The Mushrooming Regulatory Challenges to Banking-as-a-Service: A Field Guide
In the wake of regulatory scrutiny and a wave of enforcement actions, Jason Mikula's forthcoming book, Banking as a Service, casts a timely and critical eye on the future of BaaS. To understand whether the model is sustainable and can deliver on its early promise, Mikula argues in this exclusive excerpt that bankers and their partners need to grasp the full range of compliance and legal concerns. This excerpt from Banking as a Service by Jason Mikula © 2024 is reproduced with permission from Kogan Page Ltd.
By Jason Mikula
In today’s BaaS environment, middleware providers and fintechs function as third-party service providers to their bank partners. But, at the end of the day, it is the charter holder, the bank, that is ultimately responsible to regulatory authorities, including for the actions or inactions of its partners. The bank must supervise its partners’ compliance with the regulations applicable to the activities they undertake, just as if the bank were undertaking those activities itself.
While this sounds simple at face value, supervising external third parties can quickly become orders of magnitude more complicated than undertaking the same activities in-house. The number and variety of partners a bank has increases the complexity of monitoring and ensuring their compliance, particularly when the risk profile of the partners’ activities differs substantially from the bank’s own activities. This is often the case, as many banks that engage in banking-as-a-service are relatively small and may have comparatively simpler businesses. A third party’s physical location, type of customer, and type of product can carry a substantially different risk profile than the bank’s own customers and products.
The Regulatory Gaze
U.S. bank regulators have made it increasingly clear that they are paying attention to the unique risks posed by banking-as-a-service.
The three primary federal regulators, the Federal Reserve Board, the FDIC, and the OCC, have collaborated in issuing various guidelines in an attempt to provide a consistent framework for the banks they oversee. Between general guidance documents and regulatory enforcement actions against specific entities, a number of themes have become clear:
Initial due diligence. Before embarking on a partnership with a third party, banks are expected to undertake due diligence of the prospective partner that is appropriate for the types of activities and level of risk involved. Areas of due diligence can include a counterparty’s business experience and qualifications; financial condition; legal and regulatory compliance; risk management and controls; information security program and systems; and operational resilience, including business continuity and incident response planning. Banks are expected to have a clear and documented system for evaluating potential partners, including a rationale for how a third party aligns with the bank’s strategic and financial goals.
Ongoing monitoring and third-party risk management. Banks’ obligations do not end when their third-party partners pass an initial due diligence screen. Banks are also expected to monitor their partners and, if applicable, their partners’ clients, on an ongoing basis.
Regulators expect banks to have adequate policies, procedures, processes, systems, and staffing in place to oversee third parties commensurate with the types and levels of risk they present. A comprehensive approach to third-party risk management should encompass the entire lifecycle, from initial planning and identifying prospective partners, negotiation and contracting, ongoing monitoring during the life of the engagement, as well as termination.
Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Compliance with anti-money laundering requirements has been a key focus area for U.S. regulators and for those in other countries. These regulations still apply regardless of whether the service is delivered through one or multiple intermediaries. Implementing the principles and design of an effective anti-money laundering program, including a risk-based approach, dual controls, and the three lines of defense, becomes more complicated with third parties in the mix.
If a middleware provider or customer-facing fintech is handling customer onboarding, the bank partner is responsible for overseeing that it does so in compliance with relevant regulations. Know-Your-Customer (KYC)/Know-Your-Business (KYB) checks, customer due diligence (CDD), enhanced due diligence (EDD), transaction monitoring, and suspicious activity monitoring and reporting (SARs) are all examples of key AML functions that, historically, would be managed directly by a bank, even if it made use of vendor capabilities to do so.
In a banking-as-a-service model, the policies, procedures, tech, and staff carrying out these functions are often at a third party. It is the bank partner’s responsibility to oversee its third parties’ compliance with regulatory requirements, including that they are appropriate given the products, customers, and geographies served.
