How BaaS Compliance Normalizes


By: Tyler Brown

JUNE 25, 2024

Compliance is hard, especially for Banking-as-a-Service (BaaS) sponsor banks. Risk multiplies with the number of partners, especially when those partners own the relationship with end customers — and banks aren’t always well-equipped for BaaS-driven growth. Enforcement orders made public as recently as this month highlight the challenges of running a compliant BaaS program, and increasingly, the associated third-party risks. With the Federal Reserve’s latest action, the number of sponsor banks that have run into trouble with regulators is now 12.

Despite the number of enforcement orders, the reasons for them often overlap. This month’s consent order had nothing new — it checked boxes for the most common lapses in BaaS risk management and compliance, including third-party risk management and oversight, restrictions on business, and BSA/AML. Most notably, references to third-party risk were everywhere in the consent order, and the Fed effectively froze the BaaS business by requiring written approval for “new partners, subsidiaries, lines of businesses, products, programs, services, or program managers.”

These endemic issues shouldn’t scare bankers away from BaaS. The regulatory action is uncomfortable for the BaaS industry because it calls into question the model’s viability for some participants. But for banks that commit to BaaS as a line of business, a byproduct of enforcement actions will be a roadmap that didn’t exist at the outset for BaaS-related compliance. Third-party risk, as most understood it before the fintech boom, was related to the systems banks used to serve their customers directly — the potential scale of third-party risk was small compared to today. Now, banks, vendors, and regulators are catching up.

Despite the uncertainty over BaaS risk and compliance, sponsor banks have some guidelines to go by. Recent interagency third-party risk guidance can be extrapolated to fintechs and other BaaS channel partners. According to the guidance, to quote another article of ours, sponsor banks need to:

  • Calibrate risk management to be “commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”
  • Evaluate “the effectiveness of a third party’s overall risk management […] and alignment with applicable policies and expectations” for fintech relationships.
  • Monitor the partner in a way that’s “appropriate for the risks associated with each third-party relationship.”

One outcome of the turmoil in BaaS will be modern frameworks for risk management and compliance tailored to the model’s needs. The fundamentals of BaaS are sound, and with help from both official guidance and the best practices regulatory action implies, BaaS will remain an attractive growth opportunity for banks.

Today’s phase naturally makes bankers nervous. It will pass, but sponsor banks must first weather the storm.


The Tactical Plan for Working With Fintech

JUNE 27, 2024

By: Tyler Brown

Technology Implementation

Bankers’ commitment to working with fintechs is promising, suggests data from CCG Catalyst’s Banking Stability and Innovation Survey 2023. Working with fintechs was integral to business strategy for 58% of respondents, who are C-suite executives at US financial institutions (FIs). A challenge for bankers that have made that strategic decision is to define a tactical plan that makes sense for their organization with a focus on how innovation should work in practice.

As we wrote in our report “Successes in Transformation,” tactics that support innovation depend on both people factors and technical factors. People factors include the right hires, clear objectives defined by senior leadership, an environment of open-mindedness, and an operational structure that supports continuous development. The technical factors often involve issues with legacy infrastructure, some of which the bank may need to solve for itself, and others that may require new partners. Both factors take time to address, and for some FIs, it’s an uncomfortable amount of change.

That process of planning, implementation, and normalization starts with structuring the organization to innovate. Innovative solutions may not even get on the agenda without the right mentality, sufficient expertise, and buy-in from the organization. Management’s deep understanding of its FI’s tech stack and its capacity to support fintech integrations follows. When the FI has those fundamentals in place, it can follow through with a technology strategy that novel fintech solutions may help fulfill. But not all fintechs fit into macro trends or the FI itself in the same way.

In the context of macro trends, bankers can divide today’s fintech solutions into two categories: Infrastructure fintechs (bank tech) and ecosystem fintechs (which connect to the FI’s technology to access data, products, or services). Those two categories increasingly overlap as infrastructure supports interactions with the fintech ecosystem via open banking or Banking-as-a-Service. That overlap is crucial particularly for banks that are exploring alternative distribution models and for correctly anticipating their customers’ desire for secure access to their financial data via nonbank solutions.

The ecosystem model has driven changes to a monolithic model for bank tech. First, the ecosystem itself is two-sided: There is ecosystem infrastructure, which enables interoperability with third parties, and there are ecosystem partners. Those partners may either be product or service-focused, like with BaaS users, or data-focused, like with apps that use open banking data. Second, the model for core banking is changing as next-generation infrastructure ties “traditional” core technology and ecosystem interoperability into the same system.

Amid those macro trends, and even for bankers enthusiastic about following them, there are sticking points to implementing a business strategy that includes working with fintechs. The biggest is likely the modernization budget, followed by inertia, fear of the unknown, or analysis paralysis. The last is the final roadblock: As we wrote, the freedom to choose integrations from fintechs or other providers requires a framework for decision-making and the capacity to evaluate products that meet the FI’s needs. For fintech solutions, that capability requires leadership’s deep knowledge of the fintech market, a nuanced vision for the bank’s technology stack, a detailed plan for the integrations they plan to add, and the right processes in place to evaluate options and onboard choices.

Debbi Roberts, GRCP

Partner, Compliance/Advisory/Core Modernization/Technology Innovation/Implementation

4 months

Good insights Tyler, thank you!
