chupryna, a director at Citi. “Converting this tremendous trove of information from disparate sources in diverse formats from unstructured to structured creates uniformity and opens up endless opportunities for immediate and future interaction with the resulting datasets.”
1/3
Example of how Numerated’s platform can extract data from borrower documents and provide underwriters with summaries. (Numerated)
2/3
Multipage documents are stored in Numerated’s platform for underwriters to verify and review. (Numerated)
3/3
Numerated’s artificial intelligence-driven financial spreading automation tools can extract data from the documents and categorize it on the platform. (Numerated.)
After Numerated’s commercial lending platform receives credit documents from Citi’s borrowers through the bank’s customer-facing systems, the fintech’s artificial intelligence-driven automation tools help compile the statements like tax filings and balance sheets into a singular dashboard accompanied with ratios on liquidity, credit and more.
Underwriters can conduct credit analyses and other reviews of their own within the platform after the data has been validated, before exporting the results to other departments within the bank.
“Through digitization of labor-intensive processes with the help of machine learning, financial institutions can augment manual processes to complete tasks more efficiently and make faster and more accurate decisions with better insights,” Chupryna said. The bank also invested in Numerated through its Markets Strategic Investments division.
This initiative is the latest in a wave of tech adoptions by Citi, which has invested in firms like the California-based real-time analytics platform StarTree and Ateria AI‘s digital documentation platform for drafting and negotiation of financial contracts.
AI adoption within the financial services space has been gearing up in 2024. According to research released in March by Arizent, American Banker’s parent company, 36% of respondents said they were exploring tech providers throughout the industry and 34% held that they were attending industry conferences or events on AI to better understand different use cases.
One such institution that has built out new tools is the Royal Bank of Canada. RBC has been working with the AI-powered wealth management platform TIFIN AG through its U.S. wealth management division since last August to outfit its advisors with an AI-powered insights tool for identifying client leads.
Other examples include the $3.8 billion-asset Citizens First Bank in The Villages, Florida, which has partnered with the Tennessee-based risk management software firm Ncontracts for more than five years and is exploring the firm’s new Ntelligent Contracts Assistant.
Experts say the growing interest among banks and credit unions in lending technology is largely “driven by the integration of diverse alternative data into their decision-making processes,” according to David Donovan, head of financial services at Publicis Sapient, a global digital consultancy firm.
“Lenders now consider a variety of data sources such as payment history, bank account data, educational and employment backgrounds,” and more, Donovan said. “These alternative data points complement traditional metrics like credit scores and income, providing a more comprehensive and real-time understanding of an individual’s financial habits.”
But not all executives are eager to jump into the AI ecosystem. Further findings in the March Arizent report showed that 61% of respondents felt that the technology is evolving too quickly to keep pace with, in addition to a separate 57% saying AI could introduce new ethical concerns or biases into their businesses.
Ian Benton, senior analyst in digital banking at Javelin Strategy & Research, said that while generative AI used internally for assistance with lending is poised for rapid adoption, consumer-facing applications are less abundant.
“Hallucinated data and insights, biases, legal compliance and customer expectations of interacting with a human [all] add up to reasons providers should exercise extreme caution before rolling out customer-facing tools using generative AI,” Benton said.
Other hurdles involve data privacy and security restrictions, legacy system inadequacies and the regulatory differences at the state and federal levels over AI usage, said Rajul Sood, global head of banking at the global research and analytics firm Acuity Knowledge Partners.
As Citi’s commercial lending experts use the Numerated platform, the bank will continue rolling out the product across its footprint.
“To see a bank like Citi making a global, very significant investment in automating the ingestion of financial statements using AI is a big deal. … Front office automation using AI is going to change it,” said David O’Malley, president of Numerated.
Small-business formation is booming. So are opportunities for fintechs targeting financial institutions that bank these entities to break into the business verification space.
Know-your-business, or KYB, refers to the regulatory requirement for industries such as banking to verify the ownership and legitimacy of a company and assess the risks it poses, both during onboarding and on an ongoing basis. It is related to rules on know-your-customer, or KYC, which focuses on individuals.
Alex Johnson noticed a flurry of startups tackling this problem as he monitored fundraising announcements for fintechs.
“There have been an unusual number of U.S.-based fintech startups that have raised money specifically around solving a KYB issue,” said Johnson, author of the Fintech Takes newsletter, including Baselayer, Ballerine, Coris, TrueBiz, Parcha, Accend and Greenlite. It could indicate a “groupthink” mentality in fintech, when “different people become obsessed with the same idea,” he said. But it also suggests there is a gap in the market where existing solutions aren’t cutting it.
There are numerous reasons why the KYB space is hot right now — and why banks are eager for more automated solutions to ensure companies are legitimate and not shells, to understand who the beneficial owners are and to screen for sanctions and adverse media. There were more than 430,000 business applications in the U.S. in June, according to data from the U.S. Census Bureau — about double the number of applications ten years ago. “It’s never been easier to set up a digital storefront,” said Danny Hakimian, CEO and founder of TrueBiz, which automates the process of investigating a business’s web presence.
KYB is also a highly manual process.
“There has been a huge push to get the KYC process in general more efficient, inclusive of KYB, because it’s a massive drain on bank spend,” said Spencer Schulten, executive director and U.S. head of financial crimes compliance for Capco. “Non-U.S. customers from higher-risk jurisdictions are seeking access to U.S. banks at a higher rate than I’ve seen in some time.” At the same time, compliance budgets are not growing to keep up with the demand, meaning fewer people have less time to do a greater amount of work.
The complexity of KYB is also becoming easier to solve.
“State business registries weren’t online 15 years ago, so you couldn’t build a direct API integration to pull data from them before,” said Johnson.
‘We do a lot of Googling’
First Internet Bank in Fishers, Indiana, and Nbkc bank in Leawood, Kansas, both use fraud and compliance management platform Alloy and business identity platform Middesk in tandem for KYB checks. But each is exploring other technologies to aid in their processes.
Anne Sharkey, chief risk officer at the $5.3 billion-asset First Internet, has spent the last couple of weeks with a vendor testing ways to improve customer due diligence for small businesses using artificial intelligence.
Normally, “we do a lot of Googling,” she said. “Do they have a website? Does the website work? Does it represent what the business says it does? Are there negative reviews out there about the company or owners?”
She sees potential in AI for flagging negative reviews, or a business model that First Internet does not want to bank (for instance, one relating to marijuana), or a nonfunctioning website, which could indicate the company is fraudulent.
“It still takes human intervention but making the process more efficient allows you to hone in on something that may look irregular, rather than getting buried in the detail and missing something right in front of you,” said Sharkey.
While Nbkc uses Middesk to retrieve Secretary of State data, not all states make this information available to the public. That means business owners need to upload such documents manually for an Nbkc employee to review. The $1.2 billion-asset bank is testing a homegrown system it built using Optical Character Recognition, or OCR, to extract the data it needs for its records and to review for certain signs of fraud or red flags, such as handwritten information or manipulated documents.
Nbkc had explored using a vendor, “but we weren’t sold on any in particular,” either because of pricing or functionality, said Brian Fellows, director of risk management at Nbkc. The bank will debut the technology this month.
The hope is that it will pare down the work for bank employees and reduce costs.
“Most of the time if [businesses] apply with us and we take a day or two to approve them, they’ve gone to another bank to open an account,” said Fellows.
He has explored using other startups to fill gaps in the bank’s current KYB process, but so far hasn’t found a combination that beats his current setup and that would justify the price of layering on more solutions.
What sets KYB fintechs apart
In his survey of the landscape, Johnson has wondered what distinguishes the slate of startups he has tracked from each other and from legacy providers.
“Why does the market need 12 of you?” he said.
Hakimian thinks there is room for venture-scale companies that focus on different angles to emerge in this space rather than a winner-takes-all. TrueBiz is not an end-to-end provider.
“Business entity verification is multifaceted and complex,” he said.
The 3-year-old TrueBiz scours a business’s website, social media, online reviews and more. Clients can use its API to retrieve a report analyzing hundreds of data points to construct a picture of the business’s owner and employees, the types of product it offers, its reputation, likelihood of fraud and more, in under 30 seconds, according to Hakimian. TrueBiz’s configurable decision modeling layer also indicates whether further due diligence is needed. Its clients tend to be acquiring banks in the U.S. and global fintechs offering merchant services.
Others say they are the rare or sole provider of certain capabilities.
Baselayer is another entrant to the KYB space. The nearly 2-year-old company purchased a wealth of government and court data, including Secretary of State filings, IRS identification numbers, sanctions data, state and federal tax liens, lawsuits and bankruptcy information. When a client — which includes banks, payment companies, lenders and fintechs — submits a name and address of a company it wants to investigate before onboarding, Baselayer’s AI-driven agent retrieves relevant information profiling a business’s identity along with a rating to indicate the risk level this business poses.
Baselayer tracks the “pulls” on a particular business’s information, as if a lender was pulling an individual’s credit report. Numerous pulls may be a sign of synthetic identity fraud, where criminals obtain personally identifiable information on different individuals and entities, and reformulate them into multiple fraudulent applications across banks. Baselayer also tracks the businesses and their repayment performance throughout its network to enhance risk profiling.
Co-founder and CEO Jonathan Awad says his is one of a handful of companies in the market that have purchased Secretary of State data, and that his is the only one tracking pulls on the entire profile of a business.
“Our solution is focused on the timeframe from when you get an application to every check you need to get through for Customer Identification Program or underwriting purposes,” said Awad.
Richard Rotondo, vice president and digital bank manager for American Commerce, who lead the development of Monesty. “A lot of institutions either need to do this [advancement] or possibly risk obsolescence in the market, but this fear of the unknown, this fear of cost and all those other factors,” is holding many institutions back, he said.
Frank Gargano
The evolving landscape of financial technology has become a race between financial institutions of all asset sizes for who can adopt the latest products and meet the changing needs of consumers. For those hesitating to jump into the fray, experts at American Banker’s Digital Banking conference last week weighed in on the reasons keeping many on the sidelines.
A research report published in December by Arizent, the parent company of American Banker, polled executives of banks, credit unions and other players in the financial services space to gauge what tech priorities were like going into 2024. Among the top five tech spending priorities were data and analytics, enhanced security and fraud mitigation, artificial intelligence and machine learning, digital payments and automation tools or platforms.
More than 66% of respondents said that new technologies like AI and distributed ledgers would be the top trend impacting the banking industry over the next three years. Changing competitive environments and fluctuating consumer demands were the next most prominent factors at 49% and 42% respectively.
