Hey all, Jason here.
I recently partnered with Cable’s Chief Product Officer Katie Savitz to present a Masterclass at the Empire Fintech Conference during NY Fintech Week. We profiled six recent developments impacting Banking-as-a-Service and how stakeholders can use technology to respond.
If you weren’t able to attend (or just need a refresher!), this podcast/post combo is for you!
(And extra great timing, as Cable today announced it raised an $11M Series A to automate effectiveness testing of financial crime controls!)
Six Key Developments in Banking-as-a-Service
The U.S. banking system is experiencing its greatest stress since the 2008 Great Financial Crisis and regulators are seeking to address risks being revealed. BaaS may make the banking system more resilient, but it also introduces new risks. Six recent developments shed light on how BaaS may evolve going forward.
OCC Office of Financial Technology. One explicit mandate of the OCC’s Office of Financial Technology – recently formally established and led by Prashant Bhardwaj – is to support “high-quality supervision of bank-fintech partnerships,” which portends continued regulatory scrutiny, but also opportunity for industry engagement with regulators.
OCC 2023 Bank Supervision Operating Plan. Further signaling the OCC’s increased focus on BaaS, the agency’s 2023 supervision operating plan calls for specific focus on third-party risk management and highlights BSA/AML risk.
Acting Comptroller Hsu 2022 TCH+BPI Conference Remarks. Acting Comptroller Hsu’s speech specifically addressed the growth of BaaS operating models. Hsu expressed concern about the growing complexity associated with BaaS and reiterated the primacy of “safety and soundness” concerns, while acknowledging opportunities from technological innovation.
November 2022 U.S. Treasury Department Report on Non-Bank Firms in Consumer Finance Markets. The Treasury Department report specifically flagged “new risks to consumer protection and marketing integrity” from fintechs and called for enhanced supervision of bank-fintech partnerships.
CFPB Invokes Dormant Authority to Examine Non-Bank Companies. While the CFPB is focused first and foremost on consumer protection, it has shown a willingness to use its authority to supervise non-bank entities that may pose a risk to consumers, potentially including non-bank fintechs and platforms.
OCC-Blue Ridge Bank Agreement. The OCC’s formal agreement with Blue Ridge – arguably the first major BaaS enforcement action – provided a wealth of detail about regulatory scrutiny of risks in bank-fintech partnerships, and areas of financial crime compliance tech stacks that may need uplifting.
Increasingly, growth and innovation in the banking industry are happening outside the banking regulatory perimeter and, for BaaS-focused banks, asset size is no longer a good reflection of risk.
With the sector’s growth now attracting more regulatory attention, to survive, all stakeholders need to adapt.
The era of banks onboarding fintechs with little to no insights is finished.
For bank-fintech partnerships to be sustainable, they must be done in compliance with regulatory requirements. While the knee-jerk response is to throw bodies at the problem, this is not only an expense but also has scalability limitations. Instead, a new approach enabled by new technology is needed to make these partnerships not only possible, but profitable.
The Compliance Problem for BaaS
Rapid customer growth and disaggregated responsibilities are primary drivers of compliance breakdowns. Both factors are especially prevalent in BaaS.
In BaaS, compliance teams used to managing one institution and their own direct customer pool now have to deal with multiple fintechs, each with their own controls and indirect customer pools.
This demands a whole new level of compliance capabilities. Many banking providers still rely on legacy systems and manual processes, but those are no longer fit for purpose.
As a result, regulators are already focused on this question for bank-fintech relationships: Who is responsible for what when things break?
The Fincrime Tech Stack & Why Effectiveness Matters
Over the last decade in BSA/AML compliance, banks and fintechs have added more controls, with little idea about how effective they are. Over $270 billion is spent worldwide each year on financial crime compliance, with the majority of that spent on people.
Despite this spending, less than 5% of accounts are tested to understand effectiveness. If banks can't even be sure how effective their own controls are, how can they do that for their fintechs?
But this same exact approach is being used in BaaS – partner banks are adding more fintechs with little idea how effective their controls are, even as the compliance challenges multiply.
Increasingly, regulatory pressure is demanding that you be able to “show, not tell” that your program is effective. Compliance teams need to ask: What part of your tech stack helps you answer questions about effectiveness?
In BaaS, technology solutions for oversight, monitoring, and assurance are essential. For banks, how do you know everything is working at all levels across your fintechs? And for fintechs, how do you reassure bank partners everything is fine?
How can you understand risk better?
The first key compliance task in BaaS is understanding risk better: banks’ own risk, fintechs’ risk, and how fintech risk impacts banks’ risk. Below are practical tips and steps to achieve this:
Review your own risk assessment more than annually, as circumstances can change quickly in BaaS.
Update your risk assessment when control failures are discovered, so that you can discuss priorities with senior management.
Leverage available risk assessment technology solutions to get out of spreadsheets and onto a smarter platform with better workflows.
Banks should require fintechs to perform a risk assessment using the same methodology and should collect standard information and documents from each fintech, in order to compare and understand risk across the bank’s fintech portfolio.
Fintech risk assessments should also be easily updated for changes in circumstances at the fintech level.
Consultants can provide templates and methodologies, and technology platforms can help with document collaboration. Cable also offers the ability to collect company information and documents, and conduct the same risk assessment for each fintech.
Bank and fintech risk
Banks should incorporate their fintechs’ risk into the bank’s own risk.
Banks also need to understand how each new fintech affects their current risk profile and any impacts to their risk appetite.
Some compliance teams have built out complicated spreadsheets with the help of consultants to do this. Cable also offers the ability to roll up fintechs’ risk assessments into a bank’s risk assessment.
How can you improve oversight and monitoring?
The second main compliance task in BaaS is oversight and monitoring of controls. Below are practical tips and steps to improve these processes:
Banks and fintechs should have a shared understanding of the controls in place at each fintech.
Banks should request a controls register as part of standard onboarding documentation collection from fintechs.
Assess control effectiveness
To the effectiveness point, partner banks must sufficiently monitor and test accounts to understand how all the controls are working at the fintech level.
Key questions to address include: What data is needed by the bank to conduct oversight? How will data be sent or received in a timely manner, and in what format? If supplemental data or information is needed, how will the bank get that promptly? What does each of the bank and fintech need to do to facilitate data sharing?
Both banks and fintechs need to have a team and technology to handle this monitoring, especially as the bank's fintech program scales.
Technology like Cable offers automated oversight and assurance processes to identify regulatory breaches and control failures in real-time across each fintech.
Fix and report issues
Banks and fintechs need to remediate and report any issues promptly after they happen, instead of finding issues months later in periodic audits.
Banks and fintechs should ensure they have shared issue management tools that give visibility to both sides, as fintechs will most often remediate issues.
Banks and fintechs should define roles and responsibilities, and have shared understandings of issue prioritization, so the right issues receive proper attention.
BaaS is here to stay, but operational work will overwhelm banks and fintechs unless automated effectiveness testing becomes commonplace. Partner banks need to deeply understand their requirements and deploy technology solutions to enjoy the trifecta of full compliance, resource efficiency, and fast onboarding to grow their fintech programs.