As Regulatory Scrutiny of BaaS Grows, Rumors Swirl
Banking-as-a-Service Providers Told to Slow or Freeze Client Onboarding, Sources Say
Hey all, Jason here.
Welcome to the 504 new subscribers who’ve joined since last week! And, thanks to the generosity of paid subscribers, Fintech Business Weekly made a donation to the Accion Opportunity Fund, a non-profit focused on supporting small businesses, including those typically shut out from traditional financing options.
The next organization we’ll be supporting is Justine PETERSEN, a St. Louis-based not-for-profit that serves as a port of entry to mainstream finance, equipping and empowering individuals and families with the necessary knowledge, tools and products necessary to build intergenerational assets and wealth. Fintech Business Weekly will donate 15% of net subscription revenue earned during July and August to the organization.
Existing subscriber? Please consider supporting this newsletter by upgrading to a paid subscription. New here? Subscribe to get Fintech Business Weekly each Sunday:
Crypto Capabilities Bring Engagement, Revenue, and New Users to Neobanks
Sponsored content: By the end of the year, more than half of the 10 largest neobanks will be offering clients cryptocurrency products.
So said Mark Daly, Vice President of Growth at Zero Hash, a B2B2C crypto infrastructure provider that offers a range of products including crypto trading and custody, staking, crypto rewards, and non-fungible tokens (NFTs). There are two main reasons for that, Daly said.
Zero Hash is a B2B2C embedded infrastructure platform that allows any platform to integrate digital assets natively into their own customer experience quickly and easily. Clients include MoneyLion, Transak, Deserve, Step, MoonPay, tastyworks, and DraftKings.
As Regulatory Scrutiny of BaaS Grows, Rumors Swirl
“Banking-as-a-Service” (or BaaS, for those in the know) has grown in popularity as a term, though, at the highest level, it describes product structures that have long existed: non-bank companies leveraging banks’ unique capabilities — usually, their license and all that goes with it — as a key part of their business model.
With the explosion of consumer fintechs and “embedded finance,” in which many non-financial companies began including banking-like functionality in their apps and products, a new market opportunity emerged: abstracting the complexity of partnering with banks.
These days, “Banking-as-a-Service” is generally understood to refer to (at least) two related but distinct models.
First, what might be thought of as “BaaS classic”, is the direct bank partnership model. In this approach, a startup works directly with a bank to design and operate a financial product, most commonly a bank account/debit card or lending program.
While the non-bank fintech in this approach (eg, Chime or Affirm) would own the customer-facing brand and user experience, its product design, marketing, and compliance infrastructure would typically need to be reviewed and signed off on by its partner bank.
The second key model, which really began taking off around 2018, is defined by a “middleware” layer that sit between clients — the companies building consumer-facing financial products — and the licensed, regulated banks. Examples of US companies in the space include Synctera, Synapse, Bond, Treasury Prime, and Unit.
The primary problem this crop of companies arose to solve was the slow, expensive process of building on top of banks’ legacy tech stacks. They were designed to appeal to product managers and software engineers at fintechs and non-financial companies looking to launch financial products more quickly and cheaply.
But it’s not only antiquated code and a lack of APIs that make it slow and expensive to work with banks.
It’s also the substantial work necessary for banks to onboard a new vendor, which, technically, is what third-party fintechs using their charter are considered. Due diligence can include everything from personnel background checks and understanding a company’s financial condition to verifying business continuity plans and information security policies.
BaaS providers that sit between their clients (fintechs or other companies adding financial capabilities) and banks generally take on many of these onboarding responsibilities, under the guidance of and in accordance with their bank partners’ policies (at least, in theory).
Why Banks Have Adopted the BaaS Model
For smaller banks, the appeal of BaaS programs has become obvious over time.
With about 5,000 chartered banks in the United States, most are small, local affairs. Of two key competitive advantages — geography and a bank license — one has been rapidly diminishing in its importance.
The silver lining to being small, however, is that these institutions are exempt from the Durbin amendment, making them logical partners for companies seeking to launch debit cards (primarily neobanks, like Chime, Aspiration, Current, etc.) and use uncapped interchange income to power their business models.
Banks that were early to the partner banking model, like Bancorp and MetaBank for debit programs and WebBank for lending, have been able to post impressive financial results by leveraging these “capital light” revenue streams.
As the fintech and embedded finance trends accelerated, particularly amidst the pandemic, more and more banks have clamored for a piece of the action.
How Does Regulation Work in BaaS?
