Richard Pace

The Cross River Consent Order: Why Banks and Fintechs Should Be Concerned

Updated: 4 days ago


Cross River Consent Order

The Consent Order Creates Potentially Serious Conflicts Between the Parties on Data and Information Sharing and Fair Lending Compliance Risk Management Responsibilities.


As I have previously written, the rise of artificial intelligence, machine learning, and alternative data - coupled with a growing societal focus on fairness - has led a cadre of non-bank consumer lenders to emerge, powered by digital technologies and a new breed of credit scoring model, to disrupt the consumer finance industry with more expansive and equitable access to credit. To fund their loan originations, many of these fintechs rely on a network of bank partnerships - offering the opportunity for (primarily) smaller banking institutions to scale up significantly their consumer loan portfolios - e.g., personal loans, automobile loans, mortgages, and buy-now-pay-later ("BNPL") financing - in exchange for the fintechs' access to the banks' low-cost deposit-based funding and streamlined federally-based lending regulations - a win-win relationship.

However, not unexpectedly, cracks have begun to form in this bank-fintech ecosystem as it undergoes closer scrutiny under a more progressive federal regulatory climate concerned about potential consumer protection risks from federally-unsupervised non-bank lenders establishing so-called "rent-a-charter" relationships with less sophisticated banks. The most serious challenge to this ecosystem so far occurred on April 28, 2023 when the FDIC publicly released a Consent Order with Cross River Bank ("CRB") - one of the leading banks within this ecosystem - to resolve claims that CRB "engaged in the unsafe or unsound banking practices related to its compliance with applicable fair lending laws and regulations" as related primarily to CRB's complex network of fintech-driven, third-party lending relationships.

According to the FDIC, based on its confidential 2021 Report of Examination, CRB:

• failed "to establish and maintain internal controls, information systems, and prudent credit underwriting practices in conformance with the Safety and Soundness Standards contained in Appendix A of 12 C.F.R. Part 364"; and

• allegedly violated "... the Equal Credit Opportunity Act ... as implemented by Regulation B ... , and the Truth-in-Lending Act ... as implemented by Regulation Z ....".

While the Cross River Consent Order does not provide supporting detail to these allegations, its Corrective Action requirements do provide interesting context and insight around the underlying drivers of the FDIC's concerns - as well as the bank internal control frameworks expected for CRB's fintech-driven business model.


But isn't this Consent Order unique to CRB's specific business model? Or does it have broader implications for any bank working with fintech lenders?


In my opinion, the consumer compliance risks noted in the Consent Order generalize more broadly to situations whereby banks scale their lending volumes via fintech partnerships, fourth-party customer acquisition networks (e.g., BNPL merchants), and/or proprietary fintech lending algorithms. While the sheer volume and complexity of CRB's fintech ecosystem certainly amplified its third-party fair lending risks and alleged control deficiencies to a level critical enough to warrant formal enforcement action, it's a good bet that the fundamental third-party fair lending CMS expectations outlined in this Consent Order would also apply to other (FDIC-supervised) banks with any such relationships. Additionally, given the long history of interagency cooperation on fair lending regulation and enforcement, it would not be a stretch to expect the other bank regulatory agencies to adopt similar positions going forward.

OK, but is there anything new here? Third-party fair lending risk management has been a regulatory hot topic for several years.


I believe there is. While banks have always had a responsibility to manage third-party fair lending risks, the emergence of the fintech ecosystem has changed the nature of those risks in important ways. In the past, these risks primarily focused on third-party originators - such as mortgage brokers or automobile dealerships - whose role was limited to sourcing completed credit applications on behalf of the bank in exchange for a fee. Under this partnership structure, regulatory compliance activities were straightforward as the bank performed virtually all lending functions - including credit risk assessments, loan underwriting, loan pricing, consumer disclosures, and loan funding - and, therefore, possessed all the data and information necessary to support such activities.[1]

Modern-day fintech lending relationships, on the other hand, frequently involve a transfer to the third party of some lending functions - such as credit risk assessments, loan underwriting, and loan pricing - although such functions tend to be restricted by the credit risk parameters that define the bank's "credit box".[2] In these modern-day relationships, the fintech frequently combines its proprietary data and algorithms with the bank's credit box to decision and price loan applications on the bank's behalf - with the bank's operational role limited mainly to back-end compliance and loan funding activities. Additionally, for fintech partners who employ a network of fourth-party merchants to source credit applications (e.g., BNPL products), a bank's fair lending risk is further expanded due to the extended compliance risks associated with the merchants' actions - for example, applicant information collection, marketing, and Truth-in-Lending disclosure information.

It is this recent evolution in bank third-party lending relationships that created new fair lending risk scenarios and, accordingly, new bank regulatory expectations for third-party compliance risk management.


So what lessons should banks take away from this Consent Order?


The overall Consent Order provisions have been summarized by numerous media outlets and law firms, and I refer readers to such publications for more general information on the provisions. Instead, in this post, I want to focus on three requirements related to the bank's fair lending monitoring of the fintech's algorithms and lending decisions that I believe are particularly important, and that may create significant conflicts within the framework of current bank-fintech relationships.

Before I begin, I note that my thoughts here are based on a plain language reading of the enforcement action. As always, for specific guidance, consult legal counsel. With that qualification ...


Let's dive in.


""


Data and Algorithmic Information Transparency Requirements For Fintech Partners



According to the Consent Order, to support the bank's independent fair lending compliance oversight responsibilities, the FDIC expects the bank to have full and continuing access to the underlying data and information associated with the algorithms used, and the lending decisions made, by the fintech partner on their behalf. Such information may include credit model variables and weightings, transaction data, and fair lending compliance/audit reports performed by, or on behalf of, the fintech partner. Importantly, this information must also be made available to state and federal regulatory agencies.


These requirements can be found in the following sections of the Consent Order where CRB is required to:

• Maintain "sufficiently complete, accurate, and accessible ... data, documents, records and any other information, in any medium or form, ... (collectively, Information), related to each CRB credit product, every Third Party, and any models or systems, including any variables or weightings, used or relied on in connection with a CRB Credit Product (CRB Credit Model) ... to enable the Bank to appropriately determine and monitor the compliance of such CRB Credit Products, Third Parties, and CRB Credit Models with all applicable fair lending laws and regulations." (p. 8, emphasis mine)

• Maintain Third-Party compliance internal controls related to applicable fair lending laws and regulations. "The Third-Party Compliance Policies and Procedures must require that all Information related to a CRB Decision or CRB Credit Model (collectively, CRB Decision Records) be collected by the Bank or a Third Party and readily accessible by the Bank; satisfactorily sampled to ensure the information necessary to perform fair lending monitoring, audits, and system validations is included, accurate, and complete; and the CRB Decision Records are retained in compliance with all applicable regulations and are fully accessible to Bank personnel and Federal and State regulatory agencies;" (pp. 24-25, emphasis mine)

• Maintain Fair Lending Internal Controls that "must provide for the satisfactory monitoring of CRB Decisions, CRB Credit Products, and Third Parties for compliance with applicable fair lending laws and regulations; ... The Fair Lending Internal Controls related to Fair Lending Monitoring must, at minimum ... appropriately monitor identified risks, including the risks identified in ... audit reports, whether issued by the IAD or an auditor associated with a Third Party, Fair Lending Compliance Reports ... reports prepared by or on behalf of a Third Party pertaining in any way to the Third Party's compliance with applicable fair lending laws and regulations, and any other analyses and reviews related to compliance with applicable fair lending laws and regulations." (pp. 19-20, emphasis mine)

• Maintain Fair Lending Internal Controls related to Fair Lending Monitoring that "must, at minimum ... establish statistical analysis and/or transaction testing requirements that appropriately consider actual underwriting and pricing factors used in connection with all CRB Decisions, CRB Credit Products and Third Parties." (p. 20, emphasis mine)

• Establish "a comprehensive written agreement with a New Third Party clearly documenting and defining the specific duties and responsibilities of each party in connection with the offering of all proposed New CRB Credit Products. Such agreements must, at a minimum ... ensure full and timely access by Bank employees and the appropriate federal and state regulatory agencies to all information necessary to perform fair lending monitoring, audits, and validations of the New Third-Party Internal Controls;" (p. 28, emphasis mine)

What I find notable and new about these requirements is that they make explicit a bank's requirement to evaluate independently the fair lending compliance of third-party lending decisions - including supporting decision models - executed on the bank's behalf. What this means is that - even if the fintech has an extensive fair lending compliance program - the bank must still have its own set of fair lending policies and procedures for evaluating potential disparate treatment and disparate impact risks associated with the relevant fintech lending activities, and not simply rely on representations or testing artifacts provided by the fintech or by an independent consultant commissioned by the fintech.[3]

While the fintech's fair lending analyses - including those related to the fairness of algorithmic decision models - can be considered by the bank, the bank will need to assess the design and execution of such analyses relative to its own fair lending policies and procedures, using resources with the appropriate skill sets and knowledge to critically evaluate and credibly challenge the information provided, and using all necessary data and information from the fintech to support such assessments - including detailed algorithmic information and transaction data. Additionally, while there may be different views on this, the bank should consider whether ancillary decision models/algorithms used by the fintech on the bank's behalf for target marketing, fraud detection, or the need for income/employment verification should be evaluated for potential fair lending risks.

To the extent that the design, execution, and supporting details of the fintech's analyses fall short of the bank's fair lending policy requirements, the bank will need to compensate accordingly or consider these deficiencies in its third-party approval process. Potential areas where deficiencies relative to the bank's fair lending policy may arise include:

  • The fintech's methods and data to identify race/ethnicity, gender, and age for fair lending analysis.

  • The fintech's fair lending disparity metrics.

  • The fintech's methodologies to test for disparate impact or disparate treatment.

  • The scope of the fintech's disparate impact or disparate treatment testing.

  • The frequency of the fintech's fair lending analysis.

Even if the fintech's fair lending analyses align exactly with the bank's fair lending policy requirements, they will still likely need to be auditable. That is, the bank would need to perform sufficient testing and validation procedures to establish their reliability for the bank's intended purpose.[4]

Additionally, besides the disparate impact and disparate treatment testing of the algorithmic decision models, the Bank should also evaluate - relative to its own fair lending policies - the fintech's methodology and validation testing of:

• the analytics and algorithms that determine Adverse Action notification reasons per ECOA and FCRA requirements - taking into account recent bank regulatory guidance in this area.[5]

• the analytics and algorithms used to "de-bias" the decision models used on the bank's behalf - taking into account the existing regulatory uncertainty of such de-biasing methodologies as well as the potential to create unexpected risks in other areas.

If interpreted correctly, these Consent Order requirements may resolve historical uncertainty as to (1) what level of detailed knowledge a bank is expected to obtain from its fintech partners on applicable decision model variables and algorithms, (2) what reliance a bank may place on the fintech's fair lending compliance representations and testing artifacts, and (3) what type of transparency fintech partners are expected to provide to their client banks concerning on-going internal fair lending performance testing and assessments - regardless (apparently) of legal privilege claims.

The requirement of this depth and breadth of information transparency - enforced by written contractual agreements between the parties - is certainly not the current norm across the bank-fintech ecosystem as the smaller, less sophisticated banks may place greater reliance on their fintech partners' technical expertise and pre-packaged fair lending compliance artifacts - and the fintechs protect their intellectual property through limited technical disclosures to their bank clients.


As a result, the Consent Order requirements are certain to raise the temperature around these relationships - with potential cracks emerging in the current ecosystem - as the fintechs potentially face:

• a slew of inconsistent and possibly conflicting requirements across their bank clients' fair lending monitoring policies and procedures (e.g., different race/ethnicity proxy methodologies, different fair lending disparity metrics, different adverse action methodologies, etc.),

• data and algorithmic information disclosures that may compromise the fintech's intellectual property protection goals,

• contractual requirements to provide bank clients with advanced notice of planned changes to credit underwriting and pricing processes - including models and algorithms used therein - and the opportunity to evaluate such planned changes for potential fair lending risks,[6] and

• disclosures of internal fair lending testing results that may undermine the fintech's legal privilege claims.


""

Requirements For Independent Bank Fair Lending Monitoring of Fintech Partner Lending Disparities - Including Algorithmically-Driven Disparate Impact


The bank must implement its own risk-based fair lending monitoring policy and controls to detect potential lending outcome disparities for each fintech-originated credit product - and, potentially, for fourth-party merchants through which the fintech partner sources applicants.

Per the Consent Order, CRB is required to:

• Maintain Fair Lending Internal Controls that "require appropriate oversight and monitoring of all CRB Decisions to ensure compliance with applicable fair lending laws and regulations; and identify statistically significant disparities involving a prohibited basis ... under applicable fair lending laws and regulations (Disparities). ... The Fair Lending Policies and Procedures must include processes to: (i) determine whether detected Disparities appear to be the result of one or more acts or practices that do not comply with applicable fair lending laws and regulations (Discriminatory Practice);" (pp. 17-18, emphasis mine)

• Maintain Fair Lending Internal Controls that "establish statistical analysis and/or transaction testing requirements that appropriately consider actual underwriting and pricing factors used in connection with all CRB Decisions, CRB Credit Products and Third Parties; and ... identify Disparities and then investigate, analyze, and determine whether any such Disparities resulted in an apparent Discriminatory Practice;" (p. 20, emphasis mine)

• Perform a Fair Lending Compliance Assessment for each Third Party offering one or more CRB Credit Products for a period of six months or more during the timeframe starting January 1, 2021, through December 31, 2022 that includes "a detailed description of any CRB Decisions that do not appear to have been made in compliance with the Third Party's policies or procedures and/or applicable fair lending laws and regulations indicating whether the CRB Decision involved a Disparity; an analysis of whether any of the CRB Decisions involving a Disparity resulted in an apparent Discriminatory Practice;" (pp. 22-23, emphasis mine)

• Develop "policies, procedures, and/or processes to conduct periodic, but not less than annual, assessments of whether each Third Party offering one or more CRB Credit Products for a period of six months or more during the calendar year preceding such assessment offered these CRB Credit Products in compliance with applicable fair lending laws and regulations;" (p. 24, emphasis mine)

• Maintain Third-Party Compliance Policies and Procedures that "require appropriate oversight and monitoring of all CRB Decisions made by a Third Party, and establish standards and processes for such oversight and monitoring, appropriately taking into account the complexity, risk profile, and transaction volume of such Third Party's operations, including the CRB Credit Products offered by the Third Party, the adequacy of the Third Party's compliance program, the number of Third-Party Merchants, transaction volume of the Third-Party Merchants, and the Third Party's oversight of Third-Party Merchants;" (pp. 25-26, emphasis mine)

These requirements make it rather clear that it is an unsafe or unsound practice for a bank to manage its third-party fair lending risk primarily by reviewing certain standardized fair lending testing artifacts designed and reported by the fintech partner. This is consistent with long-standing bank regulatory positions that a bank cannot outsource its compliance risk management function to a third party.[7]

The practical impact of this requirement is that: (1) a bank engaging in fintech lending relationships must ensure that it has the appropriate fair lending monitoring policies, procedures, processes, and personnel to identify and address potential disparities in its lending decisions - even if those lending decisions are fully or partially operationalized by a fintech partner, and (2) fintechs participating in these lending relationships must provide the bank with all data and information necessary to perform such monitoring according to the bank's policies and procedures.

While this may seem rather straightforward, keep in mind that the detection of credit decision and loan pricing disparities requires both detailed loan application and origination data - as well as information and data associated with the fintech algorithms used in these decisioning processes. As highlighted above, the FDIC requires such testing to "consider actual underwriting and pricing factors used in connection with all CRB Decisions". This means that, for example, to identify statistically significant, unexplained credit decision disparities, the Bank would need to control for the effects of legitimate credit risk attributes actually used by the fintech partner in its credit decisioning algorithms. It cannot simply try to proxy for these attributes using a set of commonly-used credit risk factors (e.g., FICO score, DTI, PTI, etc.).
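To make the point about "actual underwriting and pricing factors" concrete, here is an added example (my own illustration, not code from the Consent Order, the FDIC, or CRB). It uses a small constructed set of credit decisions in which a hypothetical fintech rule approves an applicant only when `fico >= 620` and the fintech's proprietary `cashflow` score is at least 2. A bank that controls only for the commonly-used proxies (FICO and DTI) sees an unexplained approval-rate gap between the control group "A" and the prohibited-basis group "B"; a bank that controls for the factor the fintech actually uses sees the gap vanish. "Controlling for" is implemented as exact stratification on the chosen factors (a simplification of the regression-based testing a bank would normally run), and the example also performs the transaction-testing step of checking every decision against the stated rule. The group labels, field names, and decision rule are all assumptions of the example.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Sequence

# Constructed sample of credit decisions (hypothetical; not CRB or fintech data).
# Each record carries two proxy factors a bank might reach for (fico, dti) and the
# factor the fintech's model actually uses (cashflow score, 1..3). Group "A" stands
# for the control group and "B" for a prohibited-basis group.
DECISIONS: List[dict] = [
    {"group": "A", "fico": 700, "dti": "low",  "cashflow": 3, "approved": True},
    {"group": "A", "fico": 700, "dti": "low",  "cashflow": 3, "approved": True},
    {"group": "A", "fico": 700, "dti": "low",  "cashflow": 1, "approved": False},
    {"group": "A", "fico": 650, "dti": "high", "cashflow": 2, "approved": True},
    {"group": "A", "fico": 650, "dti": "high", "cashflow": 2, "approved": True},
    {"group": "A", "fico": 600, "dti": "low",  "cashflow": 3, "approved": False},
    {"group": "B", "fico": 700, "dti": "low",  "cashflow": 3, "approved": True},
    {"group": "B", "fico": 700, "dti": "low",  "cashflow": 1, "approved": False},
    {"group": "B", "fico": 700, "dti": "low",  "cashflow": 1, "approved": False},
    {"group": "B", "fico": 650, "dti": "high", "cashflow": 2, "approved": True},
    {"group": "B", "fico": 650, "dti": "high", "cashflow": 1, "approved": False},
    {"group": "B", "fico": 600, "dti": "low",  "cashflow": 3, "approved": False},
]


def fintech_rule(rec: dict) -> bool:
    """Hypothetical decision rule the fintech applies on the bank's behalf."""
    return rec["fico"] >= 620 and rec["cashflow"] >= 2


def approval_rate(records: Sequence[dict]) -> float:
    return sum(1 for r in records if r["approved"]) / len(records)


def raw_disparity(records: Sequence[dict], control: str = "A", protected: str = "B") -> float:
    """Unadjusted approval-rate gap, control group minus protected group."""
    by_group: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_group[r["group"]].append(r)
    return approval_rate(by_group[control]) - approval_rate(by_group[protected])


def controlled_disparity(records: Sequence[dict], control_fields: Sequence[str],
                         control: str = "A", protected: str = "B") -> dict:
    """Approval-rate gap averaged over strata defined by control_fields and
    weighted by stratum size. Strata containing only one group are skipped
    because no like-for-like comparison is possible there; 'covered' reports
    how many applications the comparison actually rests on."""
    strata: Dict[tuple, Dict[str, List[dict]]] = defaultdict(lambda: defaultdict(list))
    for r in records:
        strata[tuple(r[f] for f in control_fields)][r["group"]].append(r)
    weighted_gap, covered, compared = 0.0, 0, 0
    for groups in strata.values():
        if control not in groups or protected not in groups:
            continue
        n = len(groups[control]) + len(groups[protected])
        weighted_gap += n * (approval_rate(groups[control]) - approval_rate(groups[protected]))
        covered += n
        compared += 1
    return {"disparity": weighted_gap / covered if covered else 0.0,
            "covered": covered, "strata_compared": compared}


def policy_exceptions(records: Sequence[dict], rule: Callable[[dict], bool]) -> List[dict]:
    """Transaction test: decisions whose outcome does not match the stated rule."""
    return [r for r in records if r["approved"] != rule(r)]


if __name__ == "__main__":
    print("raw gap:", round(raw_disparity(DECISIONS), 3))
    print("proxy-controlled:", controlled_disparity(DECISIONS, ("fico", "dti")))
    print("actual-factor-controlled:", controlled_disparity(DECISIONS, ("fico", "dti", "cashflow")))
    print("rule exceptions:", policy_exceptions(DECISIONS, fintech_rule))
```

On this constructed sample the raw gap and the proxy-controlled gap are both about one third, while controlling for the cashflow score the fintech actually uses reduces the gap to zero, which is the difference between "unexplained" and "explained by legitimate factors" that the monitoring is meant to surface. The sample is far too small for a significance test; in practice the same stratified (or regression) comparison would be run over the full decision file, with a statistical test on the adjusted gap, and the `covered` count tells the reviewer how much of the portfolio the adjusted comparison really speaks to.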

Finally, while not entirely clear from the Consent Order language, the FDIC may also be requiring CRB to monitor potential fair lending disparities at the fourth-party merchant level. While requiring a bank to monitor a fourth-party merchant's loan application forms, marketing materials, and loan disclosures for compliance with "technical" fair lending compliance requirements is nearly always appropriate, monitoring for potential lending disparities at the individual merchant level would only seem relevant when such merchants exercise discretion over credit decisions and/or loan pricing - which may not always be the case. In any event, it would seem prudent that a bank would include an evaluation of such potential risks in its third-party due diligence process and, based on the results of this evaluation, develop appropriate fair lending monitoring controls.

""


The Bank's Responsibility for Fair Lending Corrective Actions For Fintech Partner Lending Disparities



The bank is expected to own the fair lending corrective action process for fintech fair lending decision disparities - including determining customer remediation approaches, payment of remediation amounts (where warranted), and implementing appropriate preventative controls to prevent a re-occurrence. This requirement may be at odds with the fintech partner's own fair lending corrective action policy, procedures, and processes.

Per the Consent Order, CRB is required to:

• Develop Fair Lending Policies and Procedures (consistent with the Third Party Compliance Policy and Procedures) to: "... determine the appropriate corrective measures and/or remedial action, including, e.g., restitution or Credit offers (Remedial Action) to address the apparent Discriminatory Practice and/or mitigation steps necessary to prevent reoccurrences of such apparent Discriminatory Practice; (iii) implement the appropriate corrective action and/or Remedial Action to address the apparent Discriminatory Practice; and (iv) establish appropriate mitigation steps to prevent reoccurrences of any apparent Discriminatory Practices;" (p. 18, emphasis mine)

• Develop Third Party Compliance Policies and Procedures that "require appropriate Remedial Action when apparent Discriminatory Practices by either a Third Party or a Third-Party Merchant are identified;" (p. 26, emphasis mine)

This requirement would certainly appear to heighten the potential for conflict between the bank and its fintech partner when the latter is contributing to the lending decisions on the bank's behalf - for example, by deploying algorithmic models to assess applicant creditworthiness. In such cases, the bank's assessment of potential fair lending disparities - as well as the bank's determination of potential customer remediations and other corrective actions - may differ from those of the fintech partner, thereby exposing the fintech lender to potentially greater legal, compliance, and reputational risks. For example,

• What if the bank's fair lending testing identifies disparities and the bank decides to self-report this matter to its regulator(s) - but the fintech disagrees with the bank's testing methodology and/or results?

• What if the bank requires the fintech to adopt changes to its data and/or algorithms as part of its corrective actions - but the fintech disagrees with these actions?

• What if the bank's customer remediation approach conflicts with the fintech's views on appropriate remediation?

• What obligation does the fintech have to disclose these fair lending disparities and corrective actions to other clients that may use similar fintech decision tools or processes?

Clearly, the bank taking the lead on fair lending corrective actions creates several thorny issues for the fintech partner that have the potential to cascade across its client base. Additionally, by now having to implement fair lending remediation and corrective actions across multiple clients - each of which may have a different policy and approach - the fintech lender's compliance risk management complexity may increase significantly, raising compliance costs materially.


* * *


ENDNOTES:


[1] Typically, although not exhaustively, these third-party fair lending risks involved potential discretionary price discrimination through mortgage broker fees or auto dealer mark-ups.


[2] A lender's credit box refers to the specific set of credit policy parameters that define acceptable credit risk - e.g., minimum credit scores, maximum debt-to-income ratios, etc.

[3] To be clear, per the Consent Order, the bank has the responsibility for evaluating the effectiveness of the fintech's fair lending compliance management system ("CMS") as part of its Third-Party Compliance Internal Controls. However, even if the bank deems the fintech's fair lending CMS to be effective, it cannot wholly rely on this CMS to manage its fair lending compliance responsibilities.


[4] I am not suggesting here that the bank may rely on the fintech's fair lending analyses if validated. Rather, if the bank intends to consider such analyses as part of its overall fair lending monitoring program, then there should be a factual basis established as to the reliability of such information.



[6] See FDIC Spring 2024 Consumer Compliance Supervisory Highlights (p. 12) - " ... institution management did not provide adequate oversight of the pricing and underwriting systems used by its third-party lenders. Relevant compliance personnel were not provided access to all variables used in the pricing and underwriting models the institution utilized to originate loans through third-party lenders. In addition, material changes to pricing and underwriting model criteria were made without review or approval from institution management."


[7] To be clear, a bank may outsource certain operational activities related to its compliance risk management program; however, such activities must be performed according to the bank's established policies and procedures governing such activities, and the bank must provide effective oversight of the third-party's services consistent with its third-party risk management policies and procedures.


© Pace Analytics Consulting LLC, 2023.
