To the casual observer, it might appear that the emerging field of banking-as-a-service (BaaS) — in which banks partner with fintech firms to offer banking services outside the realm of traditional bank branches — is under assault.
In 2023, BaaS banks accounted for 13.5% of federal bank regulators’ severe enforcement actions, according to S&P Global. In a series of high-profile crackdowns, federal regulators slapped consent agreements and fines on numerous banks, including Blue Ridge Bank, Cross River Bank, First Fed Bank and Metropolitan Commercial Bank, the last of these facing $30 million in penalties.
Former Federal Deposit Insurance Corp. Chair Jelena Williams went so far as to suggest that the current crop of federal regulators simply don’t like BaaS. While they understand that they can’t completely stop the growth of partnerships between banks and fintech, McWilliams said, regulators are “trying to make it more difficult” for those partnerships to flourish by promulgating regulatory guidance designed to have what she called a “chilling effect” on its expansion.
However, in a recent panel discussion about the future of BaaS and strategies for compliance, a group of bankers were largely optimistic about the future. The current regulatory focus on the space, they said, represents an opportunity for the industry to develop best practices and open up even more options for the fintech-bank partnerships that could improve banking for everyone.
Banks Still See BaaS as an Opportunity
The current upheaval, said Andreas Westgaard, a director with Klaros Group, is more about the learning curve inherent to innovation in a regulated industry. “I don’t think that the regulators are rooting for bank fintech partnerships to fail or trying to set them up for failure,” he said on a panel hosted by compliance tech company Cable at the end of 2023. “I think they’re just increasingly scrutinizing the risks and wrapping their head around the fact that these types of relationships pose novel risks that weren’t previously supervised as closely as they could have been.”
To be sure, the increased regulatory scrutiny places a burden on banks to move safely into the BaaS space, a rising number still see it as an opportunity. Compared to yearend 2022, when there were 116 BaaS providers, the industry now has 136, according to analysis by Bobby Button, CRO at FedFis, a more than 17% increase.
Growth in the number of BaaS, while slowing, still rose quarter-over-quarter at the end of 2023, according to Button’s most recent count in “Data Timeout,” even as regulatory actions ramped up. In fourth quarter 2024, the industry had 136 BaaS providers, up from 131 at the end of the previous quarter.
Now, banks are in an “enviable position” Westgaard said. Because of the number of fintechs seeking bank sponsors, they can be “quite picky” in choosing partner organizations.
Learn from Others’ Mistakes in BaaS
While enforcement actions are painful for banks, said Jame Sloan, executive director at Main Street Bank’s Innovation Lab, the overall effect has been increased certainty about regulatory expectations.
“I think we’ve got a diminishing amount of uncertainty given the amount of enforcement activity we’ve seen in the banking-as-a-service space,” she said.
“Looking at criticisms play out in public gives us a lot more insights into what the regulators are discovering and learning from as they pursue enforcement activity. A natural evolution of what happens is that the regulators start to see what happens when it really goes wrong, and get smarter about what they’re looking for and more direct as they spread out into the array of financial institutions that might be occupying a certain space.”
“I think we’ve got a diminishing amount of uncertainty given the amount of enforcement activity we’ve seen in the banking-as-a-service space.”
— Jame Sloan, Main Street Bank
Natasha Vernier, co-founder and CEO of Cable, which provides automated account monitoring services, pointed out an obvious vulnerability for banks operating in the BaaS space, especially when it comes to embedded finance. There can be a major gap between the risk management gap culture of the operational “first line” employees at a fintech and the higher level “second line” risk management functions at a bank.
“You’ve got the fintech that might be the first line, and then you’ve got the second line at the bank,” Vernier said. “And it’s really interesting to put those two things together and think about how the core of the problem is here, perhaps.”
Janine Jakubauskas, chief risk officer of BankProv agreed, noting that some of the most valuable takeaways from recent enforcement actions is the evidence that many of the banks targeted by regulators appear to have failed to bridge that gap.
“As risk professionals we always hear that the risk culture has to be across the entire organization, not just at the second line,” she said. “These regulatory findings [indicate] that doesn’t seem to have been the case.”
A key lesson, Jakubauskas said, is that top management at the bank needs to set the tone for its fintech partners. “It’s really important for the CEO and the full executive management team, and the business lines to also support the risk and compliance function to ensure that they have the resources necessary so that they don’t [face] these potential enforcement actions,” she said.
