The BaaS Model: Navigating the Future of Regulatory Compliance in Fintech Partnerships

As fintech partnerships and BaaS models reshape the financial services industry, understanding the regulatory implications of these innovations is crucial for ensuring compliance and fostering sustainable growth. This session will provide an in-depth look at the evolving regulatory landscape surrounding fintech partnerships and BaaS, discussing the challenges and opportunities they present.

 

Among the things you'll learn:

  • Best practices for managing regulatory risks.
  • How to navigate compliance complexities.
  • Best practices for building robust partnerships that align with regulatory expectations.


Transcription:

Chris Napier (00:09):

Thank you everyone for stopping into our session here on the future of the banking as a service model. Now, I think a lot has happened since we originally proposed having this session back in 2024 with the change of the calendar year to 2025. So we've rejiggered a few things and done more of a focus on what is in store in the road ahead and what does that mean in terms of when we think of a compliant BaaS program and having an effective risk management framework in this new potential era that we're going into. Now, to start with some stage setting here, I think it's useful just to define exactly what we're talking about. So I think a lot of times BaaS is used almost interchangeably with embedded finance, but they are two distinct things. So with banking as a service, and please pardon for those who have heard this a million times, but it is where a bank usually with the assistance of some intermediary, provides access to core banking functions and systems to a FinTech to enable the FinTech to provide new innovative financial products and services, essentially allowing the FinTech to act as a form of financial institution in its own right.

(01:42):

And this is distinct from embedded finance, which is really more the bank offering banking services to typically non-financial companies in order to allow them to facilitate transactions with their customers directly within their own platform. And one of the key distinctions other than the use case is there is often much more of a direct relationship between the bank and the FinTech involved as well as with the FinTech's own customers. Whereas in the embedded context, the bank is often really behind the scenes and oftentimes invisible. But similar to embedded finance or any of these other kind of tech-based models, banking as a service involves a really complex ecosystem of, or usually a complex ecosystem of various stakeholders here. And I think Ruby, coming from a depository, you probably have the most visibility into kind of who these people are, at least the most critical ones.

Ruby Kaur (02:43):

Yes, that's right, Chris. And typically in any banking as a service model, when you think about the two key participants in such a partnership, it's typically you have the regulated financial entity, which is the bank, and they are typically sponsoring and acting as the acquiring or issuing bank for the FinTech. Who is that partner on the other side of that BaaS model? And as Chris mentioned, the bank really then allows that partner or the FinTech to enable a lot of the transactions for their end customers. So two main components for a successful BaaS relationship is that the financial institution that is regulated, and then the FinTech themselves. And of course in the middle there could be a slew of other stakeholders. There could be a processor involved who are moving the transactions, the bank is settling them. You could have third parties and fourth parties and some middleware as well. But technically it is usually the bank and the FinTech who are the key participants in BaaS. Yeah.

Chris Napier (03:43):

Yeah. And I think keep that in mind. I think it informs kind of the rest of what we'll be talking about later on. But now before we jump into what I'm sure you actually want to really hear about, right, which is the future, I think it is important to just kind of take stock of the environment that we may very well be leaving at this point. So what has that environment looked like in terms of bank partnerships? I think in the most succinct way possible, it has been a lot of regulation by enforcement. We will get into this a little bit more I think in terms of how different it really is going to be. But what we saw over the past four years has been consent orders and supervisory actions against partner banks, primarily focused on alleged BSA/AML program lapses, safety and soundness oversight lapses, sometimes oversight issues that presumably allowed a FinTech to violate consumer protection laws, et cetera. So you saw a lot of consent orders mixed with some, to be honest, fairly vague guidance around that you should treat these as third party, as third parties, and manage them accordingly and basically apply what you've already been applying to third parties. It has not been, at least in my view and in a lot of banks that consult with us, particularly helpful in terms of telling them what to do or how to think about these things.