Despite the increasing number of parties involved in delivering products and services to end users, who has the ultimate responsibility for ensuring compliance in BaaS programs is clear: the chartered bank.
This is true even though the bank doesn’t own the customer-facing user experience.
Ultimately, BaaS middleware providers, like Unit or Treasury Prime, and those creating the products and services offered to end consumers are both considered third-party vendors of the bank.
For any compliance-related functions they are fulfilling, like KYC during onboarding, transaction monitoring, or handling customer complaints, the responsibility (and risk) sit with the licensed bank.
Much of the regulatory guidance on due diligence for banks’ third-party vendors comes from an era when those vendors were service providers to the bank, rather than the other way around.
Think of areas like an outsourced customer service call center or a core banking technology provider — banks leveraged these kinds of third parties to serve their own customers.
In the Banking-as-a-Service model, that dynamic is flipped — banks are, essentially, service providers to BaaS platforms’ customers and to fintechs.
This entails different kinds of risks to the banks involved and necessitates developing new approaches to monitoring and mitigating those risks.
What Might Regulators Be Worried About?
In a word, everything.
At the highest level, regulators like the OCC and FDIC that oversee banks that power BaaS relationships, supervise banks to ensure the safety and soundness of their business practices and monitor their exposure to “reputational risks” — mandates broad enough that they could include putting the brakes on otherwise-legal business models.
More specific areas of concern could include how banks are ensuring compliance with Bank Secrecy Act and KYC/AML requirements, transaction monitoring, business continuity planning, informations security, UDAAP, how fintechs are marketing themselves, customer complaints, and countless other areas.
A common approach banks use to facilitate non-bank fintechs accessing payment services and opening accounts for their end users can complicate banks’ ability to ensure compliance.
With the use of FBO accounts (“for the benefit of”), a bank account is typically established in the name of the fintech client itself, rather than each individual end customer. Instead, fintechs create “virtual” accounts that they track on their own ledger.
Fintechs often favor this approach to working with banks, as it gives them more control over the UX and tends to make account opening easier and faster for end customers.
But it also means banks may have significantly reduced visibility into who is opening accounts and what they’re doing with them.
These risks are magnified by the number of fintech clients and their end users. For banks operating through BaaS platform intermediaries, there is an additional layer between bank and end user, further complicating the task of monitoring for compliance.
Whether or not banks have appropriate compliance systems and personnel in place to oversee BaaS partners (if applicable), fintech clients, and end users is likely among regulators’ top areas of concern.
BaaS approaches to delivering banking services to consumers are relatively new, and banks, BaaS platforms, and fintechs are, no doubt, taking varied approaches in how they address compliance challenges.
In the absence of clear expectations from regulators for how oversight should work in these relationships, some approaches may pass muster and others likely won’t.
Improved clarity on compliance expectations is likely to come in the form of supervisory exam findings, enforcement actions, and consent orders.
Signs of Increasing Scrutiny
As the number of banks offering services through BaaS models has multiplied, there are some clear signs regulators are taking notice.
A Due Diligence Guide for Community Banks Working with Fintechs
Last August, the OCC published a 20-page due diligence guide specifically for community banks considering working with fintechs. The OCC Bulletin announcing the guide states (emphasis added):
“Community banks may approach relationships with fintech companies in a similar manner as they would any other third-party relationship. During due diligence, a community bank considers how the fintech company may assist the bank in meeting its strategic objectives and determines whether the relationship aligns with the bank's risk appetite.
A community bank evaluates whether the proposed activity can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.”
The guide itself outlines six areas in which banks should be conducting due diligence on potential third-parties, whether BaaS platforms or consumer-facing companies, including: business experience and qualifications, financial condition, legal and regulatory compliance, risk management and controls, information security, and operational resilience.
Earlier stage startups historically tend to be focused on identifying product/market fit and achieving rapid growth, in order to raise subsequent rounds of financing. This increases the risk of under-investing in areas like compliance, risk management, infosec, and operational resilience.
Further, many fintech startups have young management teams or teams without any relevant experience, increasing the risk of gaps and oversights.
BaaS platforms specifically seek to enable non-financial companies to offer financial products within their applications. While in these arrangements the BaaS platform may provide oversight and domain expertise, the companies, which control the consumer-facing product, often lack any experience in financial services.
Modernizing the Financial Regulatory Perimeter
In November 2021, acting Comptroller Michael Hsu gave a speech at the Philadelphia Fed’s Fifth Annual Fintech Conference focused on “modernizing the financial regulatory perimeter,” including commentary on the potential risks of non-bank fintechs that have “synthetically” reassembled a full stack of banking services.
