Proactively Meeting DORA Supply Chain Resilience Obligations

Introduction to DORA and its Implications

As of Jan. 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) became enforceable. This new regulatory framework significantly impacts financial institutions and certain critical Information and Communications Technology (ICT) service providers. It aims to strengthen digital operational resilience across the financial sector through a fundamental shift from reactive response to proactive prevention, ensuring that entities can anticipate, withstand, and recover from digital disruptions, particularly those caused by cyber threats.

DORA applies to approximately 22,000 financial entities, including central securities depositories, credit institutions, insurance firms, crypto-asset service providers, investment firms, and various other financial market participants. Its focus extends beyond internal operations to the critical role that third-party vendors, including service providers, play in maintaining operational continuity and resilience.

Given the increasing reliance on external vendors—many of which handle sensitive data or integrate deeply into client environments—the risk of disruption is often heightened through third-party relationships. DORA seeks to address these risks, with particular emphasis on vendors whose services involve accessing a client’s digital environment or handling confidential client data.


Navigating DORA Compliance: Vendor Due Diligence Simplified

Corporate legal departments and law firms have recognized that DORA compliance requires a significant shift in how vendor relationships are managed. Compliance is no longer solely confined to internal controls; it also extends those controls to every third-party partner with access to sensitive systems or data. For legal teams, meeting DORA’s obligations means ensuring that vendors not only meet stringent security and operational resilience requirements but also that they can provide the necessary evidence to support due diligence of these requirements, which is critical for minimizing risks and avoiding penalties.

Given the evolving regulatory landscape, organizations are making considerable investments to align their operations and vendor management strategies with DORA’s requirements. For example, vendor selection criteria can give weight to whether a proposed vendor has earned the Financial Services Qualifications System (FSQS) registration certification, a rigorous, comprehensive vendor assessment process developed and accepted by many of the largest financial institutions in Europe. Many organizations are also focused on strengthening their vendor onboarding processes to ensure they can quickly respond to compliance assessments and meet the stringent criteria set by DORA.


Vendor Assessments and Compliance Efficiencies

Vendor assessments are often a challenge for legal teams, particularly when managing large numbers of complex client relationships. To help ease this process, many service providers have invested in making the vendor onboarding experience as smooth as possible, taking a client-centric approach that considers the unique regulatory and operational requirements of each organization. Whether at the RFP, procurement onboarding, or annual assessment stage, firms have increasingly focused on responding to compliance requests with the documentation required to meet various DORA requirements.

Large organizations’ legal departments face tight deadlines, whether driven by regulatory timelines or business needs. Vendors that employ cross-functional teams within their organization can address the complexity of DORA-related assessments, often responding to detailed compliance questionnaires within 3-5 business days. This agility allows legal departments to focus on the bigger picture (how their vendors can drive positive business outcomes) while knowing that their vendors are meeting the rigorous compliance standards required under DORA.

In summary, DORA significantly impacts digital supply chain resilience obligations by requiring organizations to strengthen the governance and monitoring of third-party relationships, ensuring that vendors meet the highest standards of operational resilience, and addressing the risks posed by vendor disruptions in a more systematic and comprehensive way. Legal departments, compliance officers, and IT teams must work closely together to ensure that the entire digital supply chain is resilient and complies with DORA, with an emphasis on risk assessments, contractual safeguards, and continuous monitoring of critical third-party vendors.

Courtesy of Kris Kavanaugh, Integreon/JD Supra

PODCAST: Ransomware has the ability to instill fear in everyone from the smallest company to the largest corporation. It can affect operations on a global scale in minutes.

And while companies are acutely aware of ransomware’s risks, it reached a new high in the fourth quarter of 2024. According to a recent report from Travelers, this was due in part to bad actors focusing on repeatable methods to identify targets and access data. Today, ransomware still is very much a crime of opportunity. Joining me today to discuss ransomware attacks, how to mitigate their risks and how to respond if your business is targeted, is Dave Cunningham, senior case manager for Alvaka.

Courtesy of Patricia L. Harman, American Banker

The National Security Agency (NSA) and partners are releasing the joint Cybersecurity Advisory (CSA), “Fast Flux: A National Security Threat,” to warn about how cyber actors are using a technique called fast flux to conceal their activities by rapidly changing the IP address associated with a domain name.

The fast flux technique threatens national security as it enables cybercriminals and nation-state actors to create resilient, highly available command and control (C2) infrastructure and hide malicious activities. This infrastructure makes tracking and blocking malicious activity more difficult and can be used by threat actors to conduct espionage and obscure other cyber techniques, such as phishing campaigns and distributed denial of service attempts.

“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said Dave Luber, NSA Cybersecurity Director. “It is imperative cybersecurity providers, especially Protective DNS providers, follow these guidelines to safeguard critical infrastructure and sensitive information.”

NSA and the partnering agencies recommend cybersecurity providers implement a multi-layered approach to detection, and organizations leverage Protective DNS (PDNS) services that offer protection from fast flux enabled threats. Organizations—especially those within the Department of Defense (DoD) and Defense Industrial Base (DIB)—should use cybersecurity and PDNS services that aid in blocking malicious activity.
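The advisory describes fast flux as rapidly changing the IP address associated with a domain name, and recommends multi-layered detection and Protective DNS. The following added example (not from the advisory or any of the co-authoring agencies) shows the simplest form of that detection logic run over resolver logs: for each domain it counts how many distinct addresses were answered, how often consecutive answers changed, and the largest set of distinct addresses seen inside one time window. The log lines, domain names (under the reserved `.test` TLD), addresses (RFC 5737 documentation ranges), window size and thresholds are all constructed assumptions for the demonstration.

```python
"""Toy fast-flux indicator over passive-DNS style resolver logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 UTC timestamp> <domain> <resolved IPv4>".
# bank-portal.test is stable, cdn.test round-robins between two hosts,
# flux.test answers a different address on nearly every lookup.
SAMPLE_LOG = """\
2025-04-03T10:00:00Z bank-portal.test 192.0.2.10
2025-04-03T10:10:00Z bank-portal.test 192.0.2.10
2025-04-03T10:20:00Z bank-portal.test 192.0.2.10
2025-04-03T10:30:00Z bank-portal.test 192.0.2.10
2025-04-03T10:00:00Z cdn.test 198.51.100.20
2025-04-03T10:05:00Z cdn.test 198.51.100.21
2025-04-03T10:10:00Z cdn.test 198.51.100.20
2025-04-03T10:15:00Z cdn.test 198.51.100.21
2025-04-03T10:20:00Z cdn.test 198.51.100.20
2025-04-03T10:25:00Z cdn.test 198.51.100.21
2025-04-03T10:00:00Z flux.test 203.0.113.11
2025-04-03T10:05:00Z flux.test 203.0.113.57
2025-04-03T10:10:00Z flux.test 203.0.113.203
2025-04-03T10:15:00Z flux.test 203.0.113.19
2025-04-03T10:20:00Z flux.test 203.0.113.88
2025-04-03T10:25:00Z flux.test 203.0.113.140
2025-04-03T10:30:00Z flux.test 203.0.113.5
2025-04-03T10:35:00Z flux.test 203.0.113.231
"""


def parse_records(text):
    """Parse log text into (timestamp, domain, ip) tuples; skips blanks and # comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, domain.lower().rstrip("."), ip))
    return records


def analyze(records, window=timedelta(hours=1)):
    """Per-domain churn statistics: distinct IPs, answer changes, max distinct IPs in a window."""
    by_domain = defaultdict(list)
    for when, domain, ip in records:
        by_domain[domain].append((when, ip))

    stats = {}
    for domain, answers in by_domain.items():
        answers.sort()  # chronological order
        unique_ips = len({ip for _, ip in answers})
        # Number of times the answered address differed from the previous answer.
        changes = sum(1 for (_, a), (_, b) in zip(answers, answers[1:]) if a != b)
        # Largest set of distinct addresses observed within any `window`-long span.
        max_in_window = 0
        for i, (start, _) in enumerate(answers):
            seen = {ip for when, ip in answers[i:] if when - start <= window}
            max_in_window = max(max_in_window, len(seen))
        stats[domain] = {
            "unique_ips": unique_ips,
            "changes": changes,
            "max_unique_in_window": max_in_window,
        }
    return stats


def flag_fast_flux(stats, min_unique_in_window=5, min_changes=5):
    """Domains whose address set churns fast enough to warrant review (thresholds assumed)."""
    return sorted(
        domain
        for domain, s in stats.items()
        if s["max_unique_in_window"] >= min_unique_in_window and s["changes"] >= min_changes
    )


if __name__ == "__main__":
    stats = analyze(parse_records(SAMPLE_LOG))
    for domain, s in sorted(stats.items()):
        print(f"{domain:18} {s}")
    print("candidates:", flag_fast_flux(stats))
```

Two thresholds are combined on purpose: `cdn.test` changes its answer on every lookup but only ever uses two addresses, so the change count alone would flag ordinary round-robin load balancing, while the distinct-addresses-per-window count separates it from `flux.test`. In practice this would be one layer among several (the advisory's "multi-layered approach"); a Protective DNS provider sees far more resolution volume than a single organization and can apply the same idea at scale.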

Additional co-authors are the Cybersecurity and Infrastructure Security Agency (CISA); the Federal Bureau of Investigation (FBI); the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC); the Canadian Centre for Cyber Security (CCCS); and the New Zealand National Cyber Security Centre (NCSC-NZ).

Additionally, NSA offers no-cost cybersecurity services to Defense Industrial Base companies, including PDNS services.

For further information on PDNS, see the joint guidance released by NSA and CISA, Selecting a Protective DNS Service.

Three federal bank regulators will propose to rescind the Community Reinvestment Act final rule due to pending litigation, they announced Friday morning.

Courtesy of Gabrielle Saulsbery, Banking Dive

The Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. also plan to reinstate the CRA framework that existed prior to the final rule, which was issued in October 2023.

“The agencies will continue to work together to promote a consistent regulatory approach on their implementation of the CRA,” according to a joint announcement.

The October 2023 final rule was the first major revision to CRA regulations, which were established in 1977, in nearly three decades.

Michael Barr, who was the Fed’s vice chair for supervision at the time the rule was finalized, called the final rule a “win-win for all” when it was announced.

“Fair lending is safe and sound lending, and the CRA regulations we promulgate today will help make the financial system safer and fairer,” he said at the time.

But updates drew ire and legal action from industry groups and were also blocked by a Texas judge. Regulators postponed their implementation until 2026.

Spokespeople for the agencies did not immediately respond to requests for comment.

Several financial industry groups, including the Independent Community Bankers of America (ICBA), are warning federal lawmakers not to intervene in the U.S. credit card market.

Dave Kovaleski, Financial Regulation News

The groups cited proposals like the Credit Card Expansion Act, which seeks to require credit card issuers to offer a minimum of two networks for merchants processing transactions, or the Durbin amendment, which would reduce interchange fees.

The financial groups say they would reduce consumer choice, increase costs and fraud risks, and create economic challenges for smaller financial institutions.

“The payment card system is convenient, secure, and hassle-free,” the groups wrote in a letter to Congressional lawmakers. “It protects consumers against fraud, guarantees businesses receive timely payments, funds reward programs like cash back, and powers the American economy, from brick-and-mortar establishments to innovative e-commerce platforms 24 hours a day, seven days a week, 365 days a year. The Durbin-Marshall bill, and any other legislation that intervenes in the credit card market, puts all that in jeopardy.”

The letter was signed by ICBA along with the American Bankers Association, America’s Credit Unions, Association of Military Banks of America, Bank Policy Institute, Consumer Bankers Association, Defense Credit Union Council, Electronic Payments Coalition, Mid-Size Bank Coalition of America, and National Bankers Association.

The associations said that government intervention in the credit card market would disadvantage small businesses, citing a 2024 paper by a University of Miami finance professor who said small businesses would be put at a competitive disadvantage to large corporate megastores if the Credit Card Competition Act is passed.

The groups also noted that consumers would lose access to rewards programs and the reduction in rewards and cash back opportunities would significantly harm minority and lower-income consumers.

“The International Center for Law and Economics found that ‘77% of cardholders with a household income of less than $50,000’ have an active rewards card. The Durbin-Marshall bill would take away rewards options from lower-income Americans who value those rewards benefits, not just wealthy individuals,” the associations wrote.

Finally, the associations stated that the U.S. payments ecosystem is rife with competition and choice.

“Credit cards, debit cards, buy-now-pay-later, checks, cash, ACH transactions, wire transfers, and real time payment rails provide businesses and individuals with a multitude of payment options. There is no evidence of significant concentration in the credit card market. In fact, the market for consumer cards concentration is far below the DOJ threshold and is far less concentrated than other industries,” they added.

Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor’s secure file transfer software was breached.

By Sergiu Gatlan, Bleeping Computer

Western Alliance is a wholly owned subsidiary of Western Alliance Bancorporation, a leading U.S. banking company with over $80 billion in assets. The bank first revealed in a February SEC filing that the attackers exploited a zero-day vulnerability in the third-party software (disclosed by the vendor on October 27, 2024) to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices.

Western Alliance found that customer data was exfiltrated from its network only after discovering that the attackers leaked some files stolen from its systems. In breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the company said it has since “determined that the unauthorized actor acquired certain files from the systems from October 12, 2024, to October 24, 2024.”

An analysis of the stolen files concluded on February 21, 2025, and found they contained customer personal information, including names and Social Security numbers, as well as dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and/or passport information if it had been provided to Western Alliance.

“We have no evidence to believe that your personal information has been misused for the purpose of committing fraud or identity theft,” Western Alliance added, saying it’s also offering those affected one year of free membership for Experian IdentityWorks Credit 3B identity protection services.

“While we have no evidence that your personal information has been misused as a result of this incident, we encourage you to take advantage of the complimentary credit monitoring included in this letter.” A Western Alliance spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Breach claimed by Clop ransomware
While the secure file transfer software compromised in the breach was not named in the breach notification letters or the February SEC filing, the bank is one of 58 companies the Clop ransomware gang added to its leak site in January.

The cybercrime group was behind a series of attacks exploiting a pre-auth zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTrader, and Harmony software patched in October, when the company warned customers to upgrade immediately. In December, Cleo released security updates for a second zero-day (tracked as CVE-2024-55956) that the Clop threat actors exploited to deploy a Java backdoor dubbed “Malichus” to steal data, execute commands, and gain further access to the victims’ networks.

“This vulnerability has been leveraged to install malicious backdoor code on certain Cleo Harmony, VLTrader, and LexiCom instances in the form of a malicious Freemarker template containing server-side JavaScript,” Cleo explained in a private advisory.

While it’s currently unknown how many companies were breached in these attacks, Cleo claims its software is used by over 4,000 organizations worldwide. Clop was previously linked to several other data theft campaigns in recent years, targeting zero-day flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.

A federal judge has granted the CFPB 30 days to try to settle the lawsuit challenging the bureau’s credit card late fee rule that was issued during the Biden Administration.

“The Bureau’s new leadership is currently reviewing and considering its positions on various agency actions, including the regulation at issue in this case,” the CFPB’s attorneys said, in filing the request with Judge Mark T. Pittman of the U.S. District Court for the Northern District of Texas.

The rule currently is under a preliminary injunction issued by Pittman blocking implementation of the rule.

CFPB attorneys said that the two sides in the case, which includes the U.S. Chamber of Commerce, are discussing ways to settle the case.

“Based on those conversations, the Bureau is optimistic that an agreement can be reached within 30 days, but the parties require additional time to see if an agreed resolution is feasible,” CFPB attorneys wrote. The bureau asked for a stay in all pending deadlines in the case and asked that the judge requires that a status report be filed within 30 days.

The Trump Administration’s CFPB has been contemplating ways to roll back rules and policies that were implemented during the tenure of former Director Rohit Chopra, who favored a strict regulatory regime.

On March 5, 2024, the CFPB released the final credit card late fee rule. It reduced the late fee safe harbor amount for larger issuers to $8 and eliminated automatic annual inflation adjustments for issuers subject to the reduced safe harbor amount.

The reduced safe harbor late fee amount only applies to credit card issuers that have 1 million or more open accounts (“larger issuers”), who, according to the CFPB, constitute the issuers with 95% of total outstanding credit card balances. The final rule also adjusts the higher, pre-existing safe harbor late fee amounts that issuers below the 1 million account threshold (“smaller issuers”) can charge for a first violation from $30 to $32 and for subsequent violations during the next six billing cycles from $41 to $43.

Two days after the rule was issued, the Chamber of Commerce of the United States of America, Fort Worth Chamber of Commerce, Longview Chamber of Commerce, American Bankers Association, Consumer Bankers Association, and Texas Association of Business filed suit challenging the rule. They argued that in issuing the rule, the CFPB had ignored the fact that card issuers could charge a penalty fee.

The CFPB under Biden had asked that the case be transferred to the U.S. District Court for the District of Columbia. Pittman initially agreed, but the Fifth Circuit Court of Appeals refused to let him do so.

Subsequently, Judge Pittman issued the preliminary injunction blocking enforcement of the rule.

“The CARD Act explicitly allows card issuers to impose ‘penalty fee[s],’” Pittman wrote in December, when he refused to lift the preliminary injunction blocking the rule.

He continued, “The point is that, under the CARD Act, card issuers have the opportunity to charge penalty fees reasonable and proportional to violations, and narrowing the safe harbor to cost-based fees eliminates that opportunity.”

The UK government is proposing regulatory reforms of the financial services sector as part of its agenda for boosting economic growth. The main focus is on encouraging domestic investment by pension funds and relaxing household access to credit. The chances of success are highly uncertain.

A central component of the new UK government’s economic agenda involves reforms of domestic financial regulation to encourage growth. The proposed changes are part of a broader financial services growth and competitiveness strategy to revive the country’s financial services sector, a component of the new industrial strategy. They also reflect a wider move by the government to encourage regulators to liberalise rulebooks in order to deliver growth.

Unlike in other sectors, in financial services, deregulation to deliver growth was started by the previous government through its Edinburgh reforms. Under these measures, the industry regulator – the Financial Conduct Authority (FCA) – has already been assigned a ‘secondary objective’ to its primary one of ensuring that financial markets work well: namely, facilitating the international competitiveness and growth of the economy.

In this article, we examine the two main pillars of financial services reform within this strategy: increasing domestic business investment through reform of rules relating to how pension funds and consumer savings are invested; and increasing consumer demand through relaxing the supply of credit to households.

Encouraging pension fund investment in the UK
A first element of reform of UK pension funds is the creation of larger pension schemes, which can take advantage of economies of scale. In a series of measures including a forthcoming pensions schemes bill to be put to parliament, the government is seeking to create what are referred to as pension ‘megafunds’ – for example, by pooling local government pension schemes (of which there are currently 86 in the UK) into fewer, larger funds.

The new megafunds will be required to specify a target for the pool’s investment in their local economy, working in partnership with local and mayoral combined authorities to identify the best opportunities for supporting local growth. The government hopes that this could increase local investment in the UK by £20 billion, and total UK investment by £80 billion.

A second element of this reform is to encourage households to put more of their savings at risk by buying investments, such as equities listed in the FTSE100 index. Many individuals with investible financial assets choose to hold them mostly or wholly in cash.

The FCA estimates that 11.8 million consumers in the UK have £10,000 or more of investible assets, yet hold the majority or all of these assets in cash. Survey evidence suggests that of these, 44% (5.2 million) have some appetite to take investment risks (Financial Lives Survey, 2023).


Courtesy of John Gathergood and Sarah Hall, Economics Observatory

Ilaria D’Anca, 44, of Mesa, Arizona, felt that she had everything going for her, with a graduate degree in advertising and public relations, earned with honors. She worked 20 years as a healthcare executive, earning six-figure salaries for half of those years.

But between 2016 and 2019, she hit a rough patch that included a career change, an unprecedented flooding of her home and property, a legal battle and a falling out with family members that depleted her savings.

“I had an 806 credit score and nearly $150,000 saved in bank accounts prior to this financial crisis,” she said. “I went through every penny of it. We had three vehicles re-possessed and lost our home to foreclosure.”

“Bad financial products,” she said, worsened her situation. “Before this experience, I had no idea of the existence of these. I had 3 traditional mortgages and government-backed school loans prior.”

What are “bad financial products”?
When you’re down and out, the last thing you need is another blow to the knees. But that’s exactly what an increasing number of Americans, including those in the middle class, say they feel when they need access to short-term cash.

To cover unexpected medical bills, car repairs or other surprise expenses, Americans living paycheck-to-paycheck often turn to expensive short-term loans that can further erode their finances, according to community finance platform SoLo’s 2025 Cash Poor Report. Americans paid more than $39 billion, or 34% more than in 2023, in fees to borrow money to pay their unexpected expenses, SoLo said. Fees were on top of the advertised Annual Percentage Rate (APR), which often already reaches into the 20% range and higher for credit cards, it said.

Cash-poor Americans, or those who don’t have enough liquid cash on hand to cover unplanned expenses, often used some of the following to cover the average $1,825 emergency last year, it said.

  • Subprime credit cards: The most expensive option, with an average cost of 48%, up from 41% in 2023. Maximum fees can reach 90% of the principal borrowed, driven by high total fees, penalties, and monthly maintenance fees.
  • Payday loans: The average cost is 35%, up from 33% in 2023. Maximum costs reached 67%, fueled by origination fees, late fees, and penalties.
  • Buy now pay later, or BNPL: A relatively affordable option that allows people to pay in installments. It has minimum fees averaging just 2%. However, costs can climb to 45% due to interest and additional fees.
  • Earned wage access, or EWA: Tapping into your earned wages before payday has one of the lowest average borrowing costs at 13%, but fees can rise to 26% if including optional tipping and transaction charges.
  • Bank small-dollar loans: Growing in popularity, these are typically less than $1,000 and repaid in a few weeks or months. Average borrowing costs were 25% in 2024, with a minimum fee of 12%, mostly because of mandatory account balance and deposit requirements.
  • P2P, or peer-to-peer, loans: The most affordable option in terms of aggregate borrowing costs, but average costs may reach 17% due to tips and late fees.
  • Friends & family: 43% of people surveyed borrowed from friends and family last year. That’s up from 38% in 2023. These loans generally have no fees.

Hard lessons
D’Anca had her first taste of these short-term, high-interest loans when her pickup truck broke down.

“They (lenders) were willing to pay my $2,200 bill for the truck’s fuel pumps, but I had to pay it back in full within 3 months, or the interest would go from 0% to 169% with the back 3 months of interest due immediately,” she said. “Let me tell you, I believe most Americans would take the bad loan over being stuck in a parking lot indefinitely. So, I did.”


Courtesy of Medora Lee, USA TODAY

The company says new consumer loans to be made by its Square bank through the digital wallet are a less expensive alternative to predatory short-term financing.

The payments giant Block is positioning its Square bank to offer short-term consumer loans through its Cash App digital wallet as an alternative to payday lending, targeting borrowers who are unable to access traditional credit.

Loans made through its Cash App Borrow program, which were previously originated by Salt Lake City-based First Electronic Bank, will be administered by Block’s industrial bank, Square Financial Services, after the company received FDIC approval to offer consumer loans, the company said Wednesday in a news release.

The Cash App loans are about one-sixth the cost of a typical payday loan, a Block spokesperson contended in an email announcing the FDIC approval. The spokesperson declined to elaborate. Consumers are charged a one-time set-up fee for Cash App Borrow loans that usually equal 5% of the loan, the Block spokesperson said in an email.

Based on state law limitations, a typical two-week payday loan might have an annual interest rate approaching 400%, the Consumer Financial Protection Bureau said in a May 2024 post on its website, citing a loan that charged $15 for $100.

The average Cash App loan is less than $100 and roughly one month in duration, Block’s release said. The app originated roughly $9 billion in loans in 2024 through First Electronic Bank, the release said. Block and First Electronic Bank began working together in 2022.

Square Financial Services, which is based in Salt Lake City, launched operations in 2021 and also offers business loans. Consumer advocates have long criticized the payday loan industry for trapping low-income families and cash-strapped borrowers in cycles of debt and perpetuating poverty.

The payday lender industry has argued that it offers credit products to those who can’t get traditional loans.


Courtesy of Patrick Cooley, Payments Dive

The Office of the Comptroller of the Currency (OCC) today took action to reaffirm that a range of cryptocurrency activities are permissible in the federal banking system.

The OCC published Interpretive Letter 1183 to confirm that crypto-asset custody, certain stablecoin activities, and participation in independent node verification networks such as distributed ledgers are permissible for national banks and federal savings associations. The letter also rescinds the requirement for OCC-supervised institutions to receive supervisory nonobjection and demonstrate that they have adequate controls in place before they can engage in these cryptocurrency activities.


Read the NASCUS Summary on Interpretive Letter 1183 (login required)


“The OCC expects banks to have the same strong risk management controls in place to support novel bank activities as they do for traditional ones,” said Acting Comptroller of the Currency Rodney E. Hood. “Today’s action will reduce the burden on banks to engage in crypto-related activities and ensure that these bank activities are treated consistently by the OCC, regardless of the underlying technology. I will continue to work diligently to ensure regulations are effective and not excessive, while maintaining a strong federal banking system.”

Consistent with Interpretive Letter 1183, the OCC also withdrew its participation in the joint statement on crypto-asset risks to banking organizations and the joint statement on liquidity risks to banking organizations resulting from crypto-asset market vulnerabilities.

Related Link: Interpretive Letter 1183 (PDF)

Regulatory scrutiny of the bank-fintech relationship intensified last spring after middleware provider Synapse collapsed, leaving thousands of online customers’ deposits in the lurch.

Courtesy of Trading View

Last summer, federal banking agencies released an interagency statement providing guidance for banks working with third parties on deposit products, as well as a request for information related to the bank-fintech relationship. In September, the Federal Deposit Insurance Corporation (FDIC) proposed new recordkeeping rules for banks that take deposits from fintech customers.

Several consent orders against banks concerning their partnerships with fintechs followed. In the first half of 2024 alone, over a quarter of the FDIC's enforcement actions targeted bank sponsors involved in embedded finance partnerships.

Though the bank-fintech honeymoon may be over, it’s less certain what will come next. Lumping all fintech providers together and placing additional burdens on the smaller lenders that disproportionately rely on their services isn’t the answer. Done wisely, fewer—and more effective—regulatory bodies and rules would make for a more innovation-friendly environment.

Though much remains to be seen, this year may offer something of a clean slate following the flurry of activity in 2024—presenting an opportunity to develop smarter policies moving forward.

A New “Regulation-Lite” Framework is Needed

2024 saw plenty of promising bank-fintech regulatory developments. But we also witnessed overregulation and indiscriminate application of rules that sowed further uncertainty.

Community banks, in particular, have suffered in the aftermath of Synapse’s failure, as regulatory bodies threatened to paint every institution with the same brush regarding their third-party partnerships. At the same time, some FDIC field examiners have been interpreting rules differently depending on the examination in question.

Before advancing any additional regulation, it’s critical that regulators focus their efforts on the real culprit rather than placing all fintech-bank partnerships in the same bucket. In other words, deposit-oriented solutions—and related consumer protection and money laundering risks—should be prioritized, given the complexity of ongoing reconciliations and the potential fallout for consumers (e.g. with Synapse).

Other functions, like digital loan participation platforms, should be treated differently, as they represent a healthy model of strong bank-fintech governance and partnership.

Once they’ve homed in, regulators should consider a “regulation-lite” framework that encourages ongoing innovation and collaboration while ensuring both parties meet appropriate standards. This could take the form of a relatively simple checklist for both parties that factors in relevant questions, such as:

  • Do you have robust due diligence programs in place (e.g., related to anti-money laundering, know-your-customer, and adequate recordkeeping for deposits received from third-party/non-bank entities)?
  • Do you have full visibility into relevant ledgers and your partner’s financial performance?
  • Do you have a contingency plan in place should the partnership fail?
  • Are roles and responsibilities clearly assigned between you and your bank/fintech partner?
  • Have you identified an appropriate scope and frequency of reporting (e.g. on partner’s performance, risk management audits)?

Best Industry Practices

Several organizations offer useful blueprints for others to follow. Banking-as-a-service vendor Treasury Prime fully integrates its ledgers with its client banks' core systems and holds the underlying code of its application programming interface (API) in escrow, so if the company went offline, banks would still have access to the fintech's database and could continue using its API.

Similarly, Chime Financial designs its relationships with banks to protect its customers in case of failure.

“Not only does each of our partner banks have complete access to the relevant ledger, they also each have full visibility into Chime’s financial performance, enabling them to plan for and anticipate potential disruptions,” Chime said in response to the federal agencies’ RFI last year. “Consequently, our members would be protected in the event of an operational disruption.”
On the bank front, a recent report from law firm Troutman Pepper suggests that compliance teams should focus on “ledgering hygiene” that requires fintech firms to have separate accounts that “more clearly delineate funds for customers, operations, payment fees to third parties, contingency reserves, and network settlement.”

More Collaboration Equals More Innovation

Fortunately, last year’s tumult stimulated more cooperation and information sharing. This is a positive indicator of where the bank-fintech relationship could be heading.

For instance, since launching in the fall of 2024, the Coalition for Financial Ecosystem Standards has worked among its members and alongside regulators to develop standards for third-party relationships.

Yet more can be done. As I’ve previously argued, bringing back regulatory sandboxes in this area would allow fintech to gain needed experience in the banking world while fostering continued innovation in a safe, monitored, and risk-averse manner.

Though there may be more twists and turns ahead, banks and fintechs need each other more than ever. A regulation-lite framework that fosters innovation, transparency, and proactive engagement among key stakeholders can help both parties reach their full potential.