(05:27):

And then also in 2024, I think what we also saw was we began to see changes to rules or at least proposed changes to rules that were really getting at bank partnerships. So proposed changes to broker deposit rules, et cetera. And what those proposed changes were really trying to do was enhance scrutiny even further. And for a lot of banks, it also makes those programs even less attractive. But I think it's important to keep in mind that whatever you think about the way that the regulators approached this, they were addressing very real risks. What they were trying to do was ensure that everyone was acting in terms of a way that was conducive to safety and soundness. They saw risks which are very real risks, and they might have taken an approach that was not particularly helpful, at least the way that I think about it. But it's important to keep in mind that those risks are real, and we have seen how those risks can translate into fairly spectacular failure. But given all of that in that context over the past four years, how has that affected the way that stakeholders approach bank partnerships, at least in the past four years?

Ruby Kaur (06:55):

And maybe I can start on that. As Chris mentioned, the last four years and more so the last two years has really paved the path for a lot of new innovative products and services being a part of it. Given the BaaS model and the participants that we just mentioned, that FinTech bank relationship has come under scrutiny. In, I believe it was June or July of 2023, the OCC released an interagency publication whereby they basically put fintechs under the third party risk management policy. That is how the banks are required to ensure that they are managed appropriately. Those kinds of things that are new right now. So now you're in a whole completely different playing field where once the regulators weren't quite sure how these relationships work or what the BaaS model looks like today, now they're actually saying, this is how we would like you to do it, or this is what we would expect.

(07:49):

You guys need to figure out the how. That has sparked a lot of debate over the last couple of years and since that release of that publication around a lot of the risks surrounding BaaS, inherent to BaaS, given those consent orders that have been raised, given a failure of a major FinTech in May of 2024, given some of the regional banks enforcement actions or are these types of risks really preventable? But right now that scrutiny is really, really high. But if we think about it, it's we then need to take a step back, not just from a banking institution, but as a FinTech partner to the bank. It's enabling us to take a step back and relook at and re-strategize our risk and compliance frameworks whilst the regulators have a certain requirement of us, how do we build that infrastructure? How do we build that solutioning?

(08:49):

And it's the marrying of the two now, which once upon a time banks were a little disintermediation, risk was important to them. They're like, fintechs are coming in, they're coming into the banking arena only for them to realize, well, the fintechs can't keep up with the regulatory requirements and the adherence that is needed of them, hence why they need the banks. So all of a sudden they went from being disintermediated, they being the banks, to having this little marriage with the fintechs, hence now the requirements, the oversight, what do we need to do in that partnership? So all that to say is that that extreme scrutiny that we are still seeing and facing today only enables both the bank and that FinTech and the partnership between them to just take a second look, right? How should we build a risk and compliance and what is it all that we need to do, taking lessons learned from some of these consent orders and some of those failures. So I think it's very important to say here, there's not a one-stop shop solution to this. It's how that partnership forms to become what it ultimately needs to.

Chris Kushmider (09:59):

Piggybacking on what Ruby was just saying, these arrangements, they have to be structured in a manner where the bank exercises control and oversight over the FinTech. The FinTech is not a regulated entity itself. It doesn't understand the regulations or requirements that the bank is subject to. These are structured as service provider relationships very frequently. So the bank is in charge of overseeing the FinTech and then the contract bears that out in certain ways. But to what Chris said, it's fuzzy. Banks and fintechs have been trying to navigate how to draft these agreements so that they appropriately reflect the requirements under the OCC and interagency guidance from the prudential banking regulators. And so you see things like the oversight plays out, for instance, in terms of monitoring, getting reporting from the fintechs on a regular basis, the fintechs being subject to third party audits for their BSA/AML especially, but also just their general CMS, their general compliance with other laws that may be applicable to that exact program.

(11:17):

And so it's arrived at this point where although there's some variation with how these agreements read, there's a consistency in terms of oversight. There's a consistent theme of the bank exercising control, the bank having the right to maybe throttle the activities under the program if it's starting to present all kinds of risks, not just legal risk, reputational risk, risk of all flavors. And so that's how the guidance has started to become enacted in these agreements. And that's what we see out there. When there are these enforcement actions that come out, you see where things are breaking down in that process when there's not a lack of BSA/AML oversight. And it may not be a contract deficiency, by the way. It might just be something else. The contract may read perfectly well, but in terms of executing on the contract, executing on the bank's rights under the agreement, that's where there's slippage. That's where there are issues that arise.

