The quickening waves of consent orders slamming into financial institutions engaged in banking-as-a-service is spurring change among banks who want to get it right.
"The number one takeaway for banks has to be that banking-as-a-service is not the silver bullet many of them thought it would be for deposit gathering," said Jason Henrichs, founder and CEO of community bank consortium
Banks are
At the same time, crackdowns on banks partaking in BaaS are on the rise. Financial institutions including
The challenge for the institutions engaging in banking-as-a-service, or BaaS, "is that most regulation and guidance for BaaS is coming via enforcement instead of clear, consistent communication and formal guidance from regulators," said Phil Goldfeder, CEO of the American Fintech Council, which counts BaaS-oriented banks among its members.
To get it right, banks must rethink their risk and compliance practices as they relate to BaaS, from automated monitoring to being selective about which tasks they delegate to third parties, if any.
Fintechs that jump ship to more stable sponsor banks need to prove they have a solid business and take compliance seriously.
The $6.2 billion-asset Five Star operates its own BaaS platform, where the customer records and accounts of its fintechs are onboarded directly onto Five Star's core. In addition, Five Star uses Unit, an embedded finance platform that helps companies launch banking products, and Helix by Q2, another embedded finance platform, to support its work with other partners. But Five Star still has direct oversight over a company's customer onboarding, account opening and transactional activities on these alternate banking cores, and discretion over which partners are brought on board. The bank believes these two companies complement its internal risk oversight and controls rather than serving as middlemen, and emphasizes that most of its partnerships are direct.
"Fintechs are happy to see we started our journey as a direct program rather than indirect," said Abraham Rojo, head of digital banking and BaaS at Five Star. The bank's fintech clients need to follow Five Star's know-your-customer standards and allow for full oversight over their compliance practices and product roadmap. As a result, Rojo does not anticipate having to make changes in light of heightened regulatory activity in this space.
"We do not cut corners," he said.
Coastal Community Bank, which has $3.8 billion of assets, is exploring ways to improve its technology infrastructure to better manage its BaaS relationships. The goal is a ledgering system that operates in real time and handles complex product changes that come up in BaaS, such as the higher transaction volumes that occur when a fintech client has a debit roundup program, and the asynchronous nature of dealing with multiple systems of record.
Curt Queyrouze, president of Coastal, expects that putting such a system in place will necessitate both building and buying.
"The recent consent orders have only served to accelerate our plans, but we haven't had to change course," said Queyrouze. "We set this plan in motion in 2022."
There are other steps banks can take to put themselves in a better position. One is more consistent compliance monitoring.
"I've had several conversations recently where banks are getting into banking-as-a-service and they realize they might be good at risk and compliance for their existing business, but that's very different from being good at risk and compliance in managing someone else who is also managing risk and compliance for the end customer," Henrichs said. "That kind of channel relationship is different from a direct relationship with the customer."
He also foresees an uptick in tracking.
"Increasing regulatory scrutiny, the prevalence of consent orders, and shifting expectations on oversight will drive a need for new approaches and tools to deliver monitoring of entire programs in near real time," said Henrichs.
One company that Alloy Labs invests in, Themis, has developed a communication platform for banks and fintechs to draft and finalize policies, store documents, collaborate on sales material, track vendors and more. When Themis debuted in the middle of 2021, founder and CEO Neepa Patel noticed a trend of banks accelerating fintech onboarding. In 2023, that gave way to ongoing and periodic monitoring of existing fintech relationships.
Banks primarily use Themis to review a fintech's marketing materials, receive complaint logs and inquire about information technology, business and other changes. The last one has seen a particularly sharp rise.
"Most banks weren't doing this originally, and now almost all are to demonstrate they are monitoring fintech risk," said Patel.
Adam Shapiro, a partner at Klaros Group, sees value in banks running automated, ongoing tests to check for compliance, which could include using software that checks that all new customers have been through a Customer Identification Program and sanctions screening. Some BaaS banks use Cable, a financial crime management platform, for this task, he said.
"Using software that focuses on compliance outcomes on an ongoing basis provides much greater assurance to banks about client controls than approving policies upfront and then conducting annual or quarterly sample testing," he said.
Shapiro also sees wisdom in banks taking the reins of operational controls rather than leaving it up to their partners.
"Five years ago, it was common for banks to expect partners to conduct automated AML transaction monitoring and report results to the bank in cases where the bank may need to file a SAR [suspicious activity report]," he said. "Now, the leading partner banks get the underlying data from partners and do the automated monitoring themselves."
Rafael DeLeon, senior vice president of industry engagement of risk performance management software provider Ncontracts, has heard that regulators are asking more questions about fintech partnerships to understand their place in each bank's overall strategy.
"They want to ensure that banks have a well-defined rationale for these relationships beyond short-term revenue streams," he said.
He finds that banks are feeling pressure to conduct more frequent reviews of fintech partners.
"The bottom line is that banks working with BaaS providers are worried," he said. "They don't want to be the next headline and are thinking about how they can best demonstrate to regulators that their fintech partnerships are strategically aligned and diligently managed."
Because official guidance is still murky —
"I do believe that the agencies, specifically the FDIC and the OCC, already have a work program that has been developed and they are using with their examinations," she said. "I have been told by banks that there are 'specialists' in these partner arrangements and these 'specialists' are being allocated to examinations with banks that are actively engaged with partners."
As a result, she recommends that banks read all publicly available regulatory actions against financial institutions that operate in this space and build a checklist for themselves.
She also recommends that even small banks build an enterprise risk management framework.
"Most banks in the U.S. don't develop an enterprise risk management framework until their balance sheet is in the eight billion dollar range," she said. "The banks engaging in these activities with partners need to think about building that framework out sooner."
Banks may also wonder about the value and stability of middleware providers. Synapse, for instance, laid off nearly half its staff in October after one of its partner banks, Evolve Bank & Trust, and a large fintech client both broke ties with Synapse and decided to work together directly.
There is the question of, "now that banks know BaaS is under greater scrutiny, is that actually a responsibility that [they] can offload to a third or fourth party?" said Henrichs.
"What I hear more and more is when banks have more developed relationships, and as the fintech gets more mature in their product offerings, they'd like to go direct," said Clayton Mitchell, principal at consulting firm Crowe.
The American Fintech Council does not currently accept middleware providers as members.
"It's important as an association that represents the biggest BaaS banks to demonstrate a clear message that we represent regulated entities and not further confuse the BaaS ecosystem," said Goldfeder.
Ultimately, direct access to a fintech client may be best.
"If you're going to do this type of partner business, you need to know as much about the products and services of your partners as if they were your own products," said Shapiro.