
Hatch Bank enters into consent order

Posted on 27 May 2025

Hatch Bank, a California institution specializing in Banking-as-a-Service (BaaS), entered into a consent order with the California Department of Financial Protection and Innovation (DFPI) to drastically change and improve its Risk Assessment and Know Your Customer (KYC) practices. A consent order is a binding document made by a court that formalises an agreement between parties.

Background 

Hatch Bank, originally established in 1982 as ‘Rancho Santa Fe Thrift and Loan’, transitioned into the BaaS space in 2019. By partnering with fintech companies, Hatch provided backend banking services, enabling these firms to offer financial products without holding a banking charter themselves.

Regulatory findings 

The DFPI's consent order stemmed from a joint examination conducted with the Federal Deposit Insurance Corporation (FDIC) in March 2024. The examination identified "unsafe or unsound banking practices" and violations related to the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. These issues were primarily associated with Hatch's oversight of its fintech partners and the management of third-party relationships.

Mandated actions 

Hatch Bank is required to undertake several corrective measures:

  • Risk assessment overhaul: Within 60 days, Hatch must revise its enterprise-wide risk assessment to accurately reflect the complexities introduced by its fintech partnerships, including customer demographics, transaction volumes, and geographic exposures.
  • AML/CFT program enhancement: Within 90 days, the bank must update its AML and Countering the Financing of Terrorism (CFT) programs to address identified deficiencies.
  • Third-party oversight: Hatch is to conduct periodic reviews of all third-party relationships, especially those involved in critical compliance functions like KYC processes and transaction monitoring.
  • Staffing and training: The bank must assess and ensure that it has adequate staffing with the necessary expertise to manage its compliance obligations effectively. 
  • Regulatory approvals for expansion: Prior written approval from the DFPI is now required before Hatch can engage in new lines of business or establish new branches or offices. 

Implications for BaaS and FinTech 

This development may indicate a growing willingness among state regulators, especially in fintech hubs like California and New York, to take a more proactive role in overseeing BaaS activities. Hatch Bank's experience underscores the importance of robust compliance frameworks in the rapidly evolving fintech landscape. As partnerships and supply chains become more complex, banks must ensure that their risk management and compliance programs are sufficiently agile and comprehensive to address emerging challenges.  

 
