A Look Back at Severe Enforcement Actions for BaaS Banks

Regulation and Banking-as-a-Service

Five Banking-as-a-Service (BaaS) banks faced severe enforcement actions from federal regulators in 2023. According to S&P Global, that was the highest percentage of overall enforcement actions that BaaS banks have represented since at least 2020. Three common themes were poor risk controls, compliance lapses, and poor partnership management and product development.

Scrutiny on BaaS banks increased in the last year or so as issues came to light, likely tied to the increase in BaaS activity over the last few years. Fintech growth, especially in 2021, led BaaS partnerships to skyrocket, inviting many more financial institutions (FIs) into the fray and leading to loose compliance practices and overextension in some cases.

Among those in hot water in 2023 were First Fed, which received a cease and desist order related to practices regarding credit products; B2 Bank, which was ordered to make changes to risk and compliance oversight, including affiliate risk management and senior executive appointments; Vast Bank, which received orders related to capital and strategic planning, liquidity and interest rate management, and risk management for new products; Metropolitan Commercial Bank, which agreed to pay $30 million to settle allegations related to know-your-customer (KYC) and third-party risk management; and Cross River Bank, which faced action over fair lending laws and internal controls, information services, and credit underwriting. (News of two additional consent orders, one for Choice Financial Group and one for Blue Ridge Bank, broke in late January.)

Notably, many of these problems are related to lapses in the boring aspects of banking — when a regulator goes after a BaaS bank for poor risk management, insufficient capital controls, an absent compliance committee, or fair lending practices, it could just as well be any other bank subject to typical scrutiny. A big difference for BaaS banks, though, is that the cause of a regulatory problem is often from one or more fintech partnerships, which means it is ultimately a third-party risk issue. This is complicated by the fact that fintechs’ breakneck growth and lack of experience in financial services can clash with banks’ risk and compliance obligations if they’re not careful.                           

Due to the recent scrutiny, BaaS is taking a reputational blow. But given these problems seem related to third-party risk management and oversight as opposed to deep issues with the model itself (there are BaaS banks operating today without issue), shying away from the BaaS opportunity may not necessarily be the answer. Rather, the goal should be to make sure you know what you’re getting into and that it makes sense for your FI — BaaS requires heavy investment in and a commitment to a mix of governance, risk management, and taking special care with new partnerships and products. A line from one enforcement action is particularly relevant, demanding a “written program for the review of new products, programs, services, business lines, [and] program managers,” in addition to close oversight of a fintech business unit and better KYC and third-party risk management.       

In the end, long-run demand for embedded banking services suggests such compliance imperatives (as well as high scrutiny) are here to stay, so BaaS banks will need operate with stricter controls if they want to remain in the game. That means BaaS needs to be a commitment rather than a casual experiment, and as such, we’re likely to see the market consolidate around those who make it a core competency. As John Soffronoff, partner and US head of community banking at Capco, recently told Banking Dive, “The infrastructure necessary to effectively manage third-party risk needs to be leveraged over a sizable portfolio. This is not an area a bank can dabble in.” In other words, the costs of appropriate compliance are raising barriers to entry and setting up banks who are dedicated to that line of business to dominate.