BaaS Banks Need a New Take on Risk and Compliance

CCG Catalyst Commentary

By: Tyler Brown

March 19, 2024

Banking-as-a-Service (BaaS) is in hot water, as we wrote in February, with BaaS banks increasingly facing regulatory actions and some dropping out of the business entirely. In March, for example, Metropolitan Commercial Bank (MCB) announced it would “exit all BaaS relationships,” to reduce its exposure to “heightened, and evolving, regulatory standards.” While there is still opportunity in BaaS, to withstand ongoing scrutiny, banks will need to shore up their oversight capabilities.

The Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) made clear in guidance published last year that the buck stops at banks for fintech partners’ compliance with banking rules. But those partnerships are primed to cause problems because, as the guidance put it, they “reduce a banking organization’s direct control over activities and may introduce new risks or increase existing risks, such as operational, compliance, and strategic risks.” Nothing a partner does can reduce the bank’s obligations, it added.

The length and complexity of the guidance give an idea of just how much BaaS banks must do to stay on the right side of regulators. Tasks include:

  • Calibrating risk management to be “commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”
  • Evaluating “the effectiveness of a third party’s overall risk management […] and alignment with applicable policies and expectations” for fintech relationships.
  • Monitoring the partner in a way that’s “appropriate for the risks associated with each third-party relationship.”

This burden is exacerbated by the fact that BaaS banks tend to be smaller institutions: According to CCG’s proprietary research, about 30% of BaaS banks have assets under $1 billion, and about 60% have assets under $5 billion. A small size makes compliance more difficult, particularly when fintech relationships grow quickly. Regulators “plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks,” but self-help is the only option available now. And, unfortunately, current practices have shortcomings.

Today, a bank has two options, according to Alloy’s interpretation of a Fintech Takes article: It can require fintechs to adopt the bank’s compliance infrastructure and policies or it can set guidelines that it expects partners to follow. In the first case, compliance may not be scalable. In the second case, sponsor banks may struggle to manage the risk regulators say they’re responsible for. Solutions to these shortcomings must give banks oversight and ultimate control of partners’ compliance practices, give partners the flexibility to adapt within the bank’s requirements, and limit the costs to both.

Tools are emerging to provide support — for example, Alloy recently announced a solution that advertises a “parent, child” compliance workflow that enables a sponsor bank to set risk and compliance restrictions that supersede fintech partners’ own settings. And we expect to see more such offerings coming to market. But for BaaS banks to overcome their current challenges, they need to come back to their strategy for risk and partnerships. It’s critical that they think through questions like, “How much risk can we handle?” “What kind of partners should we work with?” and “What resources do we need?”

When BaaS was all anyone could talk about, a lot of banks jumped in. And it’s likely that many did so without crafting a strategy for success. It’s not too late to come back to that exercise with compliance in mind. For any institution, and especially for smaller institutions, it’s better to do the work upfront — even if it means learning that you can’t actually support a BaaS program — than risk regulatory trouble.