Chris Napier (12:25):

Yeah. Yeah. I think one of the things I want to mention too, and at least acknowledge is for the banks that have figured this out, and I think your institutions and one of them has a really strong program here, I think what they've learned is that lesson, which is the regulator is not there to tell you what to do. The regulator is there to ensure a particular result, but that message I think has been muddied with the way that it's been communicated over the past four years where I think a lot of banks that have been on the sidelines have thought of this. There must be some magic formula that they're expecting me to follow, right? They just won't tell me.

(13:09):

And there's also a lot of banks out there that I think are very interested in this, at least among my clients, but have stayed on the sidelines because they just don't want to deal with the headache of the extra attention this brings from a regulatory standpoint. And they don't want to be the next bank that has this consent order against them for having what the regulator has kind of thrown out there as a lousy BaaS program. And so if we fast forward to today and what has been going around in terms of policy ideas, I think what we have been hearing from nominees from acting heads right now, the agencies has been a message that that is going to change. And I think we will mention a little bit, or at least I'll mention a little bit in terms of what I think it really, really means brass tacks.

(14:03):

But what we have been hearing is we are going to pull away from regulation by enforcement. We are going to provide clearer guidance. There has also been, and this is specifically in the context of BaaS, Travis Hill, FDIC, he has mentioned this specifically in terms of bank partnerships, but this is something that sort of concept has also been echoed across other agencies as well. And there's also been talk about during supervision, just more broadly of focusing more on results and adherence to principles rather than check the box exercises and process and also revisiting certain rules that like the broker deposit rules, like the proposed custodial records, custodial account records rule to try to make these more right size to spur innovation rather than constrict. So I think these are great things that we're hearing now, but I wonder, given some of what we're hearing out of Washington now, do you see a real change in the way that stakeholders might be looking at this now? Do you think that this presents more opportunities now down the road?

Ruby Kaur (15:29):

I would say from a banking perspective, look, I think any administration coming in changes the rules from a bank's perspective. Regulation's never going to go away. The oversight requirements are never going to go away. And here's how it's akin to saying because of the administration changed doesn't mean the risk changed, the risk didn't go away, nor did the risk shift. The processes, the controls, the ecosystem that has been built out upon existing robust foundation of your controls and policies and procedures from what has all of that's been guided from the prior four years and the prior administration, that still stands. And we shouldn't really lose sight. No one's taken the foot off the gas and nor should they, regulations will come and go, they will change. I think at a minimum there is a requirement for that adherence. So the short of it is from a banking perspective, certainly not being flexible or saying, oh, well now it's a little lax.

(16:32):

I have a little bit more freedom. We have the latitude to build our risk and compliance frameworks and programs as we see fit. What I would also add to that is, again, it doesn't matter who or what the administration is. We, at least with Huntington Bank, we are very aligned with our regulators. It's that open transparency. It is the periodic touch bases. It's the conversations we have with them and when they adjust their regulations in their requirements, we make sure that we are adhering. And it's not a knee jerk this is going to happen that we do that. It's not that. It's a very close alignment and a very close relationship we have. And also ensuring in every bank is different. What you are doing and building, when you're launching new products and services in your institution, you've already had the fundamental risk and compliance programs built out to enable that growth within your set risk tolerance for the bank. And every bank has a different risk tolerance, so you've got to look at it a little bit more broadly and across the board. So all that to say really is as the administration changes, we'll very closely keep an eye on what the new requirements are, but at a minimum, we will continue to build out on what we are required to do from a risk perspective in monitoring our relationships with our fintechs under the BaaS model.

Matthew Meyer (17:59):

Yeah, I think internally also, there's going to be a lot of shift in focus on the compliance side of things. I mean, with the current administration taking a lot of focus from traditional finance and bringing it over to the crypto side of things, we're seeing some changes in how much enforcement we're going to predict in the future, and they're going to bring a lot of that focus to go figure out how to regulate other industries. It's not necessarily saying that we're getting a little bit of a hall pass or a freebie to lighten up on things. But what I do predict in the future is that this general shift in focus with the current administration might trickle down to some of our business leaders within our institutions, and we might see a lessening of some internal resource or support from other business leaders with how we're going to enable compliance to do our jobs best. I do see one challenge in the future of compliance having to do more with less. And I do see an opportunity with us to embrace technology a little bit more. I mean, there's always been some hesitation in leveraging newer technologies, whether it be AI or new products in the market. But I think since the current administration is embracing a lot of this technology, we're going to see a lot more approval or acceptance of using these new technologies as well.

