Over the past few years, fintechs and the banks they partner with have increasingly run afoul of compliance regulations, and Sima Gandhi has seen the issues play out first-hand. In late 2021, she launched Creative Juice, a San Francisco fintech startup that provided creators like YouTube Influencers with digital banking services and funding of up to $500,000. Since Creative Juice lacked a bank charter, it partnered with Charlottesville, Virginia-based Blue Ridge Bank to hold customer deposits.
But the next year, the 130-year-old bank was accused by a federal regulator of “unsafe or unsound practices” in areas including risk management and anti-money-laundering practices. Blue Ridge entered into a consent order that required regulatory review for any new fintech partners it wanted to take on or new products its fintech partners intended to launch. Gandhi soon found it hard to get Blue Ridge’s timely approval for new Creative Juice product releases and marketing campaigns. “The strain our partner bank was under made it difficult for us to move at the speed we wanted to,” she says.
By 2023, she realized she needed to change bank partners, which would probably cost her six months to a year of work and severely restrict growth, a daunting prospect for an early-stage startup in the middle of a struggling fintech market. That fall, she decided to sell Creative Juice’s assets in a small acquisition to Rho, a six-year-old New York company that provides digital banking services to businesses. Rho absorbed some of Creative Juice’s larger customers, and Gandhi shepherded some of her sole-proprietor clients to Relay, a Toronto-based digital bank. “As a former founder, I never thought I’d find myself saying that compliance can be a key to innovation, but that’s exactly what I’m saying now,” Gandhi says.
The ordeal inspired her to start a membership organization called the Coalition for Financial Ecosystem Standards (CFES), where she’s now creating compliance guidelines for fintechs. She aims to help startups and their bank partners avoid the missteps of recent years, which have led to everything from the dramatic collapse of Synapse (with thousands of consumers losing access to their money) to a surge in regulatory enforcement actions against fintech sponsor banks. “Fintechs need to step it up and understand that regulatory requirements are real. Compliance rigor is an expectation. And until now, we have not had aligned expectations around what that looks like,” she says.
Gandhi is partnering with Washington, D.C., compliance consulting firm FS Vector to create guidelines in areas including Bank Secrecy Act and anti-money-laundering (AML) regulations, marketing, compliance management software, complaint handling and operations risks.
Given her background, Gandhi’s new regulatory project isn’t so surprising–her career has spanned law, government and tech. She earned an engineering degree from Stanford and a law degree from NYU, then did stints as a tax lawyer and a policy advisor at the Department of Treasury during the Obama Administration. In 2015, she joined Plaid as its 15th employee and rose to become its head of business development, policy and strategy before leaving in 2020 to start Creative Juice.
Gandhi began working on CFES in March 2024 and has since convinced eight fintech companies to sign on, pay annual membership dues and provide feedback on the guidelines she’s developing with FS Vector. Rho became the first CFES member. Jack Dorsey’s Block, payments giant Stripe, corporate credit card company Brex and digital banks Mercury and Relay are also members.
Relay, which provides banking services like checking accounts to small businesses, previously used Synapse and Evolve as its technology and banking partners. But when Relay CEO Yoseph West saw how the companies handled know-your-customer and know-your-business regulations, he grew nervous. He began moving off Synapse in January 2022, a process that ultimately took two years, cost millions of dollars and caused Relay to lose around 5% to 10% of its customer base, West estimates. Fortunately, he got out just in time, before Synapse failed and customers were left scrambling for funds.
Now West sees CFES as a way to create a compliance manual for startups. “One of the challenges we all have today–in a world where there isn’t a regulatory standard–is trying to define what excellence looks like,” he says. He thinks CFES’ guidelines will be “transparent for the bank, transparent for us, and hopefully for regulators. That enables us to serve our customers better, so we’re not spending time trying to define the standards.”
Gandhi wants CFES’ guidelines, which she’s still developing and hopes to start scoring fintechs on this fall, to raise the bar for fintech compliance and introduce more accountability. An example of one standard she has tentatively landed on: All fintech startup employees should receive anti-money-laundering training at least once a year.
Another CFES draft guideline is that a CEO needs to appoint a Bank Secrecy Act officer who leads compliance. Historically, nascent startups have often used outside consultants for compliance support. Rho, for instance, initially relied on consultants and hired a head of compliance in 2021, more than a year after its launch, when it had roughly 1,000 customers.
But today, Rho CEO Everett Cook says startups need an in-house compliance leader much earlier. “Given the shift in the regulatory environment over the past five years, I’d recommend that any new fintech companies staff dedicated compliance pre-launch.” Gandhi declines to draw a clear line for when startups need to make this hire and says, “The key factor is that there is a plan, early on, even if that plan is not a full-time compliance officer.”
Startups also need to take customer complaints extremely seriously. When fintechs receive complaints, they often need to tell their bank partner, especially if those complaints touch areas like fair and equal-opportunity lending, according to other draft CFES guidelines. Startups should also store those complaints securely and permanently.
Gandhi wants fintechs to adopt her standards voluntarily and regulators to embrace them, in the same way that SOC2 standards provide a voluntary cybersecurity compliance framework that has been widely adopted by companies and regulators. Eventually, Gandhi believes the standards could form the basis of regulatory rules, perhaps issued by the Federal Financial Institutions Examination Council (FFIEC), an interagency group of bank regulators. “If we’re doing it well and rigorously, then we’re laying out a path for what good regulation should look like,” she says.
After the guidelines are developed, Gandhi also wants fintechs to hire qualified compliance advisory firms to audit them, scoring them on a scale of one to five on different CFES dimensions. Small, early-stage companies will likely draw low scores on some measures, but the guidelines will presumably help them set goals and decide where to focus. And if a 10-year-old company scores poorly, the audit will identify what it needs to address. “Each year, as a company is assessed and it grows, there’s going to be a conversation around whether its score needs to be moving up,” she says. She wants the standards to spawn more frequent and productive compliance discussions between fintechs and their bank partners.
While Gandhi is targeting fintechs to adopt her guidelines, a five-year-old consortium, Alloy Labs, is already setting standards for banks that partner with fintechs. Led by former consultant and financial services executive Jason Henrichs, Alloy has a membership of nearly 90 banks that have nearly $500 billion in combined assets. Gandhi says she’ll be taking Henrichs’ input as she develops CFES’ standards, and Henrichs says he’ll direct startups to CFES if he comes across any that need to improve their compliance practices.
Gandhi points out that the health of bank-fintech partnerships isn’t just important for startups. It helps the small banks that partner with the fintechs. In the third quarter of 2023, banks with fintech partnerships grew their deposits 2.2%, while other American banks with less than $10 billion in assets saw a 0.8% decline, according to research from S&P Global.
Read the full article here