In his speech, Hsu stated (emphasis added):
“Today, a range of fintechs provide seemingly the full suite of banking and investment services—including in cryptocurrencies—with the convenience of tech.
These fintechs are reassembling the three legs of banking synthetically, outside of the bank regulatory perimeter. This is what I mean by the term ‘synthetic banking.’”
…and he continued, specifically highlighting Banking-as-a-Service by saying (emphasis added):
“To some, ‘banking-as-a-service’ is a harbinger of the future, in which the comparative advantage of technology firms to amass users shifts the bank business model away from consumer interaction and towards facilitation.
To others, these are simply ‘rent-a-charter’ arrangements, which allow fintechs to skirt a host of rules at the expense of customer protection and bank safety and soundness.
Thus, modernizing the bank regulatory perimeter cannot be accomplished by simply defining the activities that constitute ‘doing banking,’ but will also likely require determining what is acceptable in a bank-fintech relationship.”
CFPB’s “Dormant” Authority & Renewed Attention to “Rent-a-Bank”
While much of the discussion of regulation of banking-as-a-service focuses on banks’ prudential regulators, the CFPB’s potential involvement shouldn’t be discounted.
As a reminder, banks with less than $10 billion in assets and most non-bank fintechs historically haven’t been subject to supervisory oversight from the CFPB, though they do fall under the agency’s jurisdiction when it comes to enforcement actions.
But with the consumer protection agency’s recent declaration it would leverage its “dormant” authority to examine non-bank companies that “pose a risk” to consumers, fast-growing fintechs like neobanks, payment apps, and online lenders could see additional scrutiny.
Where these companies leverage an underlying bank, that bank could be drawn into any supervisory activity. BaaS platforms themselves could also be a potential target of the CFPB.
The CFPB has also recently upped its rhetoric on so-called “rent-a-bank” arrangements used by fintech lenders, particularly those using them to originate loans above states’ usury caps.
While the lending question is somewhat distinct from “banking-as-a-service,” the consumer regulator could see them similarly, particularly as fintechs like Dave (partnered with Evolve) and MoneyLion (partnered with MetaBank) offer short-term loans and as more BaaS platforms offer credit products.
State-Level Regulatory Actions & Press Scrutiny
Finally, there have been a number of developments that suggest regulators across state and federal agencies are paying more attention.
Examples include California and Illinois’ cases against Chime (partnered with Bancorp and Stride) for describing itself as a “bank,” Connecticut and Minnesota’s cases against SoLo Funds (partnered with Evolve via Synapse), numerous investigations into MoneyLion, DC and California’s cases against OppFi (partnered with FinWise, First Electronic Bank, and Capital Community Bank), and Blue Ridge’s failed merger with FVCBancorp (Blue Ridge partners with numerous fintechs directly and with Unit, a leading BaaS platform).
There also hasn’t been a shortage of press scrutiny, with Chime coming under the microscope for closing vulnerable users’ accounts with no warning, neobank customers having their cards refused by merchants because of the industry’s pervasive fraud problem, and reported bad behavior and questionable management at one BaaS platform.
Rumor Has It
Sources across the fintech and banking ecosystem — at banks, fintechs, BaaS platforms, VCs, and in the regulatory sphere — broadly confirmed significantly stepped up scrutiny, particularly from the OCC.
In conversations with participants across the ecosystem, there was a sense of, when is the other shoe going to drop?
Specifically, regulatory exams of Blue Ridge and Evolve, which have rapidly scaled their BaaS businesses both through platforms and direct relationships, have yielded “serious issues,” according to sources. It’s possible Blue Ridge’s issues led to its attempted merger with FVCBancorp being blocked, as well as bringing increased scrutiny on the sector as a whole (Blue Ridge didn’t respond to a request for comment.)
The impacts of the increased scrutiny include many banks slowing or ceasing to onboard new BaaS clients altogether.
Column, which made a splashy debut just three months ago after acquiring Northern California National Bank, has ceased onboarding new clients, multiple sources indicated (Column didn’t respond to a request for comment.)
Sources also indicated some banks are terminating relationships with BaaS platforms and fintechs, particularly smaller players where the risk/reward no longer makes sense.
Even for fintechs that are able to get or keep their banking relationship, they may face caps on how many end user accounts they’re able to open and strengthened oversight from their BaaS platform and/or bank, particularly around account opening processes and documentation.
