How BaaS Compliance Normalizes

CCG Catalyst Commentary

By: Tyler Brown

June 25, 2024

Compliance is hard, especially for Banking-as-a-Service (BaaS) sponsor banks. Risk multiplies with the number of partners, especially when those partners own the relationship with end customers — and banks aren’t always well-equipped for BaaS-driven growth. Enforcement orders made public as recently as this month highlight the challenges of running a compliant BaaS program, and increasingly, the associated third-party risks. With the Federal Reserve’s latest action, the number of sponsor banks that have run into trouble with regulators is now 12.

Despite the number of enforcement orders, the reasons for them often overlap. This month’s consent order had nothing new — it checked boxes for the most common lapses in BaaS risk management and compliance, including third-party risk management and oversight, restrictions on business, and BSA/AML. Most notably, references to third-party risk were everywhere in the consent order, and the Fed effectively froze the BaaS business by requiring written approval for “new partners, subsidiaries, lines of businesses, products, programs, services, or program managers.”

These endemic issues shouldn’t scare bankers away from BaaS. The regulatory action is uncomfortable for the BaaS industry because it calls into question the model’s viability for some participants. But for banks that commit to BaaS as a line of business, a byproduct of enforcement actions will be a roadmap that didn’t exist at the outset for BaaS-related compliance. Third-party risk, as most understood it before the fintech boom, was related to the systems banks used to serve their customers directly — the potential scale of third-party risk was small compared to today. Now, banks, vendors, and regulators are catching up.

Despite the uncertainty over BaaS risk and compliance, sponsor banks have some guidelines to go by. Recent interagency third-party risk guidance can be extrapolated to fintechs and other BaaS channel partners. According to the guidance, to quote another article of ours, sponsor banks need to:

  • Calibrate risk management to be “commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”
  • Evaluate “the effectiveness of a third party’s overall risk management […] and alignment with applicable policies and expectations” for fintech relationships.
  • Monitor the partner in a way that’s “appropriate for the risks associated with each third-party relationship.”

One outcome of the turmoil in BaaS will be modern frameworks for risk management and compliance tailored to the model’s needs. The fundamentals of BaaS are sound, and with help from both official guidance and the best practices regulatory action implies, BaaS will remain an attractive growth opportunity for banks.

Today’s phase naturally makes bankers nervous. It will pass, but sponsor banks must first weather the storm.