On February 25, the Congressional Research Service (CRS) published a report examining the regulatory complexity posed by increasing partnerships between banks and nonbank financial technology providers. The report explained how compliance with the BSA/AML, the GLBA’s data privacy provisions, and the oversight framework under the Bank Service Company Act (BSCA) can be complicated when a fintech serves as the consumer interface while a bank provides core services, particularly when it involves data transfers. CRS noted that these relationships often face different regulatory requirements, and changes to one set of rules can lead to confusion or conflicting incentives among market participants. The report raised questions about whether banks can securely transmit data, verify customer identities without in-person contact, ensure privacy protections during onboarding when fintechs act as the consumer interface in banking-as-a-service arrangements, and whether regulators can adequately examine these partnership operations.

The report also underscored that GLBA protections apply only to “customers” with established relationships, potentially excluding consumers in onboarding stages, which CRS noted may leave sensitive information vulnerable during account opening. The report further noted that fintechs are not explicitly covered by the BSA/AML or the BSCA. However, under the former, certain activities may fall within scope if designated by the Treasury secretary as relevant to criminal, tax, or regulatory matters; and, with respect to the latter, BSCA oversight applies to permissible bank service functions often performed by fintechs, even if not expressly referenced. CRS also highlighted orders issued in 2025 from the OCC, the FDIC, the NCUA, FinCEN, and the Fed, allowing banks to obtain Tax Identification Number information from third parties, as opposed to from customers directly as previously required (covered by InfoBytes here), citing a reduced need due to the availability of other verification methods.