Unit reached out to confirm temporary slowness in new client approvals on Blue Ridge and emphasized that there’s no effect on existing or new clients (Unit assigns new clients to banks that have capacity and currently works with five banks). The company’s approach to growing a sustainable platform includes having multiple partner banks, investment in compliance, legal and oversight (40% of current headcount), and turning down risky clients (like crypto or cannabis companies).
Column co-CEO William Hockey reached out and provided the following statement: “We are supporting our existing clients and onboarding new clients assuming they fit our risk and onboarding criteria. We are still a small team, and are only onboarding clients of a certain sophistication, size and industry - just like any bank is legally obligated to do. Because of this we've had to say no to a lot of amazing companies and potential developers, just like anyone who works in a regulated industry.”
Evolve Bank & Trust provided the following statement: “Evolve Bank & Trust takes compliance and regulatory exams very seriously and we expect all of our customers to do so as well. Evolve is not regulated by the OCC and has not been made aware of any exam or investigation that Evolve’s business practices are under scrutiny, or that ‘serious issues’ have been found in such investigations. We continue to onboard new clients and customers every day. Evolve’s reputation as an ethical and innovative business partner to fintechs is unparalleled.”
Where Things Go From Here
Given how much of this is unfolding behind the scenes, as part of banks’ confidential supervisory exam process, it’s difficult to get a sense of where this is going.
On the one hand, the worst could be over. Banks may have received feedback through supervisory findings and are in the process of remediating them, together with their BaaS platform partners and fintech clients.
But given the fragmented regulatory landscape, it seems unlikely all of the issues here will be resolved without spilling out into public view, in the form of enforcement actions and consent orders.
Particularly when it comes to consumer protection matters, the CFPB under Rohit Chopra has taken an aggressive turn. Fintechs, and their BaaS platform and bank partners, are likely to experience continued heightened scrutiny, particularly is it relates to UDAAP, high-interest lending, and those using Banking-as-a-Service to offer ‘novel’ product formulations.
Even if and when some of the current matters are resolved, any “new normal” is likely to entail more robust, and thus slower, more expensive, processes for operating BaaS partnerships.
Perhaps the best banks, BaaS platforms, and fintechs can hope for here is clearer rules of the road by which to operate in the future.
Mexican President AMLO Weighs in on Citi’s Banamex Sale
Mexico’s left-leaning populist president, Andres Manuel Lopez Obrador, is throwing a wrench in Citibank’s ongoing efforts to shed its international retail operations.
AMLO, as he’s popularly known in the country, said he wants Citi’s Banamex unit to go to a Mexican-backed company, rather than a foreign bidder.
Additional restrictions he is seeking to put on any potential deal include a prohibition on mass layoffs as the result of an acquisition, that any buyer be fully up-to-date on its tax obligations, and that Banamex’s extensive art collection remain in the country.
While Lopez Obrador doesn’t directly have the authority to impose conditions on any sale, officials that answer to him do. According to Bloomberg:
“Lopez Obrador doesn’t have the direct power to weigh in on the sale, but his finance officials do, as will the central bank and the country’s antitrust regulator. In addition to the informal influence the administration can wield, Mexican law allows any deal to be at the discretion of the presidentially appointed bank regulator, Barclays Plc analyst Gilberto Garcia said in a note.”
Contenders for Banamex include Banorte, Santander, Carlos Slim’s Inbursa group, mining baron German Larrea, and a small Mexican lender run by the current head of the country’s banking lobby.
Additional Signs Funding Environment is Cooling
New analysis released last week validate that the venture funding environment is continuing to cool.
A report from Crunchbase found that funding in Q2 dropped to some $120 billion — a significant decline from pandemic highs but still elevated compared to historic norms.
Crunchbase found late- and growth-stage deals were the most impacted, with funding dropping 38% compared to Q2 2021. Early stage funding volume dropped by 9%, while seed stage funding bucked the trend and actually grew by 9% year over year.
A fresh monthly report from FT Partners confirm those broad funding trends generalize to the fintech sector. Its report showed funding volume in June continued to edge down, though deal volume actually increased month over month .
Other Good Reads
El Salvador’s Bitcoin Paradise Is A Mirage (Nelson Zablah)
You Are Your Business Model (Fintech Takes)
How Banks Can Compete in the Post-Neobank Era (Ron Shevlin)
Contact Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Sponsoring this newsletter
Content collaboration or guest posting
News tip or story suggestion
Early stage startup looking to raise equity or debt capital