Article
Navigating BaaS: Key insights and compliance essentials
Aug 29, 2024 · Authored by Lauryn Jobb
The financial services landscape is rapidly evolving, and one notable trend is banking as a service (BaaS). In BaaS, nonbanks (such as financial technology (fintech) companies) collaborate with banks to offer banking services without requiring a bank license. This approach allows for faster and more cost-effective delivery of banking services through digital channels. However, it also introduces compliance risks that need careful consideration.
Regulatory horizon for BaaS
- Regulatory scrutiny is increasing for BaaS providers, leading to potential enforcement actions against both banks and nonbanks.
- Collaborating banks may face indirect pressure to enhance risk management and expand supervision of their third-party relationships.
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders with two banks that collaborate with fintech companies to provide BaaS. These orders were prompted by safety and soundness concerns related to compliance with the Bank Secrecy Act (BSA), adherence to applicable laws and third-party oversight.
The FDIC’s scrutiny centered around the banks’ lack of adequate oversight of the anti-money laundering/countering the financing of terrorism (AML/CFT) regulatory compliance of their third-party partners.
These incidents are not isolated; a wave of regulatory fines has been levied against various institutions, underscoring the critical need to prioritize compliance in these relationships—from initial onboarding to ongoing monitoring throughout the partnership’s duration.
Compliance risks associated with BaaS
- Sanctions: Both banks and nonbanks must ensure strict adherence to sanctions imposed by regulatory bodies, such as the Office of Foreign Assets Control (OFAC).
- Know your customer (KYC)/Know your business (KYB): KYC/KYB regulations necessitate that banks and nonbanks verify the identity of their customers and evaluate the risk associated with their business relationships.
- AML compliance: AML regulations require banks and nonbanks to implement robust measures for detecting and preventing money laundering activities.
- Reputational damage: Noncompliance can significantly affect an organization’s reputation.
Tailored compliance programs
There is no one-size-fits-all approach to regulatory compliance. In BaaS partnerships, financial institutions and technology companies are separate entities that are third parties to each other. In any BaaS partnership, it is crucial for every party involved to establish a comprehensive and tailored compliance program. Each partner should understand which rules and regulations apply to their organization and build corresponding controls appropriate for their risk profile.
Compliance responsibilities should be explicitly outlined in the partnership contract to ensure that both partners are on the same page relative to risk management and compliance. The partnership agreement serves as a valuable tool for effective risk management.
Monitoring BaaS compliance
To ensure that the BaaS partner is delivering on their compliance obligations, the counterpart should periodically monitor their partner’s performance and determine if the agreed-upon conditions of the contract are being met.
Parties involved in the BaaS relationship need to focus on gaining an understanding of how their partner is verifying the identity of the customer, assessing the risk of the customer relationship, monitoring for sanctions, and performing transaction monitoring to identify any illicit activities.
Fintech companies that offer bank-like products are typically subject to the Bank Secrecy Act and it’s imperative that they assess their risk profile in order to establish and execute a robust compliance program to prevent their products and services from being used for criminal activities. Where some fintech companies fall short, is placing reliance on their banking partners to perform their BSA duties on their behalf. Likewise, the Banking partners fall short by not properly monitoring the fintech companies’ BSA programs.
Remember that adherence to compliance standards is essential for maintaining trust and integrity within the financial industry. Effective third-party risk management plays a crucial role in ensuring the safety, reliability, and compliance of products and services by both parties involved to mitigate the potential financial and reputational damage.
BaaS offers convenience but demands rigorous risk management and compliance efforts to navigate the regulatory landscape. The recent third-party risk management interagency guidance released by the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency underscores the importance of navigating the regulatory landscape effectively.