“For community banks, it’s less about differentiating themselves through technology and more about keeping up with industry standards,” said John Soffronoff, partner and head of community banking at the global management and technology consulting firm Capco. “However, they have a unique opportunity to build on their existing customer service advantage by offering personalized and customized solutions.”
For companies like American Express, Santander U.S., Alliant Credit Union and others that have made major technology upgrades in the last few months, economies of scale have played a significant role in the scope and effectiveness of any new technology.
One such organization is American Commerce Bank in Bremen, Georgia, which faced this concern when launching its digital banking division in November 2022 to offer customers new channels for interacting with the bank.
Executives of the $494 million-asset bank waited roughly five months before consumers took notice of the new platform dubbed Monesty, but engagement has grown since then. Monesty opened 81 accounts in January that brought in roughly $6.5 million in deposits, and has seen that figure exceed $20 million through today.
“In April 2023, somebody flipped a switch and all of a sudden the public found us,” said Richard Rotondo, vice president and digital bank manager for American Commerce, who leads Monesty. “What I built worked, and we continue to tinker with it.”
Rotondo said that for a banking industry “dominated by technological advancement,” many smaller community banks like American Commerce that reach a crossroads “haven’t made the leap” due to a host of worries.
“A lot of institutions either need to do this [advancement] or possibly risk obsolescence in the market, but this fear of the unknown, this fear of cost and all those other factors,” is holding many institutions back, Rotondo said.
In addition to cost and what he calls “tech apprehension,” Rotondo identified six other hurdles facing community banks where tech innovation is concerned: fear of weakening customer relationships, regulatory challenges, cybersecurity concerns, competitive landscape, shortage of tech talent and lack of buy-in from senior management.
Deborah Perry Piscione, co-founder of the AI and web3 advisory firm Work3 Institute, said the emphasis on personal relationships and local knowledge that defines many community-based institutions can create a barrier for integrating new technology.
“There’s a palpable fear that embracing too much technology might erode the human touch that has long been their competitive edge. … This concern is not unfounded, as many community banks serve demographics that may be less tech-savvy,” Piscione said.
Regulatory discussions have also been top of mind for many executives over the last few months, as supervisory agencies continue exploring how to effectively govern AI usage.
In an effort to stem the potential for misuse of AI through adequate regulation, President Biden released his executive order last October that called on supervisory agencies like the Consumer Financial Protection Bureau to gather more information on how various models are developed and put into use.
Bank advocates were quick to seek additional clarity on how the recommendations would factor into current and future rules, while also contended that operating in an already highly regulated environment would make adjustments easier to manage.
But not everyone in the banking industry feels that community banks are lagging behind in the tech race.
Charles Potts, executive vice president and chief innovation officer for the Independent Community Bankers of America, pointed to the response from executives to the trade group’s ThinkTECH Accelerator and other relevant resources available for those seeking to interact with tech providers.
“Thousands of bankers have taken advantage of the opportunity to engage with start-up and early-stage technology providers for the express purpose of finding new and innovative ways to address the needs of the bank and the customers they serve,” Potts said. “Community banks have always been innovators and creative problem solvers, leveraging technology to improve efficiencies and enhance customer experiences.”
As technology becomes more widely accessible, be it cost decreases or integration improvements, the gap between community banks and their larger counterparts could begin to shrink.
“Technology adoption is no different for community banks than any other bank or large enterprise. … Time, expertise, staff and budget are common constraints and considerations when taking on any new tech adoption project for any organization,” Potts said.
Combining the August 2023 launch of Statewide Federal Credit Union’s new savings account with aggressive marketing efforts proved fruitful for the credit union, pulling in more than $8 million in deposits in less than a year as of May.
Bart Sadowski/bartsadowski – Fotolia
As the country emerged from the COVID-19 pandemic in May 2023, banks and credit unions flush with deposits saw the cost of funds increase along with average interest rates. These increases drove competition between institutions to offer the highest rates for consumers.
When Casey Bacon, chief executive of Statewide Federal Credit Union in Flowood, Mississippi, was facing the same drop-off in new deposits, he leaned on fintech partnerships to boost new member acquisition and, in turn, deposits.
“We didn’t have the deposit growth like we had throughout [the pandemic]. … As the interest rate environment changed, we had to become more aggressive with both retaining our existing deposits and attracting new deposits,” Bacon said. “Even today, the competition just continues to basically accelerate.”
It was around this time that the $177 million-asset Statewide began rolling out the first phase of its targeted campaign to grow deposits. The push was centered around marketing the credit union’s inaugural high-yield savings account to households that weren’t members of Statewide and those that were but had deposits elsewhere.
Bacon began by working with Strum Platform, a Seattle-based financial customer data firm Statewide has partnered with for more than four years. The fintech’s analytics engine allowed credit union executives to use core and online banking information to profile the different lifestyles of members and create concise market segments.
Those cohorts gave the credit union a deeper insight into its relationships with members and helped determine how best to tailor the marketing of products and services to those who could benefit most from them.
“The strategy here was both to lean into existing members and [figure out] how do we both retain the deposits before they’re gone, and then how do we ensure that strategy also finds new opportunities to grow more deposits,” said Mark Weber, CEO and chairman of Strum.
Combining the August 2023 launch of the new savings account with aggressive marketing efforts proved fruitful for the credit union, pulling in more than $8 million in deposits in less than a year as of May.
The second key component of the campaign involved a partnership with Bankjoy, the Royal Oak, Michigan-based digital banking provider which has been working with Statewide for roughly two years. The company’s online account onboarding product helped reduce the time needed to open an account with Statewide and uses integrations with Plaid to give members the option to add accounts with other financial institutions to the digital banking platform for easy viewing.
Other institutions have seen similar success leaning on fintech partnerships and new product launches to help boost the inflow of consumer deposits.
Jenius Bank, the digital division of the Los Angeles-based Sumitomo Mitsui Banking Corp. MANUBANK, introduced a high-yield savings account at the beginning of this year and has reached more than $1 billion in deposits.
The $20.1 billion-asset Alliant Credit Union in Chicago worked with the New York-based account opening fintech MANTL to help develop and deploy the firm’s MANTL for Credit Unions system in late 2022. After the first six months of 2023, the credit union’s core membership grew by 22% and deposits jumped by $500 million.
Upgrading to digital account opening has been a common theme for banks and credit unions aiming to boost deposits.
Data from Cornerstone Advisors’ annual What’s Going on in Banking report found that consumer digital account opening is the top selection for new or replacement tech among banks and credit unions for this year, garnering 27% and 36% of bank and credit union respondents respectively.
Amanda Swanson, senior director in the delivery channels practice and practice leader of marketing and growth at Cornerstone, said that organizations like Chime, SoFi and JPMorgan Chase set the bar for account opening standards, and those with fragmented processes are falling behind.
The process “needs to be very seamless,” which from a digital point of view means removing redundant “hoops and boundaries” but should also include more human connectivity throughout the steps to address questions.
“That human piece is where I think it becomes critical,” Swanson said.
Statewide plans to focus next on tailoring existing products and educational resources to foster relationships with consumers in different age ranges.
“The big rates are what gets you in the door, and it’s really common in business. … But the question then becomes how do you keep those people around that maybe have a chance of sticking, even when that rate goes down,” said Dylan Lerner, senior analyst in Javelin Strategy & Research’s digital banking practice.
According to the Pew Research Center, 13% of people who have ever used PayPal, Venmo, Zelle or Cash App say they have sent someone money and later realized it was a scam, while 11% report they have had their account hacked.
Daniel Wolfe
Just after 8:00 a.m. on Monday, April 24, Margaret Menotti was writing a report for a client.
“I heard my phone ding, and I got a text from Bank of America saying there was suspicious fraud activity on my account,” said Menotti, a freelance media relations professional who works from her home in Venice, Florida.
Immediately after that, she got a phone call from someone who said they worked in Bank of America’s fraud department and they had seen suspicious activity on her account. The caller asked if she had made two Zelle transactions: a $109 payment for sporting event tickets and a one-cent transaction. Menotti doesn’t use Zelle.
“I closed out what I was doing, got into my bank account and said, yeah, I didn’t make these,” Menotti said in an interview. “She said, don’t worry about it, we’re here to help you, we can immediately reverse these.” The caller also asked Menotti if she knew someone named Doug Bland who lives in Denver. Menotti said no. Bland was trying to put through two Zelle transactions from Menotti’s accounts, one from her savings account, the other from her checking account, the woman said.
“I said, well, that’s not authorized, I don’t know anybody by that name,” Menotti said.
“Don’t worry about it,” the woman said. “We have fraud specialists here. Alejandro Lopez specializes for Bank of America in Zelle fraud.”
The rep gave Menotti a claim number, which she wrote down, and started walking Menotti through the steps she needed to take to reverse the Zelle transactions. Menotti started noticing that the screens she was seeing did not exactly match what the rep was describing. The rep told Menotti she needed to use her mobile app, then they would be looking at the same things. She opened the Bank of America mobile app and walked into her husband’s office (he’s a project manager at Dell who also works remotely) and asked if it all seemed legit to him. He thought it seemed real. She went through the steps the rep told her to take.
Menotti then went back to online banking from her laptop and saw that $3,500 had been withdrawn from her account and sent to Alejandro Lopez. She hung up the phone.
“It was already too late,” Menotti said. “I realized my mistake.”
For several weeks after that, Menotti spent many hours making dozens of calls to Bank of America and Zelle, trying to get her money back.
Menotti’s story is not uncommon. About 120 million consumers and small businesses used Zelle in 2023 to send 2.9 billion transactions totaling $806 billion, according to Early Warning, the bank consortium-owned company that operates Zelle. In 2024, the volume of Zelle transactions is expected to surpass $1 trillion. According to the Pew Research Center, 13% of people who have ever used PayPal, Venmo, Zelle or Cash App say they have sent someone money and later realized it was a scam, while 11% report they have had their account hacked. (Early Warning says 99.95% of the payments it processed in 2023 had no reports of fraud or scam.)
A report put out by Senator Elizabeth Warren in October 2022 stated that four banks reported 192,878 cases of scams — cases where customers reported being fraudulently induced into making payments on Zelle — involving over $213.8 million of payments in 2021 and the first half of 2022.
“In the vast majority of these cases, the banks did not repay the customers that were defrauded,” the report said. “Overall the three banks that provided full data sets reported repaying customers in only 3,473 cases (representing 9.6% of scam claims) and repaid only $2.9 million (representing 11% of payments).”
