California’s Hatch Consent Order Suggests States May Be Eyeing BaaS Risks

Highlights

The fragmented nature of banking-as-a-service has led to compliance risks, making strong risk management and partner oversight essential to long-term viability.

FinTech sponsor banks have faced regulatory scrutiny due to growing too fast without sufficiently scaling their compliance infrastructure.

Hatch Bank’s consent order from California’s DFPI — rather than a federal agency — could mark a shift in regulatory dynamics, suggesting state regulators may be considering the potential to play a larger role in FinTech oversight.

FinTech sponsor banks have had a difficult 18 months.

Tasked with mediating between the speed of the tech world and the caution of the regulatory sphere, many banks powering banking-as-a-service (BaaS) solutions have found themselves under the barrel of consent orders from the Federal Deposit Insurance Corp.

Each bank attempted to scale a FinTech partnership model faster than its compliance infrastructure could keep up, requiring enhancements to risk management, Bank Secrecy Act and anti-money laundering compliance, and board oversight.

Most recently, Hatch Bank in California entered into a consent order with the California Department of Financial Protection and Innovation (DFPI).

The order, dated early April but recently made public, outlines a set of time-sensitive mandates to correct what regulators called “unsafe or unsound banking practices” and “deficiencies” in Hatch’s BSA and AML compliance programs.

These failings are tied directly to Hatch’s increasingly complex relationships with third-party FinTech partners, per the order.

Hatch Bank isn’t alone in navigating these challenges. What makes its consent order noteworthy, however, is not only its substance but its source. Unlike most BaaS-related enforcement actions over the past two years, which were typically issued jointly by a federal regulator (such as the FDIC or Federal Reserve) and a state banking department, this order comes solely from the DFPI.

That detail may seem procedural at first, but it could signal a strategic shift in how state agencies, especially in FinTech-heavy jurisdictions like California and New York, intend to assert their authority over the emerging financial landscape amid ongoing dynamism at the federal level.

A New Chapter in FinTech Oversight?

While the BaaS model is attractive to banks and tech companies for its potential to scale quickly and reduce barriers to entry, it carries inherent risks. Unlike traditional banks, which maintain direct customer relationships, BaaS sponsor banks often serve as the back-end platform, relying on third-party FinTechs to onboard customers, manage compliance processes and monitor transactions. This fragmentation of responsibility is what makes the model efficient, yet it is also what makes it vulnerable to compliance lapses.

Founded in 1982 as Rancho Santa Fe Thrift and Loan, Hatch Bank operated for decades as a traditional community financial institution. In 2018, the bank’s board of directors decided to reposition the bank as a modern infrastructure provider for digital finance. By 2019, it rebranded as Hatch Bank, aligning its identity with the BaaS model that allows FinTechs to offer banking products such as checking accounts, savings and lending under the hood of a regulated charter.

Hatch Bank did not immediately reply to PYMNTS’ request for comment.

Jer Wood, the executive who spearheaded Hatch’s BaaS pivot and FinTech expansion, ultimately left the bank in January 2024 and has since joined Cash App as head of lending strategy, partnerships and operations.

The California DFPI consent order focuses on Hatch’s risk management infrastructure, specifically on how the bank evaluates and monitors its FinTech partners and the customer activity they bring into the bank’s systems.

Hatch must revise its enterprise-level money laundering and terrorist financing risk assessment to reflect the realities of its FinTech-driven business model, including partner types, customer demographics, transaction volumes and geographic exposure.

The bank must also conduct ongoing reviews of every FinTech or vendor partner that supports key BSA functions such as know your customer (KYC), monitoring and case management. Hatch must also obtain written DFPI approval before launching new business lines, branches or offices.

“Hatch Bank remains dedicated to being a trusted sponsor bank and empowering the growth and success of our partners. The order has no impact on our ability to support current partners and does not require regulator review or approval to onboard new lending partners either. Hatch has a very focused strategy — to be a great bank sponsor for fintech lenders and this order has no impact on our ability to deliver on our strategy,” the bank said in a statement to PYMNTS.

A Moment of Inflection

Historically, federal agencies have led the charge on BSA and AML enforcement. However, as FinTech business models become more intertwined with state-chartered institutions, and as the public appetite for stronger consumer protections grows, states are beginning to carve out a more assertive role.

“The regulators are now awake,” Thredd CEO Jim McCarthy told PYMNTS last year.

“At the end of the day, it’s the banks that sponsor these banking-as-a-service programs that will be the ones that are impacted … so they will take this all quite seriously,” he added.

If one lesson emerges from the Hatch Bank saga, it’s that compliance isn’t just a cost center; it’s a strategic imperative.

How BaaS firms navigate elevated regulatory scrutiny will determine whether that scrutiny becomes a headwind or a tailwind, Ingo Payments CEO Drew Edwards wrote in the PYMNTS eBook “Beyond the Horizon: How to Identify Unexpected Threats That Could Impact Your Business.”