Six Guiding Principles for BaaS Banks Seeking Strong Fintech Partners

By Mary Beth Marchione, MBA, CPA, CISA, CISSP

Banking as a Service (BaaS), more recently referred to as embedded banking, is not new. We continue to see it evolve through successful use cases, retailers entering the space (e.g., Uber, Starbucks) and regulatory scrutiny and action.

There is a clear opportunity for financial institutions (FIs) that engage with technology providers. This shift in basic assumptions is about engaging a broader base of customers, appealing to younger generations, providing financial wellness opportunities and creating a space where FIs can leverage their strengths (community and trust) in a trustless, faceless digital environment.

To make engagement safe for FIs and the customers they serve, some may say we need more regulation. However, events in the BaaS market three to four years ago now serve as cautionary tales. Through improved technology, clearer guidance and lessons learned, FIs have a clearer path to success.

One theme that has not faded is that due diligence is the key. Under the interagency oversight guidance released last year, fintech relationships that support critical activities (loans, deposits, payments, investments) are in the spotlight for regulatory scrutiny, and the guidance helps ensure that due diligence practices are managed for both new and ongoing relationships.

For any FIs considering new relationships, the guidance (Federal Register: Interagency Guidance on Third-Party Relationships: Risk Management) outlines the following key areas to be considered by the FI before engaging with a new fintech partner:

1) Business/strategic plan document. This should include recent and future mergers, acquisitions, divestitures, significant partners, etc. This could also address services, employment practices and other initiatives. When creating/updating this document, include information about the company’s relative business experience, its principals and any pending litigation and describe the workforce generally (contractors, employees, remote, domestic, etc.).

2) Legal and regulatory matters. Be sure to understand and document information on the ownership structure, licensing matters, legal counsel or internal capabilities and the compliance program. The FI and fintech should maintain a compliance program that consists of policies, procedures and controls that prove the fintech is operationalizing its responsibilities regarding the compliance regulations for which it is responsible with a clear understanding of the responsibilities within these relationships.

3) Financial condition. FIs should review audited or reviewed financial statements. It is common for fintech companies to not have achieved profitability. In those cases, the companies should provide a game plan for how the organization maintains resources, operations and controls in the near and future terms.

4) Risk management. This is usually communicated through a policy or program, written procedures and various third-party audits, including SOC 1 and/or 2 reports, penetration testing, and vulnerability scanning. Third-party vendor management assessments are also important evaluations of security. A robust risk management process would include several elements inherent in a SOC 2 audit, such as a comprehensive risk assessment, change management processes and access management processes.

5) Information security/information systems management/incident response plan. The fintech should have a written information security program that meets the applicable requirements of the FFIEC, including business continuity plan considerations. That includes the experience to assess and mitigate threats that could affect the fintech’s data and infrastructure. A comprehensive network diagram that illustrates controls and devices that limit access to critical data and transactions as appropriate — use of multi-factor authentication, encryption, secure code management, endpoint management and other controls — should be part of the program.

6) Contractual arrangements with significant third parties. The FI and fintech should have a process in place to assess the risk and monitor the activities of any third parties that are critical to the delivery of its services to the FI. The fintech should provide a list of all critical third parties, along with the risk ratings and the results of that monitoring.

Even under regulatory scrutiny, BaaS, or embedded banking, is here and will be part of the curated customer experience going forward. As referenced in our recent Growth Garage on BaaS, FI leaders have leveraged their regulators to build a good relationship and to understand how to operate in new and challenging environments.

The biggest area of failures noted falls under BSA and customer due diligence, no matter what the product is. This will continue to be a challenge in the future. In the payments space, it will be important to spend a lot of time understanding whether the structure is correct and, in the credit space, looking at each product and how it complies with the relevant consumer compliance laws, such as UDAAP. It is imperative to have a direct relationship with the fintech partner to help ensure processes and obligations are performed to the standard of the FI’s own processes.


Mary Beth Marchione, MBA, CPA, CISA, CISSP is a RAS Partner at WIPFLI, a national accounting and advisory firm. She serves on the board of National Fintech Organization (NFO) and can be reached at [email protected]