When consumers lose money due to Zelle scams, “Zelle and the big banks have said they couldn’t help,” Blumenthal said during the hearing. “What they mean is they wouldn’t help, and their attitude has been, ‘not our problem.’ Well, to the banks of America, particularly the seven that own and operate Zelle, it is your problem. You own it just as you own Zelle and you have the expertise, the resources, and the obligation to make sure that you do better.” (The seven banks that own the Zelle network are Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank, U.S. Bank and Wells Fargo. American Banker reached out to all for comment. Wells Fargo declined; only Bank of America responded with an interview by press time.)
In June 2023, Early Warning implemented a rule that requires its 2,100 member banks to refund customers that are victims of “qualifying” impersonation scams where crooks pose as a bank or government agency to trick customers into giving up money and/or account information. The company does not share what it takes for a scam case to qualify for the refund. “Each case is closely reviewed by the customer’s financial institution,” a spokeswoman said.
After listening to many customer stories, including those of Margaret Menotti and the consumers who testified at the Senate hearing, and talking to experts, a picture emerges of a problem that has outgrown large banks’ capacity to handle the ensuing fraud investigation and customer service work, even if the overall rate of Zelle fraud is low.
“How many workers are hired per capita to address Zelle?” said John Buzzard, a fraud expert who until recently was lead fraud and security analyst at Javelin Strategy and Research. “You have to pounce quickly and have world-class authentication. I’m not sure that’s a constant universally speaking but more of an aspiration.”
Bank of America has 37 billion active digital users and at least half of them actively use Zelle, according to the bank.
“Zelle is our customers’ number one choice for money movement,” said Mark Monaco, head of global payment solutions for Bank of America. “They choose Zelle more often to access their accounts than they write checks or withdraw cash from ATMs or our financial centers. The adoption continues to grow.”
Bank of America declined to say how many customer service reps are trained to handle Zelle fraud and scam cases. (Banks make a distinction between the two: if a fraudster takes over a customer’s account and makes a Zelle transaction, banks call that fraud; if a customer is tricked into making a payment through Zelle, banks call that a scam.)
Trying to get a refund
When Margaret Menotti realized she had fallen for a scam, she immediately called Bank of America’s fraud department and spoke with a bank fraud rep — a real one, this time — about what had just happened. The bank reversed the $109 transaction and she was told the claim number she had been given earlier by the woman claiming to be a Bank of America fraud specialist was not a bank claim number but a phone number.
Menotti dialed that number. A man picked up.
“I said, is this Alejandro? And he said, yes,” Menotti recalled. “I said, I want to know why you scammed me out of $3,500. He hung up.”
When she recalls the call she thought was from Bank of America, Menotti says the background music was the same as the bank’s and there was a message about this being a recorded line that was the same as the bank’s.
“It’s embarrassing to have fallen for it, but it really sounded like them,” she said.
She called the bank again. Bank fraud specialists told Menotti to file a claim with Zelle. They told her that both Zelle transactions went to another Bank of America customer.
She called Zelle’s customer complaint number, but got a recording saying she had to call her bank.
In an interview, an Early Warning representative said that Zelle customers who call about scams are redirected to their bank, which has their account data and history, while Early Warning does not store any customer data.
Menotti went back to Bank of America and filed a formal claim to get her money back. She was told it could take 45 business days to process. Two days later it was denied. She called the bank to ask why. In the meantime, she had read about federal Regulation E, which protects consumers who fall victim to scams. She asked the bank to dig deeper and was told it would reopen the claim. It was denied again.
When she asked why the claim was denied, she was told, “‘You authorized it.” Menotti said she did not authorize it; she thought she was speaking to someone at the bank and therefore Reg E applied. She was again told the claim was not approved.
She went to her local bank branch and spoke with the branch manager. He said it was a corporate decision he couldn’t override.
She moved her money to a different bank and reported the episode to the Consumer Financial Protection Bureau and the Florida Attorney General. She also wrote to Warren’s office and a few journalists.
She didn’t hear anything from Bank of America for two weeks, but on May 14, one working day after American Banker reached out to the bank to ask about her case and about 10 days after a journalist from a different publication called the bank with similar questions, a woman named Ashley from the bank’s claims department called Menotti to say that Bank of America’s leadership team had decided that she would be reimbursed for the $3,500 Zelle fraud that night or the next day. Ashley said the fraud team had called the number associated with the Zelle transaction, the voice did not sound like Menotti’s and the person said it was for rent payments. (Menotti and her husband own their home and they don’t own any rental property.)
The next day, Menotti saw a credit for $2.63 to her savings account and correspondence from Bank of America saying that was her refund because that was all that they could recover. When she went grocery shopping that day, her debit card and her husband’s debit card were declined. She called the bank again, spoke with more than eight people and was told her checking account was closed in error, that Bank of America would send her a check for the amounts in the accounts and that she could not use her debit cards anymore. The rep told Menotti that when she opened the account 40 years ago, she agreed to the terms that the account could be closed at any time.
After demanding to speak with somebody with full visibility to this case, Menotti eventually reached a woman at the bank named Jessica who confirmed that the accounts were closed in error.
While they were talking, Menotti saw a credit come into her savings account for $1,797.37. Jessica told Menotti she would work with an investigator to process the remaining $1,700 to her checking account and transferred her to a representative to reactivate her debit cards.
“I was transferred three times, nobody seemed able to handle this,” Menotti said. She was told that it could take 24 to 48 hours for the $1,700 to appear in her checking account.
A different representative told Menotti the bank was reopening Menotti’s and her husband’s cards, but that she experienced another glitch and couldn’t do it. The bank would be sending her new cards.
“What a nightmare this has been,” Menotti said. “I am convinced that without pressure from somebody like [American Banker], Bank of America would ignore requests like this. My sense is that they just keep rejecting claims and don’t aggressively investigate them until a customer makes a big fuss.”
A Bank of America spokesman said the decision to reimburse Menotti was made after considering additional information during a review. He declined to say what that additional information was. He also pointed out that the bank will never ask a client to send money to anyone, and that when sending money using Zelle, clients sometimes receive messages alerting them to red flags that indicate a scam. Clients also receive alerts they are required to review and approve before the transaction can be sent.
Menotti said she never received a message about Zelle and scams before sending either of the transactions, but that she did immediately call customer service when she realized she had been tricked.
The bank spokesman further said that if a customer has questions after they receive calls or texts that appear to be from their bank, they should call the customer service number on their debit or credit card or review their transactions online to confirm any questionable inquiries.
Stopping a scam
In hindsight, there’s one thing Menotti wishes she had done differently.
“I think you’re so panicked when you think money’s coming out of your account,” she said. “But once I walked into my husband’s office and said, do you think this is legit, I should have just hung up.”
Ben Chance, chief fraud and risk management officer at Zelle, backs this up.
“There’s an endless barrage of email, text, phone calls, social media messaging that’s doing this type of impersonation or otherwise attempting to scam consumers,” he said.
The first thing customers should do if they receive a text or phone call that appears to be from their bank is not answer, Chance said.
“The safest course of action is to not respond to that, to pull up their wallet, look at the number on the back of their debit card and contact the bank directly,” he said.
Zelle also reminds users to only send payments to people they know and to be on the lookout for scams. It provides “risk insights” to the banks on its network that flag transactions that seem fishy. Zelle representatives were not able to comment on whether a risk insight flagged the transactions on Menotti’s account.
Congress is watching this space closely. In January of this year, Senators Elizabeth Warren, Sherrod Brown and Jack Reed wrote a letter to CFPB Director Rohit Chopra, urging him to come up with rules regarding what counts as an authorized or an unauthorized transfer under Regulation E. People interviewed for this article said that when Early Warning created its rule requiring banks to reimburse victims of impersonation scams last June, the CFPB held off on setting its own rule. If consumer complaints keep coming in, the CFPB may reverse this position.
Menotti eventually got her $3,500 back and she is pleased with that.
“I am disappointed with the terrible customer service and passing the buck back to consumers when federal Regulation E is supposed to protect them,” she said.
A move by Citigroup to dismiss what it called a “misguided” and “imaginative” wire-fraud lawsuit by the New York attorney general has gotten a mixed reception among bankers, many of whom sympathize with Citi’s pushback while others say banks can do more to protect their customers.
The move also highlights ongoing debates in the U.S. and abroad about who should be liable when a consumer loses money to a bank spoofing scam. While Europe is moving toward holding banks liable, the U.S. has not seen any such proposals.
Letitia James, the state’s attorney general, sued Citibank in January for inadequate responses to “obvious red flags of identity theft and account takeover” cases, allowing fraud to take place, including against one customer who had $40,000 stolen from her via wire transfer after she clicked on a fraudulent link she received in a text message. Citi denied her case, according to the lawsuit.
According to James’ office, the customer “did not provide any information” after clicking on the fraudulent link she received. Yet, after clicking the link, an unauthorized user changed her online banking password, enrolled her account in online wire transfer services, tried and failed to make a wire transfer of $39,999, then successfully executed a $40,000 transfer, which constituted most of her savings after a recent retirement.
This month, Citigroup filed a motion to dismiss the case, acknowledging a recent rise in online wire fraud but arguing that banks are not liable for reimbursing customers who got scammed through wire fraud schemes.
“There is no denying that the problem is real,” the bank wrote, but the New York state AG’s lawsuit “defies longstanding, settled understandings” of banks’ liability in cases of fraud.
In reaction to the motion to dismiss the case, bankers on LinkedIn largely responded in defense of their institutions.
“In this case, it seems the victim clicked a link that appeared to be from Citi,” said Ana Campaneria-Villarini, director of corporate fraud for BankUnited. “Well, the victim fell for it! It’s sad but shouldn’t be the fault of the bank. Why should the banks be liable?”
Many responders sympathized to varying degrees. One commenter, Elena Michaeli, a fraud and cybersecurity consultant, pointed out that while banks have little recourse when a victim provides their banking credentials to a fraudster, banks have much more data and tools at their disposal than consumers.
In Europe, lawmakers have proposed changes that could entitle consumers to refunds in cases of bank spoofing, where a fraudster pretends to be the consumer’s bank and tricks them into parting with their money. Only in cases of “gross negligence” — for example, if the victim falls for the same scheme more than once, or if the spoof is not convincing — would the payment service provider escape refund liability, according to the proposed regulation.
The proposals also create a legal basis for payment service providers to voluntarily exchange personal data of their users, subject to information sharing arrangements, for the purposes of reducing fraud. The legislation would require such information sharing to happen in compliance with Europe’s General Data Protection Regulation.
The proposals are under review by the European Parliament and Council, and while exact timelines are not yet known, any changes to fraud loss liability and data sharing arrangements could take 18 to 24 months to enter into force once agreed upon by member states of the European Union.
