The financial services landscape is rapidly evolving, and one notable trend is banking as a service (BaaS). In BaaS, nonbanks, such as financial technology (fintech) companies, collaborate with banks to offer banking services without requiring a bank license. This approach allows for faster and more cost-effective delivery of banking services through digital channels. However, it also introduces compliance risks that need careful consideration.
Regulatory horizon for BaaS
- Regulatory scrutiny is increasing for BaaS providers, leading to potential enforcement actions against both banks and nonbanks.
- Collaborating banks may face indirect pressure to enhance risk management and expand supervision of their third-party relationships.
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders with two banks that collaborate with fintech companies to provide BaaS. These orders were prompted by safety and soundness concerns related to compliance with the Bank Secrecy Act (BSA), adherence to applicable laws and third-party oversight.
The FDIC’s scrutiny centered on the banks’ lack of adequate oversight of their third-party partners’ compliance with anti-money laundering/countering the financing of terrorism (AML/CFT) regulations.
These incidents are not isolated; a wave of regulatory fines has been levied against various institutions, underscoring the critical need to prioritize compliance in these relationships—from initial onboarding to ongoing monitoring throughout the partnership’s duration.
Compliance risks associated with BaaS
- Sanctions: Both banks and nonbanks must ensure strict adherence to sanctions imposed by regulatory bodies, such as the Office of Foreign Assets Control (OFAC).
- Know your customer (KYC)/Know your business (KYB): KYC/KYB regulations necessitate that banks and nonbanks verify the identity of their customers and evaluate the risk associated with their business relationships.
- AML compliance: AML regulations require banks and nonbanks to implement robust measures for detecting and preventing money laundering activities.
- Reputational damage: Noncompliance can significantly affect an organization’s reputation.