Information technology governance. While perhaps not typically thought of as a "banking" risk, the development and deployment of information technology systems poses unique risks in financial services. When banks are working with third parties who are developing and deploying their own software, like middleware platforms or customer-facing fintechs, a bank must have adequate oversight of those processes. This would typically include ensuring that a bank’s third-party partners have their own appropriate policies and procedures as well as the bank having adequate systems and staffing in place to effectively monitor its third-party partners. An IT control program would typically address key areas like risk governance, business continuity, information security, and change management.
Consumer compliance. To date, surprisingly little regulatory attention has been focused on consumer compliance. Key consumer protection regulations in the U.S. include the Electronic Fund Transfer Act, which covers electronic transactions such as bank transfers and card payments, affords consumers certain rights related to unauthorized transfers, and requires timely resolution of errors.
Other examples of consumer protection regulations include the Truth in Savings Act, which requires certain account disclosures, and the Gramm-Leach-Bliley Act, which requires covered institutions to formulate privacy policies to protect users’ nonpublic information. The prohibition on unfair, deceptive, and abusive acts and practices (UDAAP) is arguably the most far-reaching consumer protection doctrine, encompassing business functions from product design to advertising copy. While there has been little regulatory action on these issues to date, banks are still responsible for overseeing that their third parties have appropriate policies, procedures, systems, and staffing in place to comply with their requirements, if applicable.
Lending-related. The broad-based guidance on due diligence and third-party risk management is certainly relevant to banks supporting lending BaaS use cases. In addition to those higher-level principles governing bank-lender partnerships, banks are also responsible for ensuring their lending partners comply with applicable consumer lending regulations. The Truth in Lending Act (TILA) requires certain disclosures, including in advertising materials. The Equal Credit Opportunity Act (ECOA) prohibits illegal discrimination in making credit decisions, including in the use of automated credit underwriting models. Protections like the Fair Debt Collection Practices Act (FDCPA) and the Servicemembers Civil Relief Act (SCRA) are also relevant considerations.
And more general consumer protections, like UDAAP, still apply. In a banking-as-a-service model, a third party is still generally functioning as a third-party service provider to the bank, making it the bank’s obligation to ensure compliance with relevant regulations. However, depending on how these arrangements are structured, some regulatory obligations, like FDCPA or SCRA, may fall only on the third party that owns and is servicing or collecting on the debt, rather than the bank that originated it.
Concentration risk and balance sheet management. To date, this also has not been as strongly emphasized by regulators in guidance or public enforcement actions, but it is still worth flagging. As discussed previously, a key component of the appeal of BaaS for banks is the ability to source deposits. But this also becomes a source of balance sheet risk, particularly if a single partner brings a large proportion of the bank’s deposits, or if the bank works with a middleware platform whose programs, in aggregate, bring a meaningful proportion of its deposits. This kind of concentration exposes the bank to the risk of a large volume of deposits leaving all at once. Proximate causes could include a partner or BaaS platform deciding to switch to another bank partner or winding down altogether. On the flip side, should a bank decide it wants to exit a specific program, whether for business strategy, regulatory, or other reasons, dependence on that program’s deposits would complicate parting ways with it.
Surely for all this trouble, banking-as-a-service must be a good business, right? For banks, it certainly can be, though that may be changing. For middleware platforms and for customer-facing fintechs that rely on BaaS, it is much more of an open question as to whether or not the economic models of their respective businesses are sustainable.
Jason Mikula is the Head of Industry Strategy, Banking & Fintech, at next-gen decision platform Taktile and the publisher of Fintech Business Weekly, a newsletter going beyond the headlines to analyze the technology, regulatory, and business model trends driving the rapidly evolving financial services ecosystem. He also advises and consults for and invests in early stage startups. Previously, he spent over a decade building and scaling consumer finance businesses, including at Enova, LendUp and Goldman Sachs.