“It is currently anticipated that the legislative proposals will enter into force in 2026,” wrote global law firm DLA Piper in a blog post about the proposals.
In the U.S., the Department of the Treasury recently alluded to the lack of a legal basis for sharing fraud data between banks voluntarily in a recent report on artificial intelligence. “Most financial institutions” interviewed expressed the need for better collaboration in the domain of fraud prevention, according to the report.
“Sharing of fraud data would support the development of sophisticated fraud detection tools and better identification of emerging trends or risks,” the report said, which likened such data sharing to similar arrangements banks have for sharing cybersecurity threat and anti-money-laundering data.
As for who is liable in cases where a consumer falls victim to fraud and shares their banking credentials to someone impersonating their bank, neither U.S. lawmakers nor regulators have put forward proposals to change the current standard in which customers are generally liable for wire transfer fraud tactics they fall for.
In a parallel case, consumers are sometimes liable when they fall for scams and mistakenly send payments through person-to-person payment networks like Zelle. The closest a regulator has come to changing the fraud liability standard for P2P payments was guidance that the Consumer Financial Protection Bureau was expected to issue in response to increasing fraud on Zelle in 2022. However, such guidance has not reached the agency’s rulemaking agenda; rather, the agency has proposed that it should examine payment markets run by the likes of Apple, Google and PayPal to ensure they comply with existing consumer protection laws.
Through the first quarter of the year, actions against fintech partner banks have accounted for 35% of publicized enforcement measures from the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller, according to the consultancy Klaros Group. This is an uptick from 26% during the previous quarter, and 10% from the first quarter of 2023.
The jump in enforcement actions against firms engaging in so-called banking-as-a-service, or BaaS, business models corresponds with the adoption of a new joint guidance from the Fed, FDIC and OCC for evaluating third-party risks, which was codified last June. The following quarter, the share of fintech partner bank enforcement actions doubled from 9% to 18%, according to Klaros. The uptick in BaaS-related enforcement comes amid a doubling of total enforcement actions against banks over the same period.
“It’s undeniable that there’s more enforcement activity happening related to BaaS,” said David Sewell, a partner with the law firm Freshfields Bruckhaus Deringer. “You are seeing the fruits of the enhanced supervisory posture towards that space.”
The question moving forward is whether this recent string of activity is a momentary adjustment as agencies ensure their expectations are taken into account, or a permanent shift in regulators’ attitude toward BaaS models.
Along with crafting new expectations for fintech partnerships, Washington regulators are also putting together specialized supervision teams to explore these activities more comprehensively. Last year, the OCC launched an Office of Financial Technology to “adapt to a rapidly changing banking landscape,” and the Fed established a similar group called the Novel Activities Supervision Program, which tracks fintech partnerships, engagement with crypto assets and other emerging strategies in banking.
These fintech-specific developments come at a time when the agencies are changing their approach to supervision across the board with an eye toward escalating issues identified in banks more quickly and more forcefully. The effort is being undertaken in response to last year’s failure of Silicon Valley Bank, which had numerous unaddressed citations — known as matters requiring attention — at the time of its collapse.
The FDIC has already amended its procedures and now directs its supervisors to elevate issues if they are unresolved for more than one examination cycle. A Government Accountability Office report issued last month called for the Fed to adopt a similar approach.
Gregory Lyons, a partner at the law firm Debevoise & Plimpton, said the confluence of these various developments will result in significant supervisory pressure on fintech partner banks, most of which are small community banks leaning on the arrangements to offset declines in other business opportunities.
“You have a general concern from regulators about fintechs, you have these new divisions within agencies focused solely on fintech activities and risks, and then more generally you have an exam environment in which things are going to get elevated quickly,” Lyons said. “This is a fairly volatile mix for banks relying heavily on fintech partnerships.”
Measuring supervisory activity and determining its root causes are both fraught exercises, said Jonah Crane, partner with Klaros. Public actions make up just a fraction of the overall enforcement landscape, which is itself a small portion of the correspondence between banks and their supervisors. Public enforcement actions are also intentionally vague in their description of violations, as a way of safeguarding confidential supervisory information.
Still, Crane said recent disclosures exemplify the areas of greatest concern for regulators: money laundering and general third-party risk management. He noted that the main threat supervisors seem to be guarding against is banks outsourcing their risk management and compliance obligations to lightly regulated tech companies.
“For every banking product in the marketplace, there’s a long check list of laws and regulations that need to be followed,” Crane said. “Those need to be clearly spelled out, and they still need to be done to bank standards when banks rely on third parties to handle those roles and responsibilities. That seems to be the crux of the issue.”
In official policy documents and speeches from officials, the agencies have described their approach to fintech oversight as risk-sensitive and principles-based. They emphasize the importance of banks knowing the types of activities in which their fintech partners engage as well as the mechanisms in place within them to manage risks.
“The OCC expects banks to appropriately manage their risks and regularly describes its supervisory expectations,” an OCC spokesperson said. “The OCC has been transparent with its regulated institutions and published joint guidance last June to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies.”
The Fed declined to comment and the FDIC did not provide a comment before publication.
Some policy specialists say the expectation that buck stops with the bank when it comes to risk management and compliance should not come as a surprise to anyone in BaaS space, pointing to both last year’s guidance and long-running practices by supervisors. The Fed, FDIC and OCC outlined many of their areas of concern in 2021 through jointly proposed guidelines for managing third-party risks.
James Kim, a partner with the law firm Troutman Pepper, likens the recent surge in activity to supervisors clearing out low hanging fruit. He notes that the rapid expansion of BaaS arrangements in recent years — aided by intermediary groups that pair fintechs with banks, typically of the smaller community variety — has brought with it many groups that were not well suited for dealing with its regulatory requirements.
“Several years ago, there were real barriers for fintechs to partner with banks because of the cost, time and energy it took to negotiate agreements and pass the onboarding due diligence,” Kim said. “Some of the enforcement activity we’re seeing today is likely the consequence of certain banks, fintechs and intermediaries jumping into the space without fully understanding and addressing the compliance obligations that come with it.”
Others say the standards set last year are too broad to be applied uniformly across all BaaS business models, which can vary significantly from one arrangement to another.
Jess Cheng, a partner with the law firm Wilson Sonsini who represents many fintech groups, said regulators need to provide more detailed expectations for how banks can engage in the space safely.
“In light of these enforcement actions, there seems to be a real time lag between what has been going on in terms of ramped up supervisory scrutiny and the issuing of tools to help smaller banks comply with and understand how they can meet those expectations,” Cheng said. “That is badly needed.”
In a statement to American Banker, Michael Emancipator, senior vice president and senior regulatory counsel for the Independent Community Bankers of America, a trade group that represents small banks, called the recent uptick in enforcement actions has been concerning, “especially in the absence of any new regulation, policy, or guidance that explains this heightened scrutiny.”
Emancipator acknowledged the guidance that was finalized last year, but noted that the framework was largely unchanged from the 2021 proposal and gave no indication that substantial supervisory activity was warranted.
“If there has been a shift in agency policy that is now manifesting through enforcement actions, ICBA encourages the banking agencies to issue a notice of proposed rulemaking, which more explicitly explains the policy shift and how banks can appropriately operate under the new policy,” he said. “Absent that additional guidance and an opportunity to comment, we’re seeing a new breed of ‘regulation through enforcement,’ which is obviously suboptimal.”
Among specialists in the space, there is optimism that the Fed’s Novel Activities Supervision Program will be able to address some of these outstanding questions and provide the guidance banks need to operate in the space safely and effectively.
“I expect more clarity going forward both in the enforcement action context but also if they adopt exam manuals and a whole exam process,” Crane said. “I remain glass half-full about how the novel activities programs are going to impact the space. It’s a pretty strong signal that agencies aren’t just trying to kill this activity. They wouldn’t establish whole new supervisory programs and teams if that’s what you’re trying to accomplish.”
The program will operate alongside existing supervision teams, with the Washington-based specialist group accompanying local examiners to explore specific issues related to emerging business practices. Crane said until more formal exam policies are laid out, the scope of the enhanced supervision conducted by these specialists remains to be seen.
“In theory, that enhanced supervision should apply only to novel activity,” he said. “There is an open question as to whether, in practice, the whole bank will be held to something of a higher standard.”
Lyons said the layering on of supervision from a Washington-based entity, such as the Novel Activities Supervision Program, eats into the discretion of local examiners. It also inevitably leads to the identification of favored practices.
“When these types of groups get involved in supervision, it tends to lead to more comparisons of how one bank approaches issues versus another,” Lyons said. “It’s not formally a horizontal review, but it’s that type of principle, in which the supervisors identify certain practices they like more than others.”
Lyons added that escalation policies, such as the one implemented by the FDIC, also take away examiner discretion and could create a situation where one type of deficiency — such as third-party risk management — can quickly transform into a different one with more significant consequences.
“If issues run over more than one exam cycle, they can go from purely being a third-party risk management issue, to also being a management issue for not monitoring a pressing risk well enough,” he said. “Management is typically considered the most significant of the six components of CAMELS for purposes of determining the composite rating, for example.”
With the addition of the self-service portal, DCU was able to boost lending from roughly $1 billion in mortgage loans when talks began in 2019, to $1.6 billion in 2023.
petzshadow – stock.adobe.com
When Jason Sorochinsky began transforming the Marlborough, Massachusetts-based Digital Federal Credit Union’s mortgage origination process in 2019, he knew that always offering the lowest rates wasn’t feasible. But with the help of several fintech partnerships, he was able to bring the process to members using an online portal and boost volume by 60%.
“Our value proposition really came down to one sentence, which is, we want to be known for speed and service using digital tools and technology,” said Sorochinsky, who is head of mortgage lending for the $12.1 billion-asset DCU.
DCU officially launched the self-service mortgage portal in 2022 after spending a year piloting the platform to fine tune the processes. The digital lending platform, built by the New Jersey software firm Blue Sage Solutions, capitalizes on the credit union’s “consumer direct” model by allowing potential borrowers to apply for mortgages and home equity loans and refinance existing loans, without the need for a staff member.
After selecting which of the three products they want to apply for, and inputting property details like zip code, anticipated down payment and estimated purchase price, consumers can see the maximum amount they could bid on a property and choose which rates and terms best fit their needs. This phase also allows members to electronically verify their income, employment and other owned assets to support their eligibility.
During the application process, borrowers concerned about market volatility can lock in their rate using OptimalBlue’s rate lock API, for 15 to 90 days.