Chris Kushmider (19:24):

Coming at it from the perspective of how these arrangements are structured from a contract perspective, what I do a lot of work with is negotiating the underlying bank partnership agreement, and we work for both banks and fintechs. So we come at it from both sides of the coin. And you could say, well, if you're the bank, these agreements are structured very purposefully to shift risk away from the bank wherever possible in general. And so I don't see that. I don't see that changing. I don't see the banks obviously wanting to relinquish any of that. Now you might start getting arguments from the FinTech side saying, well, we have to reevaluate this clunky old agreement that you drafted two years ago because everybody got scared of Blue Ridge Bank or something like that. And can we be flexible in terms of how this works? Can we, do you really need all of this reporting that we're going to have to set up in order to establish this program?

(20:26):

Do you really need five different flavors of third party audits that we have to get every year? Those are the kinds of questions that the fintechs might start asking, and it's a fair time to reevaluate how the terms read. But again, I think when you're coming at it from the perspective of the bank and the bank is often going to hold the cards in these negotiations, they're going to be less willing to change the way that these are structured. And so I don't necessarily see a lot of immediate changes, but I think it's also going to be the case where if you have some bellwether banks that do start changing the way that they're doing these, it's going to flow down throughout the whole ecosystem because everybody's going to want to do what somebody else changed the way that they're doing this. There's going to be a move to adopt that by other banks. But the question is at what point does that actually happen and what exactly does that look like? And that's just going to be borne out by negotiating these transactions moving forward. And it's sort of an open question as to where that might come out.

Ruby Kaur (21:39):

And Chris, if I may just add to that, I think it's important to also note whether it's yesterday, today or tomorrow, what a fact remains is when you go into a BaaS relationship between a bank and a FinTech, just be very transparent and upfront right at the beginning, level set expectations. The last thing that you want anything to happen is that there's a commitment made to a client and there's an assumption made that, oh, regulation has now simmered down a little bit under the new administration. We're going to be great. They're not going to ask for this. That's not necessarily true. As I'd mentioned, banks already have very bolstered processes in place. There's no laxing on that right now at all. So really have that upfront. I mean, it's a given, like I said, we should already be doing this, but even in light of where the regulatory environment is moving into, be upfront with that relationship, it's only going to maintain a healthy balance and partnership as you progress in that BaaS ecosystem. It's a very long journey. It is both for the bank and the client upfront, be transparent, level set on expectations, and just make sure that everybody's on the same page so we know what's coming next, they know what's coming next. And I think that's going to be very critical, especially more so now. So you are eliminating any type of assumptions that can come up.

Matthew Meyer (23:01):

And with these partnerships, I think there's a lot of mentality around the current administration and how to operate in the future. And as you said earlier, don't take your foot off the gas pedal when thinking of compliance.

(23:16):

The Patriot Act isn't going anywhere. It's not getting redacted. It's here to stay. And just as we look back four years at the state of regulatory compliance in the administration four years ago, and we look at the state today and we know in another four and eight years things are going to shift again. So the pendulum swings one way and it swings back again. And so you always have to essentially be ready for whatever changes do come. And just because there might be less enforcement today doesn't mean that you shouldn't have a bulletproof audit trail on everything that you're doing.

(23:52):

And aside from that, compliance doesn't have to be a regulatory exercise. I mean it really leads to protection of the brand. There's still reputational risks that loom large, and there can be media backlash even with less enforcement. I mean, we've seen it with independent journalism, with ICIJ and with the Panama Papers, things can still happen regardless of what enforcement actions might be taken and end of day, don't forget that aside from meeting regulations and checking a box, our jobs are to ensure that consumer confidence is there behind the brand and good banks understand this. So just make sure you're operating like a good bank and a good FinTech. And that's usually where we see the best brands come out through the other side of the storm, is fintechs and banks that really doubled down on compliance and used it as a competitive advantage.

Ruby Kaur (24:50):

And really taking lessons learned right from the enforcement actions that have already been put out there. They're not in the rear view mirror. They should always be still at the forefront of everything that the banks build out. They don't go away. They don't just disappear because administration changed. So nothing should be rear view mirror. It's all how do you build upon that?

