July 25, 2024

Considerations for RDFIs with Fintech Relationships

When an RDFI enters into a relationship with a fintech that provides consumers or businesses (“customers”) with an account the customer can use to receive ACH transactions, the RDFI should consider the specific roles and responsibilities that the fintech will perform and the implications for both onboarding the fintech and ongoing monitoring and oversight of the relationship. Such arrangements can encompass a wide range of fact patterns, and the RDFI’s relationship with the customer of the fintech platform can range from a direct relationship where the RDFI holds an account in the customer’s name to one in which the RDFI deals solely with the fintech intermediary and has no relationship with the fintech’s customer. 

Nacha’s Risk Management Advisory Group (RMAG) recommends a documented process for onboarding these relationships that differentiates among key relationship structures and aligns with the risk appetite of the RDFI. The RDFI should carefully consider its role in the ACH transactions that will take place as a result of establishing the fintech relationship, and consider risks that could impact the customer’s access to funds held by the RDFI under the various models. In particular, an RDFI should assess what, if any, obligation the RDFI will have to provide access to funds if the fintech fails or is otherwise unavailable, including reputational risks to the RDFI even if it is not under a strict legal duty to deliver funds other than at the instruction of the fintech intermediary. 

In addition, in some models the fintech may be a Third-Party Service Provider to the RDFI, in which case the RDFI should follow its supervisory agency’s guidance and the Nacha Operating Rules with respect to such relationships. In all cases, RDFIs should be mindful of the growing wave of agency enforcement actions related to insufficient diligence and oversight of fintech relationships, particularly those involving Banking as a Service (“BaaS”) platforms.

Because RDFI risks vary significantly depending on program structure, a critical first step is for the RDFI to define the types of program structures that fall within its risk tolerance and the types of diligence and oversight that it will associate with each such program structure. The more the RDFI has direct obligations to customers but is dependent upon the fintech to perform those obligations, such as in certain BaaS models, the greater the risk to the RDFI.

For that reason, an RDFI might consider establishing within its agreement with a fintech intermediary the key responsibilities that the fintech must perform in processing ACH Entries and Returns, in addition to other compliance areas such as anti-money laundering and compliance with consumer protection regulations. For example, an RDFI may consider the following in connection with the ACH elements of its fintech relationships:

  • The nature, format, and medium of Entries, or Entry information, to be furnished by the RDFI.
  • The requirements of the Nacha Operating Rules and Regulation CC regarding the availability of funds to a Receiver.
  • The requirements of the Nacha Operating Rules and applicable regulations regarding information about Entries that must be provided to a Receiver.
  • A Receiver’s Regulation E rights with respect to unauthorized transactions.
  • The requirements of the Nacha Operating Rules with respect to the return of unauthorized transactions, including the requirement to obtain a completed Written Statement of Unauthorized Debit, and the timing of returns.
  • Each party’s role and responsibilities in processing both unauthorized returns and administrative returns, recrediting accounts, as well as Notifications of Change, dishonored Returns, refused Notifications of Change, and requests for Stop Payments.
  • The responsibility to monitor incoming credit Entries suspected of being initiated due to false pretenses (as of the effective date of the new rules – either March or June 2026).
  • The RDFI’s procedures for terminating its receiving agreement to provide a deposit account, and time frames under which the processing of Entries under the receiving agreement will cease.
  • The ability of the RDFI to get access to data necessary to reconcile funds flows, address garnishment and related process against customer assets, as necessary, and make disbursements where required to do so.
  • The ability of the RDFI to effect reclamations.

Where the fintech or other entity is the Receiver at the RDFI, rather than the ultimate customer, the RDFI could consider what contractual obligations to place on the fintech to replicate the rights and protections the customer would have had if the customer were the Receiver. Such pass-through obligations may depend on the nature of the fintech relationship and its role in acting on behalf of customers.

The above list is not intended to be exhaustive. The nature of the fintech-bank relationship can be complex and is governed not only by the Nacha Operating Rules but also by federal and state laws and regulations. In all cases, however, a deliberate consideration of program structure and the management of customer relationships with the RDFI and its fintech intermediaries will better enable the RDFI to manage the ensuing risks.

For further information and an opportunity to weigh in on this topic, see the joint statement published by the federal banking agencies.