As consumer preferences have shifted toward online banking and other digital products, many traditional financial institutions have sought BaaS fintech partners to generate new sources of revenue. However, these partnerships introduce greater risks for community banks and credit unions, which must compete to attract the best fintech programs.
Competition for lucrative fintech partnerships sometimes encourages cutting corners. Financial institutions that rush digital banking products to market without the proper guardrails are beginning to see regulators crack down on them.
A Virginia bank entered a consent order with the Office of the Comptroller of the Currency (OCC) that requires it to strengthen its compliance with BSA/AML and other risk areas and seek prior approval from the Agency before onboarding new fintech partners.
A New Jersey BaaS bank recently encountered similar issues with its fintech partners. The FDIC issued a consent order requiring the bank to address deficiencies in fair lending compliance. Like the Virginia bank, it also must seek out regulatory approval before offering new fintech products to consumers.
Increased regulatory oversight of BaaS fintech partnerships gives financial institutions pause. For community banks and credit unions, financial technology offers enticing opportunities. At the same time, FIs need sound strategies for managing the compliance risk of their fintech partners.
Related: Regulators Crank Up the Heat on BaaS Banking. What Does This Mean for Third-Party Risk Management?
Banking-as-service refers to the partnership between traditional financial institutions and technology-driven companies that offer products and services directly to consumers. At its most basic, a fully licensed bank or credit union allows a non-bank fintech to access its core systems and infrastructure through an application programming interface (API) in exchange for a fee.
Fintechs love the interchange fees, and financial institutions love the growth that fintechs promise. For community banks and credit unions, growth is difficult to achieve without paying a hefty price. BaaS fintech partnerships shorten the innovation lifecycle, giving financial institutions an inexpensive route to increased revenue.
As the financial services industry evolves, more consumers demand a seamless customer journey. From e-commerce platforms that offer single-touch payments to retailers that store customer data for easy checkout, financial technology is the future of banking.
Community banks and credit unions understand all too well that they need financial technology to remain competitive. The drive toward consolidation looms for smaller FIs as larger banks gobble up more market share.
The appeal of fintech for smaller institutions isn’t difficult to appreciate.
Financial institutions with under $10 billion in assets with BaaS outperformed their non-BaaS peers by a net interest margin of 4.11% compared to 3.41%, according to S&P Global Intelligence
With Millennials set to inherit $68 trillion in wealth, financial institutions that fail to embrace technology will be at a distinct disadvantage. Nearly 80% of Millennial consumers are interested in digital banking compared to 30% of their parents.
Fintech partnerships give community banks and credit unions a puncher’s chance in the growing market for digital financial products.
The emerging problem with financial institutions’ BaaS fintech partners is clear enough: FIs are responsible for all the compliance risks under their charters. You can’t outsource compliance risk to a third party.
Under one model, financial institutions and fintechs outsource BaaS to a third-party platform provider. These middleware providers build the APIs that connect to a financial institution’s core systems, handling functions such as deposits and payments for fintechs.
Middleware BaaS firms also claim they manage compliance, although financial institutions should take such statements with a grain of salt. When one bank cut ties with their middleware BaaS provider Synapse in October, the reason cited by those with knowledge of the relationship pointed to Synapse’s “inattention to compliance matters” as the primary motivation.
The bank suffered several regulatory infractions from its partnership with Synapse, associated in part with the collapse of FTX.
Related: FTX and Bankruptcy: What It Means for Your Financial Institution
Industry insiders believe that the BaaS middleware model, where a service provider aggregates fintechs and connects them with chartered banks, will experience further contraction. Financial institutions have realized these companies cannot handle regulatory compliance as promised.
A better alternative to outsourcing compliance to a BaaS provider is for financial institutions to manage all the compliance risks of their fintech partners. Such an approach gives FIs complete control over risk, governance, and compliance functions.
However, managing the risk of potentially dozens of fintech partners runs into another problem: community banks and credit unions lack the resources for all this compliance work. FIs might try to have their fintech partners foot the bill for work, but this arrangement soon becomes too expensive for both sides.
Fintechs also aren’t designed for the regulatory scrutiny financial institutions require to satisfy examiners. Fintechs' emphasis on the customer experience does not mesh well with intense regulatory oversight.
Community banks and credit unions need a sound fintech onboarding process. While there is not necessarily an easy way to make the most out of fintech partnerships without increasing compliance risk, financial institutions need to lean on technology to mitigate it.
Compliance officers do a great job in risk management, but they often run up against a limit regarding how many fintech partnerships they can reasonably oversee.
Financial institutions invest in technology to make the most out of their fintech relationships and capitalize on opportunities while avoiding the fate of institutions that have run into compliance issues.
To accomplish this, FIs need the following:
Risk Assessment Scoring – As with any third-party vendor, you want to know the level of risk a fintech or BaaS provider poses to your institution. With access to your core infrastructure and systems, the risk of fintechs or BaaS providers often falls within the critical category.
Document Collection and Capture – If you’re using manual processes to collect essential documents, such as SOC reports, compliance policies, business continuity plans (BCP), etc., from your BaaS fintech partners, you may be setting yourself up for a regulatory disaster. You need a comprehensive system for collecting, storing, and managing documents.
Real-Time Monitoring – Let's say your institution also partnered with the BaaS provider Synapse mentioned above. If you have a platform with negative news monitoring, you can discover and proactively react to any information in real time.
Updates on Regulations – Compliance laws and regulations can change quickly. You want a platform with regular updates on any impending regulatory changes.
Recent Interagency Guidance does not split hairs regarding financial institutions’ responsibilities in managing the risks associated with using third-party vendors. “The use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed safely and soundly and in compliance with applicable laws and regulations.” In other words, when fintech partners have a regulatory problem, the banks and credit unions they work with have a regulatory problem.
It would be nice if BaaS providers could vet fintechs on behalf of the banks and credit unions they serve, but this is simply not the case. Financial institutions must take a decisive role as quasi-regulators, consistently monitoring fintechs partners’ internal processes and controls by leveraging technology.
Safely Grow Your Fintech Partnerships