Examining the Top Lapses in BaaS Banks’ Compliance

CCG Catalyst Commentary


By: Tyler Brown

April 9, 2024

It’s quite clear that Banking-as-a-Service (BaaS) banks need to think more carefully about risk and compliance as regulatory scrutiny of the space continues to ramp up. According to research by Klaros Group, 11 BaaS banks have received enforcement actions from their primary federal regulator, each citing at least two categories of deficiencies, and often including failures related to third-party risk management.

As we’ve written, most of BaaS banks’ compliance lapses could just as well have occurred at any other bank subject to typical scrutiny. What distinguishes BaaS banks is that their issues largely stem from their partnerships with fintechs — in other words, third-party risk issues — and point to leadership’s need to pay close attention to risk mitigation, regulatory compliance, and the infrastructure that supports third-party relationships.

The four most common issues BaaS banks have faced in consent orders are:

1. Board governance. A well-managed, risk-conscious BaaS strategy — like a plan at any bank — depends on a board that communicates a clear vision for the bank’s future while being thoughtful about risk and diligent in its oversight of controls.

“…the Board […] shall effectively supervise all of the Bank’s compliance-related activities, consistent with the role and expertise commonly expected for directors of banks of comparable size and complexity …” — FDIC Consent Order, First Fed Bank

2. Third-party risk management and oversight. Regulators have made clear again and again that the scope and quality of risk management related to third parties must be appropriate for the bank’s size, risk profile, and the nature of the third-party relationships.

“The Third-Party Risk Management Program shall be commensurate with the level of risk and complexity of the Bank’s third-party relationships.” — OCC Consent Order, Blue Ridge Bank

3. Restrictions on business. Nearly all the BaaS banks ensnared by consent orders have faced restrictions on their businesses related to fintech partnerships. That has put a lid on their growth and interrupted the operations of an entire line of business.

“The Bank may not initiate, add a new product or service, or modify or expand an existing product or service in a way that is not consistent with the Board-approved Capital and Strategic Plans.” — OCC Consent Order, Vast Bank

4. BSA/AML. Fintech partners’ growth ambitions incentivize them to set a low bar for KYC, and their bank partners’ desire to accommodate them has increased the risk of KYC failures. Those failures, along with lapses in transaction monitoring and other fraud concerns, have come back to bite sponsor banks.

“…the Bank shall develop and submit […] a comprehensive Bank Secrecy Act and anti-money laundering (“BSA/AML”) risk assessment program (“BSA/AML Risk Assessment Program”) …” — OCC Consent Order, B2 Bank

Acceptable risk management and compliance starts at the board level. But heading off the compliance lapses common to BaaS banks may depend on expertise boards don’t have — particularly at the community and small regional banks that make up most BaaS banks. It’s therefore crucial that a BaaS bank’s board include expertise not only in areas like compliance, risk management, governance, and audit, but also in technology — and that it hire senior management that can execute.

BaaS has been a lightning rod for regulators, but that doesn’t mean bankers should be afraid of investing in that line of business. It means that they should consider their board’s expertise and leadership needs as they lay out a strategy, and that they continue to evaluate the controls they need to run the business cost-effectively without attracting regulators’ attention.