Next, DCU will use Blue Sage’s integration with the mortgage fintech Optimal Blue’s product and pricing engine to order credit reports, validate loan pricing, run the file through Fannie Mae and Freddie Mac and conduct other calculations. A secondary API connection with the information services firm ClosingCorp provides added support by calculating application and appraisal fees as well as generating disclosure agreements for the member to sign.
Members will receive emails or text messages prompting them to proceed to the next steps in DCU’s mortgage portal and sign the necessary forms after the initial application is submitted. Once the fees are paid, orders are put in for standard items including title insurance, appraisals and flood certificates, then a second round of confirmation documents are sent back to the applicant for signing.
After signing all the necessary forms, the file is submitted to the underwriting department for further processing — which DCU says can be done in as little as 30 minutes and without the need for a credit union representative. Two-way communication with a DCU mortgage lending officer, processor or closer via a chat function, as well as informational videos, are available to help the member address any issues.
“It doesn’t matter what the forces are, recession or high rates or low inventory, we’re able to still be successful because we’re focusing on speed and service using digital tools and technology,” Sorochinsky said. With the addition of the self-service portal, DCU was able to boost lending from roughly $1 billion in mortgage loans when talks began in 2019, to $1.6 billion in 2023.
1/5
During the initial application process, members are prompted to input property details like zip code, anticipated down payment and estimated purchase price to determine the maximum amount they could bid on a property. (Digital Federal Credit Union)
2/5
Members can view the status of their loan application and view other details such as loan amount, interest rate and estimated monthly payment. (Digital Federal Credit Union)
3/5
Within the rate lock section, supported by Optimal Blue, consumers can select from a variety of lock terms and price points to suit their needs. (Digital Federal Credit Union)
4/5
Members struggling to navigate the portal or the application process can chat in real time with a DCU representative. (Digital Federal Credit Union)
5/5
Applicants can digitally sign necessary disclosures and other documents, while also electronically verifying their income and employment. (Digital Federal Credit Union)
DCU is among a host of other institutions that have added new technologies in the hopes of furthering membership growth and increasing loan volume.
The $18.5 billion-asset Alliant Credit Union in Chicago, for example, was able to grow core membership by 22% and boost deposits by more than $500 million in a six-month period with the help of the New York-based account opening fintech MANTL’s deposit origination system. The Providence, Rhode Island-based Beeline Loans launched an artificial intelligence-powered chatbot to assist during the application process.
Debra Shultz, vice president of mortgage lending at CrossCountry Mortgage, said that activity should pick up over the next two years as the signaled rate decreases will give way to lower mortgage rates — spurring current borrowers to refinance for a more favorable level.
“Today, borrowers understand that real estate is a great investment [as] it gives them the freedom to create the home of their dreams, take advantage of tax advantages and build wealth over time,” Shultz said. “The opportunity to refinance their loan into a lower rate in the next 1-2 years is a reality.”
Experts with Cornerstone Advisors and Datos Insights underscored the importance of proper due diligence when vetting both third-party firms and the products they bring to the table, but equally highlighted the value of exploring new technology.
“This sounds like a no-brainer but despite having system capabilities, many underwriters still manually pull credit and calculate ratios manually,” said Eric Weikart, partner at Cornerstone Advisors. “Sometimes, this is due to system setup issues but many times it’s because they have always done it that way and they aren’t willing to change.”
Automation is an important characteristic for underwriting programs to be truly effective, but only with “comprehensive risk assessment, regulatory compliance and clear guidelines” also put in place, said Stewart Watterson, strategic advisor for Datos Insights.
“Compared to 20 or 30 years ago, borrowers have a much higher expectation of speed to approval and closing along with desire to have a tech enabled process supported by knowledgeable, professional loan officers and operations personnel,” said Christy Soukhamneut, chief lending officer for the $4 billion-asset University Federal Credit Union in Austin. “We are actively implementing mortgage technology that is user friendly and intuitive so that our sales teams can focus on the member and referral partner experience.”
In a report last week on AI and cybersecurity, the U.S. Department of the Treasury said that, while banks tend to share plenty of information with each other for the purposes of cybersecurity and anti-money laundering, they have practiced “insufficient data sharing” in the area of fraud prevention.
The dearth of banks sharing their fraud data undercuts smaller banks’ efforts to train anti-fraud AI models— models that many banks hope will replace rule-based engines, deny lists and device fingerprinting in the fight to detect and prevent transaction-related crimes such as money laundering and fraud.
Treasury acknowledged a general gap in the data available to financial institutions for training AI models of all kinds, but the report said the gap is “significant in the area of fraud prevention,” which the report contrasted with robust cybersecurity data sharing efforts led by organizations including the Financial Services Information Sharing and Analysis Center.
“The accuracy of machine learning-based systems in identifying and modeling fraudulent behavioral patterns correlates directly with the scale, scope (variety of datasets) and quality of data available to firms,” the report reads.
The report said “most financial institutions” interviewed for the report, which was based on 42 interviews, expressed the need for better collaboration in the domain of fraud prevention, particularly as fraudsters themselves have been using AI and machine learning technologies.
“Sharing of fraud data would support the development of sophisticated fraud detection tools and better identification of emerging trends or risks,” the report said.
However, while such information sharing could improve fraud detection, it “also raises privacy concerns,” the report said, as it would involve collecting and storing sensitive financial information including transaction histories and personal behaviors. Data anonymization and algorithmic transparency — i.e., helping customers understand how their data is used — could mitigate these issues, the report said.
Treasury said in the report that the Financial Crimes Enforcement Network, which is a bureau of Treasury, might be well positioned to support fraud information-sharing efforts between banks, to ensure that smaller financial institutions “are benefitting from the advancements in AI technology development for countering fraud,” the report said. Core providers could also play this role, according to the report.
While many vendors offer smaller banks access to AI-based transaction monitoring systems, Treasury’s report said internal development at banks “offers advantages in oversight and control of the development, testing, transparency, and governance of models and access to sufficient data monitoring for model risk management evaluation purposes.”
For the moment, the report cited efforts by two institutions that are already working to close the fraud information-sharing gap: The Bank Policy Institute and the American Bankers Association.
The Bank Policy Institute, a public policy research and advocacy organization, told Congress in February that, as part of the effort to promote and enable data and intelligence sharing between institutions, the institute has established BITS, an “executive-level forum” for bankers to collaborate on policy advocacy, promote critical infrastructure resilience, strengthen cybersecurity and reduce fraud.
The American Bankers Association, a trade organization and bank industry lobbying group, is set to launch an information-sharing exchange in the first half of this year, which the association says will help member banks fight fraud.
As an example of how the exchange will work, in fraud cases known as business-email compromise, the platform will enable banks to alert their peers with key information about the account of the alleged fraudster, said Paul Benda, executive vice president of risk, cybersecurity and fraud at the American Bankers Association.
“The idea here is to allow banks to share this information amongst other banks in a near-real-time manner so they can integrate this data into their payment flows, into their risk-scoring systems, to stop that money from going out,” Benda said.
The association said its long-term goal is to make the exchange available to all financial institutions that are covered by Section 314(b) of the Patriot Act, which gives financial institutions the right to share information that could be used to identify transactions that might involve money laundering or terrorist funding.
As for the consequences of failing to promote adequate fraud information sharing, several institutions Treasury interviewed said “there may be a risk of future consolidation towards larger institutions” if “smaller financial institutions are not supported in closing this critical gap,” according to the report.
Banks that offer banking-as-a-service to fintechs be warned: Regulators continue to critique these programs. In the most recent example, the FDIC announced consent orders Friday against Sutton Bank in Attica, Ohio and Piermont Bank in New York City.
In these orders, regulators tell the banks they need to step up their oversight and monitoring of their fintech partners, and insist their boards must be involved. When the fintechs take on new customers, it’s the bank’s responsibility to make sure they aren’t criminals, terrorists or money launderers. As the fintechs process transactions, the banks have to monitor them to make sure they meet all Bank Secrecy Act, anti-money-laundering and countering financial terrorism rules.
All this fintech babysitting is a tall order, especially for a small bank. Sutton Bank has $2.2 billion of assets. It works with large fintechs like Square, Robinhood and Upgrade and is the bank behind many prepaid card programs. The bank did not respond to a request for comment. Piermont Bank has $578 million of assets. Its fintech partners include Wagestream, Tuvoli and Buildertrend.
“Every bank that touches BaaS is getting an enforcement action,” said Wendy Cai-Lee, founder and CEO of Piermont Bank, in an interview. “I don’t think anyone is not getting one at this point.”
Some in the industry see this as an example of regulatory overreach.
“It absolutely looks and feels like innovation within the banking system is being disproportionately targeted by regulators who at times seem like they are trying to make a point rather than helping to build the future of financial services,” said Phil Goldfeder, CEO of the American Fintech Council. “To ensure that a competitive financial services market exists, regulators need to find ways to encourage responsible innovation instead of stymieing it through disparate regulatory treatment.”
Others believe the stepped-up scrutiny of bank-fintech partnerships stems from some banks’ practice of outsourcing compliance with these rules to BaaS vendors like Synapse, Synctera and Unit. Piermont announced a partnership with Unit in 2022, but recently broke off that relationship.
“Middleware BaaS platforms and connectors led banks down a path of false assurances and the banks that chose to outsource their risk will continue to be at risk of regulatory scrutiny,” said Matthew Smith, president of Bankers Helping Bankers.
Piermont Bank has always been mindful of its compliance responsibility, Cai-Lee said. About half of the bank’s employees are in risk management.
“We have championed the idea that it’s our insurance, it’s our charter,” she said. “We have to have that direct relationship.”
In fact, the bank has been hurt by this compliance-first mindset, she said.
“Early on, fintechs didn’t want to work with us, because they figured Piermont required so much control,” Cai-Lee said. “We weren’t able to grow faster because we said [to potential fintech partners], I need my own contract with you and you need to send me your customer complaint log.”
But even though the bank has been conservative in its approach, it’s no longer sufficient for this changing regulatory environment, she said.
What’s in the consent orders
The FDIC’s consent order against Sutton focuses on anti-money laundering and countering the financing of terrorism.
For example, within 180 days, Sutton’s board must develop and implement a revised written anti-money laundering program that complies with the Bank Secrecy Act and money laundering rules, and share this with the FDIC. The revised program must include stronger assessment and oversight of fintech partners, and the bank has to document, track, and report on its adherence with the program to the board.
Within ninety days, the board must improve its supervision and direction of the anti-money laundering program and address any deficiencies and weaknesses identified in the last exam.
The FDIC said the bank must have at least one BSA officer who reports to the board and set up a board committee to ensure compliance with the consent order.
