Thread Bank

Rogersville, TN | 2022–2024 | Community Banks / Credit Unions
FDIC | BSA/AML | Third Party Risk | Unsafe Unsound Practices
Penalty: $0

Outcome

Thread Bank entered an FDIC consent order effective May 21, 2024 requiring overhaul of its BSA/AML program, enterprise risk management, strategic plan, and banking-as-a-service operations including documented exit plans for fintech partnerships and enhanced suspicious activity monitoring.

Details

Thread Bank — BSA/AML and Banking-as-a-Service Consent Order (2024)

Outcome: Rogersville, Tennessee-based Thread Bank entered an FDIC consent order effective May 21, 2024, with no stated monetary penalty, requiring comprehensive remediation of BSA/AML deficiencies, enterprise risk management gaps, and inadequate oversight of its extensive banking-as-a-service fintech partnership network.

Thread Bank, headquartered in Rogersville, Tennessee, had developed a significant banking-as-a-service (BaaS) and lending-as-a-service (LaaS) business that served as the regulated banking backbone for numerous fintech platforms, including Relay, Toolbox, Sequin, Currence, Arpari, and others — all accessed through Unit, a fintech infrastructure provider. The FDIC's consent order (FDIC-24-0022b), effective May 21, 2024 and published in June 2024, addressed broad deficiencies that extended well beyond the bank's fintech operations.

The consent order's scope was notably wider than most BaaS-related enforcement actions, encompassing not just AML/CFT remediation but also updates to the bank's strategic plan and enterprise risk management framework. Within 120 days, Thread Bank was required to fully document its BaaS and LaaS program policies and procedures, covering third-party partner and customer approval requirements, due diligence processes, growth and stress modeling, ongoing AML/CFT compliance monitoring, and — critically — documented procedures for unwinding third-party business lines including fintech partners.

The AML-specific provisions required Thread Bank to implement documented customer due diligence and suspicious activity monitoring processes for its BaaS program, ensure AML/CFT staff were adequately trained to identify suspicious activity, confirm that suspicious activity was reported within regulatory deadlines, and verify that third-party partners were actively meeting the bank's AML/CFT program requirements. The order also required the bank to develop a formal exit plan for fintech partnerships covering monitoring for service interruptions, response steps, staffing requirements, customer notification procedures, and protocols for notifying regulators and external stakeholders in the event of a disruption.

Primary Source: FDIC Consent Order FDIC-24-0022b — Thread Bank (May 21, 2024)

How Crucible Prevents This

Crucible's pre-tool-check hook would enforce documented due diligence requirements before any new BaaS partner is onboarded. The session-init gate would surface open remediation obligations at every session start. The instinct-observer would record patterns of compliance exceptions across partner platforms, enabling early detection of the AML monitoring gaps that drove this action.