Chris Napier (25:10):

And I think it's important to remember that about that pendulum swing, right? It inevitably goes in both directions. And when someone gets in trouble, when someone has issued a consent order, it is not for the current state of the program. It is for what happened in the past three or four years. So what happens now when the pendulum swings would be the subject of the next round of consent orders later. But that's not to say that means there's no difference, right? So I'm glad you all brought up in terms of that. This doesn't necessarily mean that we need to or we should be taking our foot off the gas, but it is a meaningful change, I think in terms of the tone that we're hearing now. And to me, it seems to signal, and I know Ruby, you don't like the word flexibility here, but from my perspective, this does seem to signal to me that there will be a greater degree of flexibility, not necessarily, it doesn't mean flexibility to violate the law. It doesn't mean flexibility to ignore safety and soundness. It's not flexibility to just pretend that these things can't go upside down. But it is a different kind of flexibility, I think mean. So do you see, even though if we're not taking the foot off the gas, what might change in terms of how people approach things like risk management?

Ruby Kaur (26:48):

So you're right, I don't like the word flexibility. So flexibility for me is just saying we have the latitude and the leeway to build the right risk and compliance solutions, framework and infrastructure. It's hard to really say what would change. What I can only really do is reinforce the fact that build upon what's already there that has foundationally been implemented and put in place to enable success for our clients. At the end of the day, it is around client impact or customer impact also. But in the BaaS ecosystem, that entire risk resides with the bank. It's a very different type of relationship. So we as the bank are enabling those fintechs, as we said at the top of this meeting, for them to enable their customers to process transactions. And they're doing that on our license. So with that said, it's you already have a foundation in place to enable that type of activity to take place in the BaaS ecosystem.

(27:56):

Nothing really should change other than to improve it further. So it's having the latitude to maneuver what you already have with the intent to make it more strong rather than assume there's flexibility or maybe we don't need to do this anymore. You still need to diligence the FinTech as a bank, you still need to ensure they have the appropriate checks and balances in place on their part when they are onboarding and their onboarding processes, their credit underwriting processes, how they manage their merchants, how they perform AML/BSA, KYC, CIP, OFAC checks. They're still required to do that. There's no flexibility on that. So the latitude comes in and say, well, maybe in the past we were okay with them doing a sample. I don't know. I'm just making that up. But today we want a hundred percent. So that's the type of flexibility. But again, you've already built out the backbone of what is required for a successful relationship is how do you ensure that whilst you're level setting expectations, whilst you have two partners at the table wanting a very fruitful relationship in the BaaS ecosystem, what can both sides do? And the onus is on the FinTech as well as the bank.

Matthew Meyer (29:18):

And on the tone of improving compliance further, one thing that's been resonating with me that I hear from many compliance officers is we want to innovate, but we don't want to be first. And there's a lot of banks that do want to innovate, but they're wondering if the regulators will really accept it. I know traditionally regulators, if there might be some signs of enforcement action coming, they want to see you staff up with consultants for example. But are we going to be able to leverage technology more in place of that in the future? I think again, with the current administration kind of taking the lead on changing things and accepting other technologies and focusing on new technologies, it kind of gives us a little bit of a green light to adopt some other tools that we keep the existing framework in place and we know what we have to do, but where can we make improvements to make our lives easier?

Chris Napier (30:20):

And I think going back to clarify my statement on flexibility, I think what I'm really trying to say is more breathing room. So what I have noticed in the past four years has been, and this is coming more from the FinTech side of things, is the bank partners that have been on the playing field to date because of that regulatory pressure, because of the need to essentially pre-clear all these things with the regulator, the programs have been very restrictive. We have this very narrow set of things we're willing to do with these programs, take it or leave it, has been kind of where it has gone. It started out much more flexible, but it has gotten to the point where I think a lot of the programs are very narrow. And from the FinTech side of things, from their perspective, it just doesn't work a lot of times.

(31:18):

And they struggle to find the right bank partner with the right program to really actually innovate, right? Because if we have very restrictive programs, very narrow sets of things we're willing to consider, that's not really innovating anymore. That's just providing the same products over and over again. So what I'm hoping with this new environment is that we will have the breathing room to be the first mover where we know we have some confidence that the regulator will not swoop in immediately and put a stop to it where we don't have to go run to essentially our parents and ask for permission before we do something, as long as we are approaching it in a smart way. And I mean the signals are there. That is what the environment is going to be. So when I say flexibility, I am saying I think there is going to be space now where if we have a properly structured framework in terms of managing risk, we can be more expansive in terms of the types of business lines, the types of products that we are willing to now facilitate to now put into the market.