Sutton also has to create an inventory of third-party relationships and designate program managers responsible for customer identification programs, transaction monitoring, independent testing and reporting suspicious activity for each. It’s been told to provide due diligence and ongoing compliance monitoring of third parties.
It also has to develop and implement a revised training program for directors and staff on BSA regulations, and especially on mitigating risks associated with prepaid card activities.
Within sixty days, the bank has to come up with a plan to review all prepaid card customers beginning from July 1, 2020, to ensure that all required customer information has been obtained and the bank knows the true identity of these customers.
The FDIC’s consent order on Piermont Bank touched on many of the same areas as the one given to Sutton. The agency told Piermont to increase board oversight of compliance programs for fintech partners. The bank was also told to conduct internal audits and improve risk management of third-party programs. It has to conduct a review of all data and systems used in its fintech partnerships and of all third-party risk and monitor its fintech partners’ compliance with bank laws.
FDIC told the bank to set up internal controls for monitoring anti-money laundering rule compliance, to conduct tests of its Bank Secrecy Act compliance, appoint an AML officer and conduct more anti-money laundering training among board and staff. Like Sutton, it has to review all transactions since September 2022 to make sure any suspicious activity was reported. It also has to review all Electronic Funds Transfer Act disputes since August 2020.
The path forward
The way Goldfeder sees it, both regulators and banks have to adjust to the recent boom in banking as a service.
“Banks are responsible for their partners and the innovation they embrace and need to maintain the gold standard of compliance,” he said. “But they also require clarity and appropriate rules of the road from regulators.” Regulators need to provide clear supervisory expectations and understand the actual risks associated with a given product or service, he said.
Piermont Bank has made several improvements to the compliance controls in its banking-as-a-service programs in the year since the FDIC exam took place, Cai-Lee said.
For instance, it now has direct access to its fintech partners’ onboarding software and conducts quality control audits. It has consolidated the platforms it was using to monitor transactions for suspicious activity, fraud and money laundering into one platform for consistency. Quarterly BSA training is now mandatory for Piermont and its fintech partners’ employees, and if anyone doesn’t take it, Piermont gets an automated alert.
Cai-Lee said she’s going to keep working through all the FDIC’s demands and keep offering banking as a service.
“This is who we are, it’s a core pillar business,” she said. “I’m not giving up. I’m not walking away.”
Lack of understanding remains a key hurdle for adopting traditional and generative artificial intelligence-powered tools, but banks and credit unions are still eager to use the technology, according to a new report from Arizent.
Despite both consumer and institutional interest in artificial intelligence continuing to grow across the financial services industry, the majority of leaders are still unsure about the technology and its potential uses — leaving a select group of executives to lead their organizations into the fray.
Arizent, the publisher of American Banker, surveyed 127 financial institution professionals to find out how traditional and generative AI is unfolding in the industry with respect to applications, risks versus rewards, impact on the workforce and more.
Respondents represent banks ranging from less than $10 billion of assets to more than $100 billion of assets, as well as credit unions of all asset sizes.
The results showed that familiarity is the largest hurdle for adoption. Tech-minded changemakers helping prepare their organizations for AI said the top two things they are doing are researching providers and attending industry conferences or events on AI. They are also creating working groups for responsible AI usage and educating stakeholders.
James McPhillips, partner at Clifford Chance, said regulators abroad are more progressive than their American counterparts when it comes to overseeing the intersection of banking and technology, including the recent passage of the European Union’s Artificial Intelligence Act. This disparity has left financial institutions pondering what similar efforts will look like domestically.
“As it stands, federal regulators appear to be planning to use existing laws to regulate the use and deployment of AI, but banks have not yet seen how those regulators will actually enforce those regulations in the context of AI,” McPhillips said.
Below are highlights of the report’s findings that give deep insight into how leaders are getting better informed about the implications of AI and whether or not it can pave the way for future innovation.
What are the best use cases for generative AI in banking and fintech? What do banks and fintechs need to do to keep up with technological advances and not get left behind? We invited two long-time experts on finance and technology — Luis Valdich, managing director of Citi Ventures, and Alex Sion, managing partner of private equity firm Motive Partners — to American Banker’s downtown Manhattan office to share their view of the advantages advanced AI can bring about, as well as the challenges of implementing the technology. Watch this video to find out what they said.
Michael Berman (left), founder and chief executive of Ncontracts, and Ginger Devine (right), senior vice president and senior risk officer at Citizens First Bank, a client of Ncontracts. “This is going to really put financial institutions in the driver’s seat for understanding those control factors earlier in the process,” Berman says of his company’s artificial intelligence assistant for reviewing legal agreements.
For banking executives negotiating contracts with new and existing fintech vendors, careful review of the terms is essential. But as their list of partners grows, the task of analyzing every contract for compliance with current guidelines and continuously monitoring them can become unwieldy.
Meeting the ever-changing standards of regulators is a necessary cost of doing business for both fintechs and financial institutions. Banks and credit unions accordingly scrutinize every third party with which they work to avoid any possibility of missteps in risk management.
Ncontracts, a risk management software firm located in Brentwood, Tennessee, has spent the past year training its new Ntelligent Contracts Assistant to help automate the review process by feeding it vendor contracts with financial institutions and having it learn key terms such as “notice permissions” and “business continuity.” The product made its debut last month.
The assistant scans files one word at a time using optical character recognition and isolates clauses such as price changes and renewal dates using entity extraction. Then it uses a proprietary model powered by generative artificial intelligence to create a comprehensive score and summary that shows how well — or how poorly — the agreement complies with regulatory requirements.
1/4
Screengrab of Ncontracts’ Nvendor platform. Showcased are different modules that track which vendors have different alerts associated with them, as well as the level of risk they pose to the client. (Paul Viancourt)
2/4
A closer look at a summary of an individual contract generated by the Ntelligenct Contract Assistant. (Paul Viancourt)
3/4
Within the Ntelligent Contract Assistant widget, summaries of analyzed documents are broken down by sub categories such as “performance measures or benchmarks” and “costs and compensation.” (Paul Viancourt)
4/4
In contract scorecards generated by the assistant, problematic clauses and sections are isolated and addressed with an explanation for why it was rated inadequate. (Paul Viancourt)
Organizations large and small can “have hundreds of vendors, so being able to automatically process this information as well as identify any exceptions, is a far more efficient use of time than having” a human read each and every agreement, said Michael Berman, founder and chief executive of Ncontracts.
Berman emphasized that the tool, which is offered as part of the firm’s third-party Nvendor platform hosted on Microsoft Azure, is not designed to be a substitute for a lawyer but rather an additive product for running initial checks on contracts and identifying problem areas early on in discussions.
“Having a way to preliminarily run an agreement through a tool [like the Ntelligent Contracts Assistant] and make sure it checks the boxes for all the regulatory issues before you spend thousands and thousands of dollars with a law firm is extremely useful, because nobody wants to spend all that time and money with outside counsel to learn that a vendor doesn’t have everything in place,” Berman said. “This is going to really put financial institutions in the driver’s seat for understanding those control factors earlier in the process.”
With the proliferation of cybersecurity breaches and other third-party issues across the banking industry last year, officials with the Federal Reserve, Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency finalized guidance in June detailing proper steps for overseeing relationships with external vendors.
“As part of sound risk management, it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships,” the guidance said.
Organizations that have been hit with consent orders over their fintech relationships include the $3.2 billion-asset Blue Ridge Bank in Martinsville, Virginia, which has been offloading fintech partners to address compliance shortcomings in its banking-as-a-service relationships.
Ginger Devine, senior vice president and senior risk officer at Citizens First Bank in The Villages, Florida, was looking for help managing vendor relationships when she began partnering with Ncontracts more than five years ago.
“We were challenged in our ability to be able to process all the information related to our vendors, effectively obtain due diligence documentation, conduct risk assessments that were appropriate for the level of risk that the vendor [posed to] us and then do ongoing coordination with the vendor as everything was changing,” Devine said.
The $3.7 billion-asset bank uses several of the products offered as part of the Nvendor platform to manage internal and external audits, conduct custom risk assessments, stay up to date on relevant regulatory changes and more. As the bank continues its expansion, contracts are becoming more complex, leading executives to explore the potential benefits of Ncontract’s assistant.
Tools such as these are valuable “for all of us that are in [risk-oriented] roles where we’re expected to have a good understanding of what’s happening across the board, because we can’t be experts in everything,” Devine said.
Ncontracts is among a number of vendors that have recently begun offering AI-powered contract assistants such as the New York-based SpotDraft’s VerifAI and the Bellevue, Washington-based Icertis’ Contract Intelligence Copilots that entered the market in the middle of last year.
On an institutional basis, that means instituting a “robust governance framework” before using any AI-powered tools and “ensuring proper due diligence is done to better understand their scope,” said James McPhillips, a partner at the New York-based law firm Clifford Chance.
“Like any financial institution that has to analyze its third-party relationships, especially those that are critical, undertaking a due diligence process and performing a robust governance process on the use of [those tools] is really what all the banks are setting up and doing right now,” McPhillips said.
Executives seeking to address these gaps with outside help must remain dedicated to solving issues at their root cause, rather than adopting products as a temporary solution.
“Perhaps most crucially, banks and all industries should not rely on hopes that technology will eventually come out tomorrow to face the challenges the technology brings today,” said Gilles Ubaghs, strategic advisor on commercial banking and payments for Datos Insights.
The Colorado-based institution is overhauling its training procedures by using simulated VR experiences to prepare new member service representatives for their roles without the stress of serving live customers while supervisors watch.
Motive.io
When it comes to helping newly onboarded employees develop the skills and knowledge needed for success in their positions, most organizations use traditional methods like expansive handbooks or long lectures. While that may have worked for previous generations of workers, Ent Credit Union in Colorado Springs, Colorado, is trying something new: virtual reality.
In so doing, it joins a small, but growing, group of financial institutions seeking to help the next generation of front line staffers acclimate to the responsibilities of their roles — without the stressors of “trial by fire” training sessions facing real customers with supervisors watching.
The $10 billion-asset Ent began working with the Vancouver, British Columbia-based Motive.io and Aequilibrium in October to explore how the credit union could make training programs more interactive by leveraging virtual reality. Both firms specialize in the catch-all concept of extended reality, which in addition to virtual reality also includes augmented reality and mixed reality.
“Often with new member service representatives, they stress over wondering if they said or did the right thing during a traditional scenario-based learning session with a human [respondent]. … The really cool piece about VR is that they get to play and go down that rabbit trail basically, and figure out where their mistakes were without it being high risk,” said Lori Benton, vice president of learning and cultural enrichment at Ent Credit Union.
