The price of investing in the technology and people to make banking as a service run smoothly is mounting, as are
There are nonmonetary costs as well. Banks must navigate more rigorous and nuanced questions from their regulators, "who want the banks to explain the fintech as they would explain their own consumer checking accounts," said Bryan Mulcahey, a managing partner at financial services consultancy FS Vector.
That should trigger
While the federal banking agencies are not changing any current rules, they issued a joint statement Thursday cautioning banks about risks in third-party deposit partnerships. They are also seeking public input on bank-fintech partnerships more generally.
"Every bank has to look itself in the mirror and ask the hard questions," said Konrad Alt, a partner at Klaros Group. "Do we have what it takes? If the answer is no, the next question is, what is it going to cost us to get there? It's all achievable at a cost."
Due diligence ratchets up
In the wake of
"In my experience, there is always some tweaking," said Alexandra Barrage, a partner at Troutman Pepper.
Leaders across the bank — from
To prepare for the more granular questions that are seeping into exams, Barrage recommends that banks engage in mock exams and analyze their weak spots.
"That kind of exercise has happened outside of banking as a service but more banks are thinking about it as a way of pressure-testing themselves," said Barrage.
Contingency planning also doesn't get enough attention.
"Most banks think about contingency plans in terms of cyberattacks, but they need to broaden their thinking," said Barrage. "Third parties could file for bankruptcy. They could hold the keys to customer data and reconciliation of accounts."
A wind-down exercise should determine how a bank would access its fintech partner's transaction monitoring system, customer complaints and more. Before
Coastal Community Bank in Everett, Washington, has conducted nine real-life fintech wind-downs already, which it says were successful.
"We have had the practice in making sure there is no harm to the consumer or small business," said Curt Queyrouze, president of the $3.9 billion-asset bank.
Financial institutions should also consider what differentiates them from other banking-as-a-service banks — say, an expertise in small-business lending — and approach new ventures carefully. Sunrise Banks in Saint Paul, Minnesota, specializes in prepaid debit cards, demand deposit accounts and consumer lending. It is planning to launch credit card issuance as well, but has spent the last year and a half preparing.
From the
"When describing how long something will take, startups and banks work on different time horizons," said Ravi Mikkelsen, co-founder and CEO of Atmos Financial, a nonbank company that invests customer deposits in solar and climate projects. "For a bank, 'not that long' may be several months, where for the fintech, it is days."
Finally, vetting a potential fintech partner should go beyond their financials to their professional reputations.
"We've looked at some banks' existing customer portfolios and said, why would you onboard some of these companies?" said Mulcahey. "Their answer was, there was a decent amount of money in the bank and they gave us a compliance program. Our response was, if you had asked anyone in industry whether to work with these characters, they would have said no."
Does banking as a service require a separate unit?
Experts, and bankers themselves, disagree on whether a dedicated team is necessary to manage banking as a service responsibly.
For Barrage, the bigger focus should be on internal stakeholders understanding the specific risks associated with banking as a service.
"In general I don't think these relationships raise any new types of risks," she said. "If the existing compliance team has a granular understanding of all of those risks, it's not clear to me that every bank needs to have a BaaS-specific compliance team."
Mulcahey feels differently.
"Don't try to use your existing compliance program to cover banking as a service because it doesn't stretch well," he said. For instance, the bank's existing anti-money-laundering or fraud transaction monitoring systems may not carry over sufficiently because they are built for the bank's existing customer base and do not account for the unique set of rules that a fintech — especially with a niche, such as payroll or workplace benefits — may require.
Overall, he recommends that one relationship manager not cover more than five fintechs, and that one person on the compliance side is responsible for three to five fintechs.
The financials could get muddled as well if the banking-as-a-service program is operating under the broader umbrella of the bank. It may be hard to recognize how financially viable the business is if legal and staffing expenses are commingled.
"[The bank] needs to understand that if something changes, is this still a good business to be in?" said Mulcahey.
The next puzzle is finding specialized talent.
Mulcahey recommends taking top performers from the existing bank compliance program and turning them into the banking-as-a-service team, then backfilling the roles they vacated.
"There are not a ton of experienced bank compliance people out there with banking-as-a-service skills," he said.
Alt suggests that community banks — frequently the purveyors of banking as a service — seek talent from regional banks.
"The challenge is, they often have significantly higher pay scales," said Alt. "You may have to pay more for this talent than you are used to."
Banking-as-a-service banks themselves have different stances on whether they separate units for this work.
Lead Bank in Kansas City, Missouri, has 185 employees. It operates as one unified institution. But it constructs cross-functional "pods" to oversee each of the bank's 30-odd fintech partners, with employees representing product, engineering, design, compliance, legal, audit and financial reporting assigned to each pod.
Many of these hires have once built products in fintech or been immersed in engineering, "so they know what to look for and the likely mistakes that will happen," said
The $2.3 billion-asset Sunrise assigns different compliance teams to its core bank products and to its fintech program, overseen by one director. But it has a single team handling Bank Secrecy Act and anti-money-laundering for the entire bank.
"In that area, you need a global overview of relationships," said Teri Hodgett, the bank's chief risk officer.
Coastal Community's CCBX division is dedicated to banking as a service and comprises more than 100 employees who are responsible for processing payments between Coastal and its partners, record-keeping, providing customer service to its fintech partners and serving as first line of defense oversight for compliance and auditing. The same risk and technology teams handle both banking as a service and Coastal's core banking activities. To find people with the right expertise, Coastal will hire remotely.
Calculating the costs
"There is some assumption that getting into BaaS is an easy way to get deposits, and it's not," said Hodgett. "Your overhead cost is going to increase if you want to do it correctly."
Sunrise Banks invested in a separate AML monitoring system for its fintech programs, and "they are not cheap," said Hodgett. But Sunrise plans to combine AML monitoring for its core activities and its fintech programs into one system, likely next year, to account for the small degree of overlap between bank customers and fintech program end users.
Sunrise has built some of its own technology and looked into buying other products to automate certain processes. It uses software to collect and review partners' marketing materials. Its risk team is exploring technology that helps the bank communicate and trade documents with its partners more efficiently. The bank has built data warehouses to house information from its fintech partners and its own Office of Foreign Asset Control monitoring system with fuzzy logic to perform periodic OFAC scans on its fintech customers.
Lead Bank provides its fintech partners with APIs for lending, card issuing, accounts and money movement functionality, so they can, for instance, originate loans to their end customers.
Coastal has invested in cloud computing, namely Microsoft Azure and Databricks, to remain nimble in its banking-as-a-service business and share data between itself and its partners more efficiently.
"Be prepared to take a lot of the money you make initially and invest it back into your infrastructure," said Queyrouze.