(32:27):

And someone's not going to just slam down on me immediately once they see something that's a little bit novel, but it's always within that framework of it still needs to be within my risk appetite. It still needs to be something that I can effectively manage and I'm confident that I can manage and that I understand before we get too far down the road in terms of contracting, in terms of due diligence, every thoughts that we've done, enough homework upfront where we are not over promising what we're going to be able to deliver and that we get into a fight with a FinTech and nobody wants that.

(33:03):

So I think we've already kind of hit on in terms of yes, this does not mean that I think we're going to slow down or that we necessarily are going to lighten up on the expectations in terms of managing risk, but I think it does mean that we will just have more of that space that we need to make investments where we think it's necessary in terms of compliance and BSA/AML where it makes sense for us. So it is less about pleasing an outside party looking in and more about brass tacks. What are my specific risks? I want to now do this. I understand what this product is, what this idea is. I'm willing to do it. It makes sense to me. I can invest now in what I need to do to manage that risk rather than more of this. I have the right reporting lines to satisfy everyone, and then everything's being cleared through the correct committees and everything. That stuff is important, but one size fits all does not work. And I think that's where we're going to get the freedom is to design things in a way that makes a lot more sense.

(34:21):

Now, I feel like for any technology focused conference, no session is really kind of complete unless we somehow have a discussion about AI and crypto and blockchain. And unless you've been living under a rock, that is obviously a policy priority for this administration is to foster those kinds of things. I think it is no secret that fintechs are already deeply embedded and fully embraced AI and these other technologies. They're developing these things they've already incorporated into their tech stacks. But I wonder, do you think there will be a shift in the way that banks approach these technologies?

Matthew Meyer (35:00):

Yeah, definitely. I mean, I think the AI genie is out of the bottle and there's no putting 'em back in. And I think at the very least, everybody needs to start learning about AI and how other companies are using it. Otherwise, I'm not necessarily saying you're going to get left behind, but I do believe that it's going to be embedded in a lot of tools and technology inside and outside of compliance in the future. I do see challenges in the FinTech and banking sector around leveraging AI. There's going to be learning about it and how to adopt, and then there's going to be regulating it. There's many ways that you can implement AI after you do learn about different tools that are out there on the market. I mean, there's many providers that have AI embedded into their compliance tools. You can look at enterprise wide platforms for full system revamps that have AI modules built into everything for AML, KYC, fraud, compliance.

(36:09):

And there's also single point solutions for AI tools like an AI agent that can fit into existing workflows with existing tech stacks. There's different tools and technologies for everybody. I'm happy to point you in the direction of some of the AI providers in the market that I know of, but again, it's learning about what's going to fit into your compliance program, and then there's learning how to regulate it. And don't forget that when a regulator knocks if and when they're essentially going to want to see this Wizard of Oz behind the curtain that's clearing all your false positives. And so you're going to have to justify as is any other compliance program what decisions you're making and why. And the same goes with AI tools. I mean, if you have an AI tool that's helping do basic data remediation to match customer information against possible risks and clear out false positives, a regulator might want to know how the AI model is tuned so that it can better understand why this decision is being made.

(37:18):

It's not like AI tools are going to be doing our jobs for us. They can definitely detect risks and they can even write a SAR narrative, but they can't send the SAR on your behalf. You still have to review it. But if you are approving some of the things that it's helping you do, which is the goal of a lot of these tools, then a regulator might want to understand a little bit more about how the decisions are made with the AI models. So just make sure whether if you're fortunate to be a large enough institution to have data science teams that can build AI models in-house, that those teams are going to be able to speak to regulators or show some type of documentation on how things are tuned. And if not, make sure your third-party provider that you're partnering with is going to be able to show some of that information as well, because they might hold a lot of that information close to them.