Digital consultants at Aequilibrium helped develop the credit union-specific scenarios in the software on behalf of Ent and provided the institution with VR devices. They worked closely with department heads at Ent to better understand what skills need to be emphasized, explained Adrian Moise, founder and chief executive of Aequilibrium.
In addition to technical skills, the scenarios his firm created also help sharpen soft skills such as etiquette for interacting with members, Moise said.
The Aequilibrium team uses Motive’s software development kit to work in the cross-platform game engine Unity. Through the SDK, the three-dimensional environment can be programmed to include moveable objects and other interactive elements like virtual AI-powered avatars that simulate conversations by acknowledging user responses and progress along a prewritten script. The credit union is creating avatars using the text-to-speech avatar tool in Microsoft’s Azure AI platform.
Aequilibrium designers then move to Motive’s Storyflow tool after the test environment is established to write the step-by-step progression of the scenario, which involves prebuilt modules that represent different prompts like visual cues to advance the story as well as actions to interact with props. Modules also include vocal phrases for the aforementioned avatars to activate when conversing with the employee.
In Ent’s case, as employees talk to the avatars, the AI will compare their responses against a bank of understood phrases and generate scores based on how close the employee was to the list of acceptable answers. This characteristic, also known as intent recognition, provides the avatar with a greater element of flexibility when compared to focusing on exact matches.
Peter Wittig, director of customer experience at Motive, said the adjustability of the platform helps reduce the necessary time needed to update the scenarios.
“Most people make VR like a music box, where the tune is part of the machine and if you ever want to change the tune, you have to send it back to a bunch of software developers,” Wittig said. “The approach we take is [more like] allowing users to create a stage that they can then create scripts to play out on it.”
1/4
An example of what a three-dimensional simulation environment and all its assets could look like. (Aequilibrium)
2/4
Motive.io’s Storyflow platform allows users to build custom scenarios using module blocks as well as custom scripts. (Aequilibrium)
3/4
Dialogue between employees and the AI-powered avatars are broken down in this example to showcase how each phrase is categorized and understood by the bot. (Aequilibrium)
4/4
Perspective of the employee interacting with the bot, accompanied by a visual cue for what to say. (Aequilibrium)
Once the storyboarding is complete and rolled out using the firm’s content management system, employees will receive a code to complete a session using the VR device of their choosing. Results are compiled in the CMS for training staff to review and identify problem areas on an individual and aggregate basis.
“We’re really trying to walk away from a lot of [traditional training methods] and use modern technology because the people we hire use modern technology in their day to day lives,” Benton said.
Banks and credit unions need to use proper due diligence when training AI bots, experts said. They also need to recognize that users will have varying levels of reception to the technology.
“Sometimes AI can surprise us by doing something in a way that we wouldn’t have thought of. So how do you trust it enough to do the right thing, and distrust it enough to always double check and make sure that what you’re doing is [both] accurate and appropriate,” said Donna Z. Davis, director of the immersive media communication master’s program and Oregon Reality (OR) Lab at the University of Oregon. “At the end of the day, there always has to be a human looking at the whole picture.”
The campaign is still in the developmental stage at Ent, but is slated to be put to use with member service representatives as the resources near completion.
“Depending on who facilitates the training, you can get a varied experience. … With the virtual reality tool, it’s a fairly consistent experience,” said Marnie Gerkhardt, director of learning innovation at Ent. “So it can build that consistency with the responses and the behaviors within our teams.”
The operator of a cash-advance app has run into trouble with the Federal Trade Commission — for the same reasons one of its competitors was penalized by the agency in November.
On Jan. 2, the FTC filed a lawsuit against FloatMe — whose app “floats” small amounts to members who pay the $3.99 monthly membership fee — and ordered the company to pay $3 million. The FTC alleges FloatMe made a number of deceptive claims, engaged in unfair discrimination and charged customers without their consent.
For instance, the FTC claims that the San Antonio, Texas-based company knowingly lies to consumers about their chances of receiving advances of up to $50 via an automated process that increases the cash advance limit over time. In reality, the FTC says, this automated process does not exist, and a very slim percentage ever receive $50. There is a $4 surprise fee for receiving money instantly, rather than after the standard three-day waiting period, contrary to advertising that suggests the advances are instant for members upon downloading the app for “no hidden fees,” the FTC says.
In determining which users receive advances, FloatMe doesn’t count income that derives from gig work, tips, pensions, military benefits or public assistance, according to the FTC. Finally, the FTC claims that FloatMe has charged users in several instances without their consent, including after customers canceled their accounts.
An attorney for FloatMe did not immediately respond to a request for comment.
FloatMe changed some of its wording after learning of the FTC’s investigation, according to the agency, such as removing the “up to” $50 assertion on its website. “Only after the FTC’s investigation began did FloatMe add anything about the $4 fee for instant advances to its website; even then, FloatMe buried any mention of the fee in the bottom half of its website, after multiple links inviting consumers to leave the site to download the app,” reads the complaint. Currently, the homepage lists varying fees for Instant Floats.
These issues echo claims the FTC lodged in November against Brigit, a consumer finance app that allegedly misled customers about the amount of money they could access via cash advances — “up to $250” — and locked them into paid subscription plans that were burdensome to cancel. The proposed court order would require Brigit to pay $18 million in consumer refunds and change the way it markets to customers and handles cancellation requests.
Brigit told American Banker at the time that it “strongly disagree[s]” with the allegations but it decided to settle with the FTC nonetheless in the best interests of its customers and employees.
The FTC’s action against Brigit is one of several it has initiated in recent years against companies extending some form of credit, suggesting that it is an enforcement priority and an area where fintechs specializing in nontraditional credit need to tread carefully.
“For those operating in this space, it’s a good reminder that you have to be exercising caution” on matters ranging from how services are marketed to how fees are disclosed, Donnelly McDowell, a Washington-based partner at the law firm Kelley, Drye & Warren, said in a November interview with American Banker.
Sen. Joe Manchin, a Democrat from West Virginia, and Sen. John Moran, a Republican from Kansas, reintroduced the Fair Audits and Inspections for Regulators (FAIR) Exams Act this month in an effort to enhance transparency of bank examinations.
Anna Rose Layden/Bloomberg
Banking-as-a-service institutions are applauding legislators’ calls for fairer exams and increased transparency from federal financial regulators.
Last week, the American Fintech Council, which represents BaaS banks, supported the introduction of the Fair Audits and Inspections for Regulators (FAIR) Exams Act by Sens. John Moran, a Republican from Kansas., and Joe Manchin, a Democrat from West Virginia.
David Patti, director of communications and government relations at Customers Bank, said financial institutions would prefer to be told what the exact expectations are, instead of guessing until they get it wrong. Brian Graham, a co-founder and partner at Klaros Group, said regulators haven’t issued many clear-cut rules for BaaS, and the process for challenging those agencies can be precarious.
“There’s a legitimate point to be made that much more of the public policy around banking is happening outside of the law and regulation process, and [instead] in the supervisory process, which can both feel more arbitrary and unfair and sometimes can be arbitrary and unfair,” Graham said.
Phil Goldfeder, CEO of the American Fintech Council, said in a prepared statement in response to the proposed legislation that, “innovative banks are rightfully held to the highest standard of transparency, compliance and responsibility,” but added that regulators should meet the same bar.
Banking-as-a-service [BaaS], when fintechs and banks partner to deliver services, has been high on regulators’ radars in the last couple of years. In June, the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation issued guidance for how banks can assess and monitor third-party relationships, but bankers and trade groups said the report still wasn’t specific enough.
Patti said that Customers, a player in the BaaS space, is in constant communication with its regulators to make policy decisions for the bank to follow. But if regulators make individual decisions with each financial institution, it’s hard to know if each bank is treated consistently, he said.
“In the absence of bright lines, it depends on relationships [with regulators],” Patti said. “So there’s probably not much transparency….it’s not transparent and not public.”
BaaS sponsor banks, which bear the brunt of the regulatory burden in these relationships, have also relied on other banks’ mistakes as blueprints for what not to do due to a lack of formal rules, Graham said. Blue Ridge Bank, Cross River Bank and First Fed Bank have each been hit with enforcement actions regarding their BaaS practices in the last year and a half.
These regulatory decisions can also seem ad hoc or idiosyncratic, Graham said, as determinations are made based on internal assessments, instead of publicly available information.
“Right now, BaaS activities are a significant area of focus for the regulators, fair or unfair,” Graham said. “It does appear that much of what the regulators want to achieve in the space — from a policy point of view or risk management point of view or compliance point of view — is being done through enforcement actions.”
Patti said that Customers has a good relationship with its overseers, but he thinks an independent examination review protocol would increase visibility of policies.
The full text of the Fair Exams Act hasn’t been published, but other aspects of the bill include requiring agencies to issue timely responses to bankers during exams and creating an independent examination review director within the Federal Financial Institutions Examinations Council to inspect exams upon banks’ requests. The American Bankers Association and Independent Community Bankers of America also supported the proposal in written statements.
The FDIC, Fed and OCC each have ombudsman offices designed for banks to appeal or question regulatory decisions without fear of retaliation. Graham said, however, that banks he’s spoken to don’t see these units as a practical option, since the process is still under the regulators’ umbrella.
The Fed and FDIC declined to comment. The OCC did not respond to a request for comment.
Neither Graham nor Patti think the FAIR Exams Act will pass. But similar to how regulators can use actions to make policy, Patti thinks it’s possible a recent case heard by the U.S. Supreme Court could lead to more “neutral” enforcement and appeals processes. In Securities and Exchange Commission v. Jarkesy, a hedge-fund founder challenged the constitutionality of the agency’s administrative enforcement proceedings. The case could have implications for banking regulators too, potentially requiring court involvement in enforcement actions.
The court hasn’t yet issued a decision on the case, but justices expressed skepticism in comments about the use of in-house judges.
Financial institutions are increasing their tech budgets and honing in on AI in 2024 following a rollercoaster year of bank failures, interest rate shifts and geopolitical unrest.
About three-quarters of banks and finance firms are planning to invest more in technology spending, according to recent research from Arizent, American Banker’s parent company.
The research comes from a survey of 314 representatives, primarily made up of leaders, from banks, fintechs, credit unions and payment companies. About one-third of respondents are planning to increase their annual tech spending by 1% to 9%, another third expect a 10% to 19% increase and about 9% of respondents plan to raise their tech budgets by more than 20% from last year.
Here’s what Arizent’s research showed are the top tech priorities for financial institutions in 2024:
The $225 billion-asset bank is doubling-down on its partnership with the New York-based payroll verification and direct deposit account-switching firm Pinwheel to streamline new account fundings and bolster the flow of new customers.
