CRS Considers How Bank-Fintech Partnerships Affect Regulatory Obligations
The Congressional Research Service ("CRS") reviewed how bank-Fintech partnerships are affecting compliance obligations concerning customer information.
In the report, CRS stated that customer information once flowed directly between a customer and a depository institution, but now travels through layered digital interfaces, data aggregators, and banking-as-a-service platforms. CRS explained that despite these changes, the underlying compliance obligations remain rooted in three statutes: the Bank Secrecy Act ("BSA"), the Gramm-Leach-Bliley Act ("GLBA"), and the Bank Service Company Act ("BSCA"). CRS detailed the tripartite compliance burden banks face in these arrangements: (i) verifying customer identities to prevent money laundering, (ii) protecting nonpublic personal information to ensure privacy, and (iii) overseeing third-party partners to ensure safety and soundness. CRS noted that because bank-nonbank relationships are subject to different legal frameworks, updating rules for one entity can create inconsistencies or conflicting incentives for market participants.
CRS described emerging policy concerns, highlighting, for example, a gap in data privacy protection during the account opening process. CRS observed that privacy regulations generally apply to "customers" who have an established relationship with a bank, but the definition does not appear to cover "consumers" during the onboarding or application phase. CRS noted that this distinction is significant because the account initiation process exposes sensitive personal information. If privacy safeguards do not apply until the relationship is formalized, consumers relying on Fintech apps to enter the banking system may face vulnerabilities regarding the security of their nonpublic personal information.
CRS also focused on recent regulatory adjustments regarding how banks verify customer identities. CRS highlighted that federal regulators issued exemption orders in June and July 2025 allowing banks to obtain Tax Identification Numbers from third-party sources rather than the customer directly. Regulators justified this shift by noting that new technologies allow banks to form a reasonable belief of a customer's identity without direct collection. CRS questioned whether banks can effectively verify identities without in-person interactions.