June 19, 2024 - Brenda Banks

9 Important Lessons from Evolve Bank & Trust’s Cease and Desist

Over the weekend, Evolve Bank & Trust received challenging news in the form of a significant 23-page Cease and Desist (C&D) order primarily focused on AML (Anti-Money Laundering) and OFAC (Office of Foreign Assets Control) compliance issues. It’s an unfortunate but not uncommon sight in today’s Banking-as-a-Service (BaaS) compliance landscape. At least five other financial institutions (FIs) faced cease-and-desist orders on similar grounds in 2023. S&P Global noted that this was the highest share of total enforcement actions that BaaS institutions have accounted for since 2020.

This development, while distressing, presents a crucial learning opportunity for BaaS banks and their partners. To avoid this happening to your FI, take these 9 important lessons with you to better understand the implications of compliance issues and what you can do to get compliant immediately.

What does a cease-and-desist order mean?

By definition, a cease and desist order from a government agency is a written demand that the recipient immediately stop an illegal activity they have been taking part in. In the case of BaaS cease and desists, this essentially means that the compliance practices of the recipient have fallen outside the legal requirements.

Once a cease-and-desist order has been issued to a BaaS provider, they must stop any BaaS activities they have ongoing and cannot begin new BaaS lines of business. They are also often ordered to remediate issues that still exist in the BaaS services they have been required to stop providing.

When does the FDIC issue cease and desists against BaaS entities?

Before the FDIC will issue a cease and desist, an examiner must first audit the compliance practices of the FI in question against the regulatory requirements. Here’s the official explanation from the FDIC’s own documentation on formal administrative actions:

Section 8(b) of the FDI Act authorizes the FDIC to issue a cease and desist order against a state nonmember insured bank or an IAP when facts reasonably support that:
• The institution or IAP is engaging, or has engaged, in unsafe or unsound practices;
• The institution or IAP is violating, or has violated, a law, rule, or regulation; any condition imposed in writing by the FDIC with regard to the approval of a request or application; or a written agreement entered into with the FDIC; or
• There is reasonable cause to believe the institution or IAP is about to do either of the above.

If the examiner finds that a BaaS provider is, as the Fed stated in the Evolve cease and desist order, “engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships,” the result will be a cease and desist.

These orders typically arrive about 7-9 months after the examiner audit, but that window can vary depending on the unique circumstances of each situation.

9 key lessons for BaaS providers to learn from Evolve’s cease and desist

1. Fintech partners bear the responsibility of compliance too, not just sponsor banks

Fintechs working with sponsor banks have to recognize that BaaS regulatory obligations extend beyond their sponsor bank partner and to them directly. Even within the nascent regulatory framework governing payment processors and fintech firms, adherence to AML and OFAC guidelines is imperative nonetheless.

2. Ensure you have enough compliance staffing and expertise

A significant shortfall identified in Evolve’s cease and desist order was inadequate staffing and expertise dedicated to AML compliance. Banks and fintechs alike have to invest in qualified personnel capable of managing complex regulatory requirements effectively, or things can fall out of compliance quickly.

3. Implement board governance and prove oversight of fraud and AML processes

The role of boards in overseeing AML and compliance matters can’t be overstated. Board engagement and competence in understanding and addressing AML risks prevents critical compliance failures that lead to cease and desist orders. Boards that neglect these responsibilities risk not only facing those significant regulatory penalties, but operational challenges as well.

4. Prove your sponsor bank has autonomy in decision-making

Banks need to have genuine autonomy and meaningful decision-making authority in implementing compliance measures. Clear lines of authority are crucial to ensuring compliance effectiveness and responsiveness to regulatory mandates.

5. Confirm the quality of threat analysis and risk assessment tools

The ability to reliably conduct comprehensive threat analyses concerning fintech partnerships is a critical requirement that regulators spell out for sponsor banks. This involves evaluating the risks associated with each partner, product, service, or customer to proactively mitigate potential compliance risks.

6. Shore up communication between sponsor bank and partners for operational effectiveness

Lack of communication between sponsor bank and fintech partner is common and usually plays a key role in BaaS compliance failures. Specific directives in compliance regulation regarding ledger and sub-ledger activities highlight the importance of meticulous operational oversight and documentation. Fintech partners must align closely with their sponsor banks in meeting these operational standards to avoid regulatory scrutiny and operational roadblocks.

7. Complete a comprehensive program review BEFORE you face an examiner audit

As part of the cease and desist, Evolve was mandated to conduct a comprehensive review of its AML program’s effectiveness. Conducting one of these comprehensive reviews before things get to a formal administrative penalty phase can only benefit your compliance situation.

8. Prioritize OFAC compliance

On the whole, the cease and desist order issued against Evolve reaffirms the critical importance of reliably proving your FI has robust AML and OFAC compliance frameworks. Operationalizing the Treasury’s OFAC framework is crucial, necessitating meticulous adherence to sanctions programs. Fintech firms need to understand their responsibility in implementing robust OFAC compliance measures, regardless of their direct regulatory oversight.

9. Reevaluate capital management strategies

Traditionally, capital requirements and management strategies for sponsor banks have been linked to asset size. This framework, however, often inadequately addresses the operational risks inherent in BaaS models. The Fed’s proactive stance in addressing this gap signals potential future regulatory measures aligning capital adequacy directly with operational risk profiles. Fintech partner banks need to proactively evaluate their capital adequacy frameworks and align with evolving regulatory expectations.

Putting these lessons into practice

As regulatory frameworks continue to evolve, fintechs and their sponsor banks must collaborate closely to enhance compliance standards, mitigate operational risks, and uphold regulatory integrity. The lessons we can take from Evolve Bank & Trust underscore the necessity for proactive governance, robust risk management practices, and strategic alignment with regulatory imperatives to foster sustainable growth and resilience in an increasingly regulated financial environment.

For those navigating these challenges, seek expert guidance and stay abreast of regulatory developments. This proactive, forward-focused approach will be crucial to achieving compliance excellence and operational success in BaaS partnerships.

Looking to take the right next step toward ensuring your BaaS organization’s compliance with regulatory requirements? Here are a few helpful resources we’ve created to set you on the right path:

about Brenda Banks
Brenda is VP of BaaS & BSA at DataVisor. She has more than a decade of experience in digital identity verification, compliance, disputes, fraud, sanctions screening, and crucially, sponsor bank program builds. This experience fuels her passion to help sponsor banks and their fintech partners gain compliance in fraud prevention.