Looking Ahead to 2025

Financial technology — or fintech — companies will continue to receive increased regulatory scrutiny in 2025. The latter half of 2024 saw a rise in regulatory guidance and enforcement activity relating to fintechs and the banks that partner with them to offer depository consumer financial services. Although federal activity is slowing down (at least initially) with the new administration, state regulators such as the California Department of Financial Protection and Innovation (DFPI) and New York Department of Financial Services (DFS) have signaled they will pick up the slack.

The Federal Deposit Insurance Corporation (FDIC) may provide further guidance on bank-fintech arrangements after considering the results from its July Request for Information (RFI) seeking information and comment on bank-fintech arrangements.

Prudential regulators will continue to pursue enforcement actions focused on fintechs’ anti-fraud and anti–money laundering policies, as well as their protection of confidential consumer data.

Key Trends From 2024

In 2024, Goodwin tracked seven enforcement actions regarding fintech companies and/or products by federal and state regulators, some of which involved deceptive disclosures and junk fees, among other issues. Federal agencies were active this year in issuing additional commentary and guidance on bank-fintech partnerships, and the Consumer Financial Protection Bureau (CFPB) continued to expand the breadth of its oversight, finalizing its rule giving it supervisory authority over large nonbank companies.

In the News

Federal financial agencies were active in issuing statements and commentaries specific to fintechs in 2024, covering a range of issues from recordkeeping to data security.

CFPB Finalizes and Adopts Rule Granting It Supervisory Authority Over Nonbank Companies

The biggest update of 2024 was the finalization and adoption of the CFPB’s rule, originally proposed in 2023, that grants it supervisory authority over nonbank companies and continues the CFPB’s efforts to “define larger participants operating in markets for consumer financial products and services.” The rule, which was published in the Code of Federal Regulations (CFR) at 12 CFR Part 1090, went into effect in January 2025 and grants supervisory authority over nonbank companies processing more than 50 million transactions per year, such as major digital wallet and payment apps. The CFPB will be able to supervise these companies with respect to privacy and surveillance, payment errors and fraudulent activity, and accusations of debanking.

FDIC, Federal Reserve, and OCC Issue Additional Guidance on Risks in Bank-Fintech Partnerships

In June 2023, the FDIC, the Federal Reserve Board of Governors, and the Office of the Comptroller of the Currency (OCC) issued interagency guidance for managing the “risks associated with third-party relationships, including relationships with financial technology companies.” This guidance rescinded and replaced prior individual guidance from each of the agencies and indicated that the agencies would view third-party vendors and partners of a bank as extensions of that bank with respect to compliance with applicable laws and regulations.

This past July, the agencies issued additional guidance on this subject by issuing a joint statement outlining the potential risks inherent in arrangements between banks and third parties that deliver bank products and services; they also provided potential risk management practices for banks to implement to address those risks. The joint statement identified several areas of operational risk, including potential inadequate complaint administration and error resolution processes, which may limit a bank’s ability to effectively identify and address issues affecting end users of deposit accounts. The joint statement was accompanied by an RFI published in the Federal Register, which described the types of bank-fintech partnerships currently in use, as well as potential risks associated with those partnerships, such as end-user confusion, meaning consumers’ inability to identify the capacity in which the bank or fintech company is acting with respect to a service provided, and confusion over which entity is contractually accountable for different aspects of the end user relationship. The RFI also invited comment on existing risk management policies and practices to handle these and other potential issues. The response and comment period for the RFI ended in October 2024, and the agencies have not issued any further statements since the comment period closed.

In addition, in September, the FDIC approved a notice of proposed rulemaking that would impose additional recordkeeping requirements for bank deposits received from third-party nonbank entities such as fintechs. The proposed rule includes a requirement that the FDIC-insured depository institutions reconcile the account for each individual owner on a daily basis, even if a third party is maintaining the records. The proposed rule was endorsed by the CFPB, with former Director Rohit Chopra noting that the rule would provide consumers with additional protections with respect to nonbank companies that “want the public benefits of being a bank or credit union, without the public obligations.”

The CFPB Expresses Concerns About Financial Institutions’ Reliance on Cloud Service Providers, and Treasury Department Provides Resources for Secure Cloud Services

In July, the U.S. Department of the Treasury and the Financial Services Sector Coordinating Council announced resources for financial services institutions to use in identifying and adopting secure cloud services, including standards for establishing best practices for third-party risk associated with cloud service providers, outsourcing, and due diligence processes, and advice on improving transparency and monitoring of cloud services for better “security by design.” Following this announcement, former CFPB Director Chopra gave a statement articulating the financial security concerns behind the new resources. In particular, he pointed out that dependence upon a few major service providers that are not regulated financial entities carries risks in the event of service disruptions. The new resources are intended to moderate cybersecurity risks associated with cloud storage of financial data and to mitigate the danger that consumers could be unable to access their funds in the event of a widespread cloud service outage.