Westgaard, of Klaros, urged banks to pay close attention to interagency guidance released over the summer when they structure their relationships with BaaS partners.
“A critical component in many of the breakdowns that we’ve seen in these partner banking relationships — I would say one of the root causes — is a lack of clear delineation in terms of roles and responsibilities and who is doing what.”
He recommended that banks consult the guidance closely, and treat it like a checklist for assuring that all areas of responsibility for risk and compliance management are specifically defined.
“Heading into 2024, that will be a really critical aspect: To make sure you know that gaps are identified,” he said. “If you have policies where you’re saying ‘Everyone is responsible,’ then oftentimes, in effect, that means that nobody is responsible.”
Read more about BaaS trends:
- Will Federal Guidance Have ‘Chilling Effect’ on BaaS?
- Is BaaS the Last Strategy Your Bank Should Be Looking At?
Even More Active Due Diligence
The participants on the panel were unanimous in their assessment that banks need to do extensive due diligence when they choose which fintechs to partner with, developing a deep understanding of the kinds of products and services potential partners are offering and of their corporate culture.
Sloan, of Main Street Bank, urged banks to drill down into the way their fintech partners have approached key issues, like growing their businesses.
“FinTech firms looking to scramble to offer more products and services may not be paying as much attention to building out risk and compliance as they build out new products and features,” she said. “And so, they accumulate ‘compliance debt.’ And that comes with a cost.”
Donald Todd, director, financial crimes, at Midland State Bank in Wisconsin, said that assessment of potential fintech partners needs to start with background checks of executives and directors, and an analysis of employee turnover rates.
However, he stressed that the process “is not just an exercise in checking boxes,” emphasizing the importance of on-the-ground, face-to-face meetings with potential partners.
“I can’t stress enough to the banks out there: Go on-site and meet with potential partners. Zoom or Teams calls are not a natural conversation,” he said. “You really want to make sure that you have these free-flowing conversations and get a better sense of what these fintechs are saying and what they plan on doing.
“Ultimately, what you want to make sure is that everything is matching up from a capability standpoint to your company’s goals and objectives,” he said. “We’re all in there to generate revenue, but there’s different ways of going about that, and you want to make sure that they align appropriately with your bank’s goals and objectives.”
Create Networks of Cooperation
Because of the nature of the BaaS space, where a fintech may partner with multiple banks, and a bank with multiple fintechs, the experts on the panel pointed out that these relationships can create self-supporting networks of compliance professionals able to share insights and best practices.
Jakubauskas, of BankProv, urged her fellow bankers to view compliance as something that happens outside the realm of day-to-day competition among institutions operating in the same market.
“Traditionally, one might have thought that if a competitor was under an enforcement action, ‘Well great, that’s more business for us.’ But I think that kind of attitude is not the case at all, especially now and in this industry,” she said. “Ultimately, we all benefit if we can all stay out of trouble, because we want this industry to maintain a good reputation, both from a regulatory standpoint, from a congressional standpoint, and also with the general public.”
“I can’t stress enough to the banks out there: Go on-site and meet with potential partners. Zoom or Teams calls are not a natural conversation.”
— Donald Todd, Midland State Bank
Midland Bank’s Todd agreed. “I see an opportunity for the platforms and the banks that are within those platforms of having more open information sharing. That might be contractually or through memorandums of understanding. We’re all in this together, right?”
Under such an arrangement, he said, it would become possible for banks to compare notes about how different compliance regimes are functioning and develop best practices.
“If one of us fails, that’s going to have huge reputational effects on all of us,” he said. I think in the future, we’re going to see a lot more banks working together to ensure that…compliance is in place, and it will be great because we can share stories as to what we’re seeing, how we’ve corrected those issues and really work together. So, if one bank finds an issue, then all of the banks across the platform can also fix that.”
Dig deeper: Value of Embedded Finance [Webinar]
Develop Regulatory Communication
If there is anything that’s certain about the next few years of development in the BaaS space, it’s that bank regulators will continue probing the bank-fintech relationship for weaknesses and potential threats to banks’ safety and soundness.
For that reason, maintaining a close and open relationship with a primary regulator is essential.
“What was good enough during the last examination might not be good enough now,” said Westgaard. “Think about your regulatory communications and how you are managing ongoing supervision between exams. It will mean being really transparent about the risks associated with your BaaS program and [talking with regulators] about how to mitigate those risks.”