Michael Nagle/Bloomberg
The Federal Reserve’s aggressive interest rate hikes throughout the majority of 2023 fueled a race for consumer deposits that pushed bank executives to offer competitive — yet costly — savings rates. But as predictions that the Fed will hold or cut rates in the first half of next year continue to persist, Citizens Bank in Providence, Rhode Island, is enlisting the help of its fintech partnerships to bolster the flow of incoming deposits.
To help both retain existing customers and attract new ones, the $225 billion-asset Citizens began working with the New York-based payroll verification and direct deposit account-switching firm Pinwheel earlier this year on adopting its tools for simplifying the process of moving paycheck disbursements to Citizens accounts.
Consumers accessing the bank’s online banking platform are prompted to search for their payroll provider through the Pinwheel integration, which uses a permission-based API to match and confirm details such as Social Security and telephone numbers between the two databases. After completing a multi-factor authentication, which substitutes the need for a second set of login credentials, customers can choose a different account to fund.
While a partnership between Pinwheel and the payroll provider isn’t necessary for consumer access, banks that want to use Pinwheel’s deposit-switching tool have to be Pinwheel customers.
The ability to streamline this process has “long been talked about” across the industry, as part of reducing the friction points during the “early days of building a relationship with the clients,” said Chris Powell, executive vice president and head of consumer checking and deposits at Citizens.
“Historically, banks were hanging their hat on the fact that it was harder for a customer to move from ‘Bank A’ to ‘Bank B.’ … In today’s environment, you can transfer those funds and move your direct deposit over with a couple of clicks, giving customers a greater level of choice,” Powell said.
Powell explained that where consumers keep their deposits is a “direct sign of trust” in their financial institution of choice, and winning that initial business can promote the use of debit products and other services. Citizens Bank also debuted a similar ability for business banking clients interested in opening their own accounts in October.
“As we look at the competitive environment, it behooves us to make sure that we’re at the forefront of providing customers with that flexibility and choice so that as they look at different providers, they could consider that we become the one that they ultimately choose,” Powell said.
Firms specializing in offering DDS tools, which include Clickswitch and Atomic in addition to Pinwheel, are not new to the marketplace. But the turmoil generated by this year’s banking crisis saw consumers flock to other institutions like credit card issuers and credit unions offering stability and attractive rates.
This dynamic could be further empowered by the Consumer Financial Protection Bureau rule implementing section 1033 of the Consumer Financial Protection Act of 2010, which would require financial institutions offering products such as checking accounts and credit cards to permit customers to share or transfer their personal data to other organizations. Data points include transaction amounts, payment types, account balances and more.
Brian Karimi-Pashaki, partnerships lead for Pinwheel, explained how the incumbency created from the difficulty in moving funds from one institution to another would be disrupted if the CFPB’s proposal is approved, creating competition that benefits consumers and the firms that help facilitate the moves.
“As it becomes easier to switch, banks are going to have to fight harder to win your business by offering higher rates for savings and lower rates for borrowing and better product experiences that you would see more often from fintechs,” Karimi-Pashaki said.
Pinwheel, which works with organizations like Plaid and American Express, formally announced its partnership with the Dallas-based payroll provider OneSource Virtual in November as part of the proliferation of open banking concepts. The collaboration is set to go live sometime this month.
But challenges still persist on the technology side when it comes to building the connections between financial institutions and providers like OSV and many others.
Don Weinstein, former chief product and technology officer of ADP, said the number of banks, credit unions and other challenger institutions in the market when compared to payroll companies means that the larger players are increasingly selective about which organizations are granted access to their data — especially when it concerns startups.
This “many to many” courting problem, which requires a significant amount of time and money to sustain, showcases the value of intermediaries like Pinwheel to serve as a single integration point rather than multiple.
“We’re all chasing the same thing, which is financial institutions wanting to make it as easy as possible to capture the direct deposit, and the providers who want to make it as easy as possible for the consumers to get the direct deposit in place,” Weinstein said.
A fintech company has launched a secured credit card, the second to do so in two months.
Upgrade, which offers checking and savings accounts, credit and loans through its bank partners, announced on Wednesday the launch of Secured OneCard, a secured version of its Upgrade OneCard. OneCard is a hybrid debit/credit card with “pay now” or “pay later” options the company started testing earlier this year. It follows the recent launch of NerdWallet’s secured NerdUp card, which was announced in October.
Renaud Laplanche, co-founder and CEO of Upgrade, says three things set his company’s secured card apart from other options.
One is the ability to earn cash back of 1.5% to 3% depending on the type of purchase and whether users have met certain conditions. Another is the 5.07% yield users earn on the funds they keep in their Upgrade savings account that secure their credit line. A third is a “graduation” mechanism where Upgrade will examine its customers’ card usage, credit history and other factors to determine a good time to elevate them to the unsecured version, starting at the three-month mark. Users will keep the same card and will not have to change card numbers.
“We feel that we are giving users good value with high cash back and high APY on savings, but setting them up well for the future with the ability to build credit and have a pretty smooth transition to unsecured credit once they’ve earned it,” said Laplanche in an interview.
There are no annual or late fees; the interest rate is a fixed 19.99%. Users must start with a minimum balance of $200.
Like NerdUp, the card was not designed to be profitable in its early days. The hope is that people will remain enmeshed with the brand and its products after using the card. It is intended for people with low or no credit, including young cardholders and recent immigrants.
“It’s not a product that is designed to make money,” said Laplanche. “It’s a way to help consumers build their credit.” Another card in Upgrade’s portfolio, Upgrade Select, is also considered entry-level, with unsecured credit lines maxing out at $2,000.
The Upgrade OneCard is issued by the $2 billion-asset Sutton Bank in Attica, Ohio.
Some of these features differentiate the secured OneCard, said Tony DeSanctis, a senior director at Cornerstone Advisors, including the cash-back rewards and the graduation strategy. But as with NerdUp’s cash rewards, “it does impact the economics pretty significantly,” he said.
“My guess is that since most folks looking for secured cards are not likely to move their deposit relationship to a new provider like this just to get rewards, the deposit-gathering side of this will not be as successful on the secured side as it is for the regular card,” DeSanctis said.
There are a range of credit-building mechanisms offered by fintechs and financial services companies, from having users set aside a sum of money each month that will be drawn upon to make payments to checking accounts that translate on-time bill payments into evidence of creditworthiness.
Although the success of Chime’s credit builder card suggests other fintechs can enjoy the same success, “I am not sure [the Upgrade and NerdWallet products] will make a dent,” said DeSanctis.
Digital banking functions at approximately 60 credit unions have been interrupted by a ransomware attack on a third-party service provider, but there is no evidence that consumer data has been misused, according to the company whose system was compromised.
Ongoing Operations, a credit union information-technology firm, says it experienced a cybersecurity incident on Nov. 26. Ongoing Operations added that it has “no evidence of any misuse of information,” although it is “reviewing the impacted data to determine exactly what information was impacted and to whom that information belonged.”
Neither Ongoing Operations nor its parent company, Trellance, responded to requests for comment.
A spokesman for the National Credit Union Administration confirmed the number of affected entities in a statement Tuesday, adding that the regulatory agency is “in close contact with affected credit unions.” He also said member deposits at affected federally insured credit unions are covered up to $250,000.
The incident was a ransomware attack, according to a Nov. 30 statement from Maggie Pope, the CEO of Mountain Valley Federal Credit Union in Peru, New York. Pope said the next day that online banking and bill-pay services had been interrupted by the attack, but members could still use their debit cards and get cash from ATMs or in a branch. Online banking remains down for the credit union.
The core-banking software provider FedComp notified Mountain Valley of the attack against Trellance, according to Pope. FedComp did not respond to a request for comment.
FedComp’s own services appear to have been disrupted by the attack. Its data center was “experiencing technical difficulties and is under a country wide outage,” according to a notice on the company’s website Nov. 30 that was later removed but is still visible as a Google cached file.
FedComp said at the time that “Trellance is still working on resolving the issue.” FedComp has not clarified whether its data center is still disrupted, but one credit union said Tuesday it expected to regain access to its own FedComp server “soon.”
The credit union, NY Bravest Federal Credit Union, serves New York firefighters and is based in Albany. It uses FedComp’s core-banking services and has been affected by the attack against Trellance. NY Bravest was anticipating an estimate on Tuesday regarding when its services would return, according to a notice on its website.
NY Bravest told members it “went above and beyond” in responding to the outage to ensure members “felt as little disruption as possible,” claiming the credit union built its own database after the disruption to give staff and members who reached out to the credit union up-to-date balances.
“While the other credit unions that were affected by this outage sat and waited, NY Bravest FCU went above and beyond and ensured members felt as little disruption as possible,” the credit union’s notice said.
Before the ransomware attack, Ongoing Operations had failed to patch a vulnerability in the cloud-networking software NetScaler, according to Kevin Beaumont, a cybersecurity researcher who until October served as head of cybersecurity operations at the telecommunications company Vodafone.
Cloud Software Group, the company that owns NetScaler, warned users on Oct. 10 about the NetScaler vulnerability, later dubbed Citrix Bleed, saying it could result in “unauthorized data disclosure.” Cloud Software Group provided information about how to patch the vulnerability with the announcement.
On a 0 to 10 scale used to rate the severity of cybersecurity vulnerabilities, Citrix rated the NetScaler vulnerability a 9.4, which is at the high end of the scale.
On Oct. 23, Cloud Software Group followed up by saying it had reports of “targeted attacks” exploiting the Citrix Bleed vulnerability. A month later, on Nov. 21, federal agencies including the FBI warned that the ransomware group LockBit and its affiliates had been exploiting Citrix Bleed, emphasizing that the move could allow bad actors to “bypass password requirements and multifactor authentication.”
Ongoing Operations is not the only firm that appears to have neglected these warnings about Citrix Bleed. An attack last month against the U.S. arm of the Industrial and Commercial Bank of China (ICBC), which prevented some U.S. debt brokers from conveying trade contracts, also stemmed from the Citrix Bleed vulnerability, according to a report by The Wall Street Journal.
For his part, Beaumont pointed out multiple pathways for preventing vulnerabilities like Citrix Bleed and the fallout they can produce, including having software vendors better secure their products and outlawing ransom payments. At the moment, he said, ransomware actors — often teenagers receiving huge sums of money in ransom payments — are far more powerful than they ought to be thanks to companies accepting ransomware attacks as somewhat normal.
“We shouldn’t have normalized ransomware like we have, especially given the escalating nature of the problem,” Beaumont said.