2024 Enforcement Highlights

California Department of Financial Protection and Innovation Issues Consent Order Against Fintech Company Over Alleged Deceptive Convenience Fees

In January 2024, the California Department of Financial Protection and Innovation (DFPI) entered into a consent order with Credova Financial LLC, a Delaware fintech company that provided California consumers with access to an internet-based platform for merchants to offer installment payments for the purchase of outdoor adventure equipment. According to the consent order, since at least January 2021, Credova has contracted with a third-party servicer to service all installment payment contracts with the company’s customers. Before a customer’s first payment was due, the servicer provided information to them on how to make payments without incurring fees, and it also provided information on alternate ways to make payments (e.g., by phone, through the servicer’s website, or by setting up recurring electronic payments), all of which incurred a convenience fee. Although Credova ensured that its customers had an option to make fee-free payments, for a period of time, Credova allegedly failed to inform customers about the convenience fees they might incur until after the customers were already contractually bound. The DFPI categorized these convenience fees as junk fees that Credova was obligated to disclose up front per the California Consumer Financial Protection Law. During the investigation, Credova updated its online form contract to revise its disclosures, and under the terms of the consent order, the company also agreed to pay a $50,000 penalty.

The FTC Resolves Allegations Against Fintechs Allegedly Making Deceptive Loan Promises Related to the Pandemic

In March, the Federal Trade Commission (FTC) announced that it had entered into consent orders with Biz2Credit and another fintech firm over allegations of misconduct tied to the firms’ involvement in federal COVID-19 Paycheck Protection Programs (PPP). The FTC accused the firms of making false, misleading, or unsubstantiated claims regarding application processing time; unfairly blocking consumers from applying with other lenders; and making false, misleading, or unsubstantiated claims regarding PPP loans.

The FTC alleged that Biz2Credit promised to process applicants’ emergency PPP loan applications in 10 to 14 days but often took twice as long, prejudicing consumers’ ability to access the first-come, first-served PPP funds. Consumers who asked to withdraw their applications were also allegedly ignored. Biz2Credit agreed to a $33 million monetary judgment to settle the FTC’s allegations.

The other firm agreed to pay $26 million to settle the FTC’s allegations that it falsely advertised to small businesses with limited resources that it had automated processes and good customer service that would help those businesses secure PPP loans fast and that it failed to deliver on those promises, resulting in millions of eligible consumers never receiving PPP funds because of glitches and flaws in the firm’s system.

FDIC Enters Into Consent Order With Banking-as-a-Service Bank

In May, the FDIC entered into a consent order with Thread Bank, which offered “banking-as-a-service” support to multiple fintech applications. The FDIC alleged that Thread, which experienced rapid growth from 2021 onward, failed to scale up its internal operations to match its growth. Under the consent order, Thread agreed to expand its risk assessment and management programs, including by implementing a documented risk assessment of its fintech partners. Thread also agreed to terms requiring its board members to approve risk tolerance thresholds for each individual fintech partner “based on an enterprise-wide financial analysis of each fintech partner’s financial projections under expected and adverse scenarios.”

CFPB Enters Into Several Consent Orders With Fintech Entities

In May, the CFPB announced that it had entered into a consent order with a financial technology company, resolving allegations that the company committed unfair acts or practices in violation of the Consumer Financial Protection Act (CFPA) by failing to provide consumers who closed their accounts with timely balance refunds. The company, which partners with banks to offer financial products, is responsible for processing account payments and for most consumer communications. Once a consumer’s checking or savings account is closed, it is also responsible for returning funds to consumers by check within 14 days in accordance with the company’s policy. The CFPB alleged that failures to provide timely refunds, sometimes delayed by more than 90 days from the closure of an account, caused or were likely to cause substantial injury in the form of lost use of funds. Under the terms of the consent order, the company agreed to reserve or deposit $1.3 million into a segregated deposit account for the purpose of providing redress to affected consumers. The company also agreed to pay a civil money penalty of $3.25 million into the CFPB’s victims relief fund.

In October, the CFPB also entered into separate consent orders with a large tech company and its partner bank over a joint credit card venture. The CFPB alleged that the credit card, which combined the tech company’s software with the credit backing of the bank, was launched prematurely, resulting in technical issues that harmed consumers. The CFPB alleged that the tech company failed to send cardholder transaction disputes to the bank for resolution and also failed to adequately disclose material aspects of the payment plans it offered cardholders. And when the bank did receive transaction disputes from the tech company, the CFPB accused it of violating federal regulations including the Truth in Lending Act (TILA) and Regulation Z by failing to resolve the disputes within the required time and notify consumers of the resolution, failing to conduct reasonable investigations in some instances, and holding consumers liable for amounts at issue in claims of unauthorized use before conducting a reasonable investigation. Under the consent orders, the tech company agreed to pay a $25 million civil money penalty, and the bank agreed to pay $19.8 million in redress to consumers and a $45 million civil money penalty.

CFPB Sues Operator and Co-Owners of Zelle

In December, the CFPB sued Early Warning Services LLC (EWS), the owner and operator of the Zelle peer-to-peer payment network, and three banks that co-own EWS. The CFPB claims that EWS and the banks rushed to launch Zelle in 2017 in order to compete against other payment apps and, as a result, did not implement “effective anti-fraud measures.” The CFPB alleges that Zelle and the banks violated the CFPA and the Electronic Fund Transfer Act (EFTA) by failing to implement sufficient identity verification; adequately share information about known fraudulent transactions, which allowed repeat offenders to continue using Zelle; and investigate consumer complaints and take appropriate action for fraud and errors under EFTA.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.