Ruby Kaur (38:18):

I'll just add to that, AI does bring with it a tremendous amount of opportunities. And for Huntington, AI is absolutely a priority for the bank as well. Adopting AI, there's different flavors to it. Are you utilizing it for in-house purposes within the institution or are you adopting it for external customer facing type activities and experiences? And with those two flavors brings different types of risks and compliance needs and oversight as well. I think at the end of the day, how we adopt it, how we utilize it, how we manage it, how we keep a finger on the pulse with it for the different uses, the different flavors is what we should be ensuring that we can explain to the regulators when we think about the BaaS ecosystem. Even if a financial institution perhaps may not have the appetite for AI today, for them, it's still an emerging risk because there's still a lot to learn.

(39:22):

They have to appreciate in the BaaS ecosystem. Somewhere along that value chain, somebody will more than likely be using AI. It could be your end client, it could be one of your processes, it could be your client's customers. So at some point in that end to end, there will be a touch point on AI, which ultimately is the bank, assuming the risk inverse in these types of relationships, you will still be held accountable to talk to how you are managing or at least having some element of oversight on that AI usage by someone across that value chain. So definitely exciting. I don't think we can, to your point, Chris, I think there's no, getting away with it into what you just said, Matt, I think it's a case of how do we prepare ourselves? At what point in your relationships and partnerships, whether it's BaaS or otherwise, are you impacted by AI? It could be directly or indirectly, but then how do you keep a finger on the pulse?

Chris Napier (40:19):

Yeah. Yeah. And I think we only have a few minutes left here, but one final point I do want to emphasize in here so that you don't all leave here being worried about or scared of AI because I think there has been a lot of messaging over time that this is black box technology and it's just incompatible with financial services and being able to explain the things that you need to be able to explain to comply with regulations, et cetera. I think a lot of the issues around AI has been more about a sort of miscommunication between AI and blockchain and these other technologies, which is the world of engineers and data scientists and tech people versus on the banking side is more about risk and finance, et cetera. And when compliance or legal or risk needs to talk to the engineers, they find that they're talking different languages.

(41:12):

So it's not that it is truly black box, it is that they haven't figured it out. I think a lot of times to communicate so that both sides understand each other and come to an understanding of what these tools actually do. Because when I have seen communication be effective and both sides really understand what a model does, it turns out it's really not that scary, right? It turns out you can actually understand what it's doing, be able to predict where those risks are coming from and account for it. And a lot of the black box program problems that have come up has been more of an issue of when the thing was being developed. It just wasn't top of mind when it was designed that it needs to do all of these things around transparency to be able to make it work in the banking context.

(42:01):

And in part, that's that language barrier where banks aren't able to communicate it to the people developing these things to tell them this is what it needs to do. So I think as we become more educated, if we make a concerted effort to try to understand these things, then I think collectively banks can start pushing the vendors and developers and everything to design these in a way that works for us. And I think that's starting to happen because on the technology side, they're recognizing that this is an issue we have to address. So I think if we apply the pressure from the banking side too, this will move along much faster and just create much more opportunity for all of us and be able to still fit it within our risk framework. So I think we have maybe two minutes, but I invite anyone who has any questions, please feel free. Otherwise we're open afterwards if you want to come up and chat.

Matthew Meyer (43:00):

I think we have a mic coming.

Audience Member 1 (43:08):

Two question, two part question. In terms of a banking model and banking business model, when we talk about BaaS banking as a service, you are basically just confining yourself to payments, but you are going to have competition, which are non-bank payments. So isn't that a way of restricting yourself in terms of the future going forward?

Chris Napier (43:47):

Yeah, well, I think with BaaS, it is actually much broader than payments. So we're out of payments forum, obviously, right? So we kind of put things in the context of payments, but BaaS is actually just a much broader concept of being able to offer bank functionality to create new products for fintechs to create new products. But that can be in the credit space, it can be in the deposit space, wallets, payments, et cetera. And we see, at least in my practice, I've seen that model being used by say, a FinTech to provide earned wage access and sort of the infrastructure behind that that makes that a viable business product. But behind the scenes, there is a BaaS model that's powering that stuff. So I think the use cases are actually very broad with BaaS, but it's just a matter of what you're willing to do. If you're a bank that's facilitating these, what you're willing to accept, maybe you do just restrict it, just payment applications, I'm just going to do this for merchant settlement or merchant services, that sort of thing. And you can have a very narrow program, but you can also have a very broad program that does all kinds of things. So yeah.