Working with Fintechs: Who “Owns” the Customer?

This article was originally published by Alabama Banker’s Association in Volume 33, Issue 1 of Banking Traditions Magazine.

Community banks and financial technology companies (FinTechs) who partner together often have competing views about who owns the customer relationship. The divergent views can present the full range of risk – financial, strategic, operational, compliance and reputational – to the bank, who should take care to appreciate that FinTechs are not your average service provider.

The Bank View

FinTechs can help community banks expand their product offerings and customer base rapidly across geographies and demographics, all while generating handsome non-interest income for the bank. FinTechs are highly adept at innovating traditional bank products and offering them online or through mobile applications. In a typical FinTech program, the FinTech generally:

• • Identifies, markets to, screens and qualifies prospective customers
  • Establishes the customer account and delivers the product or services
  • Services the relationship on behalf of the bank

It does this all under the FinTech's "brand" and delivery channel. The terms and conditions of the bank-FinTech relationship, including the parties' obligations to each other, are generally set out in a program agreement that describes the FinTech as a service provider to the bank. As a result, banks tend to view FinTech partnerships through the third-party service provider lens, a view consistent with that of state and federal bank regulators and subject to specific regulatory guidance.

The FinTech View

FinTechs, by contrast, view bank partners as their service providers. That is, the FinTech creates innovative products aimed at specific customers, identifies and markets to those customers, delivers the products, services the relationships, and keeps all of the records, cradle to grave. It does so largely in its own name and through its own technology. Often, the bank partner has no direct interaction with the customer, other than providing the technical link between the FinTech application used by the customer and the larger financial system and being disclosed as the legal provider of services in the account documentation. The FinTech pays the bank significant monthly fees to supply the linkage. In the FinTech view, the customer "banks" with the FinTech and looks to the FinTech – not the bank – for current and future products and services. If the relationship between the bank and the FinTech breaks down, the FinTech moves the customer relationship to a new bank and the customer knows no difference.

The Legal View

The difference between the bank and FinTech view of who "owns" the customer – in the consumer programs that use the dominant FinTech model – runs squarely into consumer privacy laws, including GLBA and Regulation P. Those laws generally provide that consumer customer information may only be used by the financial institution with the customer relationship, and then only for the purpose given by or obtained from the customer. There are exceptions to the limitation, but even they are generally anchored to the consumer's financial institution. From a privacy law perspective, once a FinTech establishes a customer relationship under a bank partner program, the bank – not the FinTech – is the "financial institution" for privacy reasons. From a privacy law perspective, then, the bank "owns" the customer relationship.

Why Does It Matter Who Owns the Relationship?

In a FinTech program, there are generally three relevant blocks of time in the customer life cycle:

• • The marketing period, during which the FinTech is identifying and marketing to prospective customers, and the bank has visibility into the process or any legal relationship with the consumer
  • The service period, during which the FinTech is interacting with the consumer customer as a service provider to the bank
  • The second marketing period, during which the FinTech is marketing to the consumer additional, non-bank services

Because the second marketing period generally relies on experience-related information stemming from customers' transactions with the bank (acquired during the service period), the marketing activity generally falls outside of a privacy law exception. That is, because the bank is the "financial institution" for privacy law purposes, and the FinTech's marketing activity in the second marketing period is not in furtherance of a transaction initiated by the customer with the bank or for purposes of marketing the bank's products and services, the FinTech's use of customer data in the second marketing period may violate privacy laws. Importantly, since the burden of consumer compliance (here, protection of customer data) rests with the financial institution (i.e., the bank), the FinTech's violation effectively constitutes the bank's violation. As a result, who "owns" the relationship in a bank partnership has direct compliance risk for the bank given the way FinTechs often run their programs.

What To Do?

Given the regulatory issues FinTech partnerships can present for banks, banks should take care to understand the nature and manner of the activity conducted and carefully tailor the program agreement to align with the bank's regulatory burden. Indemnities, guaranties and program monitoring rights often play a role, and the cost of program oversight can sometimes eat away at those hefty non-interest income payments.

Chris Couch is a partner in the Birmingham office of Phelps Dunbar, where he advises banks and FinTechs in regulatory matters, payment systems, privacy and BSA/AML matters, including the structuring of bank partner agreements.