
Regulators Crank Up the Heat On BaaS Banking. What Does This Mean for Third-Party Risk Management?

May 7, 2024

BaaS banking faces an unusual predicament. As regulators become more aggressive in issuing enforcement actions against fintech banks, the desire for these partnerships remains strong. The rush to enter BaaS has slowed somewhat following a spate of regulatory actions in 2023 and 2024, but partner banking is still appealing to many financial institutions.

The BaaS model is too enticing to abandon. With its high growth potential, financial institutions must adapt to evolving regulatory requirements. The winners will be those who develop strong oversight and risk management programs tightly integrated into their banking-as-a-service operations.

Successful BaaS banking will require a blend of expertise and more mature systems and processes for managing third-party risk.

Experience matters in BaaS

Regulators have hit numerous BaaS banks with enforcement actions, which have only increased over the past two years. Despite a 3% industry market share, BaaS banks accounted for 13.5% of “severe enforcement actions” in 2023, according to S&P Global Market Intelligence. 

But reading through the most recent enforcement actions against BaaS banks reveals important differences in the severity of penalties. While a Wyoming-based bank holding company “voluntarily” agreed to unwind fintech partnerships for one of its subsidiaries following a cease-and-desist order, a consent order against an Ohio-based BaaS bank merely required it to inventory its third-party partnerships and revise its BSA compliance program.

What led to this difference in outcomes?

The answer: experience. The Wyoming bank was a newer market entrant in the fintech space, whereas the Ohio bank had a long history of partner banking. The Buckeye bank likely had better processes for vetting fintech partners and more robust third-party risk controls, showing that expertise and experience matter when it comes to BaaS.

That’s not the only example. A Tennessee-based bank entered a consent order with the FDIC in February 2024, shedding many of its fintech partners as a result, while a New York-based bank with a greater number of fintech partners merely agreed to review its BSA compliance program to ensure Suspicious Activity Reports (SARs) are filed consistently.

This demonstrates that the number of fintech partners is not the issue when it comes to the severity of enforcement actions. It’s how BaaS banks manage the onboarding and oversight of these vendors.  

The New York bank had a reputation as a well-known BaaS bank focusing on building sustainable partnerships one fintech vendor at a time. On the flip side, the Tennessee bank grew 949% over two years.  

BaaS success depends largely on an institution’s knowledge of the fintech industry and its ability to navigate the risks in this space. The common theme of recent consent orders is banks’ compliance management systems (CMS), with board supervision and oversight also frequently mentioned. Many of the financial institutions that suffered more severe enforcement actions moved quickly into BaaS, rapidly onboarding vendors, perhaps without the compliance management processes and systems to handle this growth.

Middleware providers: a solution in search of a problem

One Virginia-based BaaS bank was subject to two separate enforcement actions for BSA compliance from the OCC in less than two years. The bank relied on a middleware model that offered a shortcut for financial institutions seeking to enter banking-as-a-service. Under this system, financial institutions and fintechs connect through a middleware provider that builds the APIs between a bank’s core systems and fintechs, handling functions such as deposits and lending.

These BaaS intermediaries also promised to handle some of the fintech compliance burden. But as the case of the Virginia bank proves, responsibility for compliance can’t be outsourced. Synapse, the middleware firm in question, quickly encountered problems, with banks cutting ties with it in October 2023 over compliance failures. The company declared bankruptcy shortly after.

The Tennessee bank mentioned above also relied on a middleware company, and the New York bank has already exited relationships with most of its middleware platform providers.  

The problem with the middleware model should be immediately apparent: financial institutions can’t outsource compliance. In fact, FIs shouldn’t want to outsource compliance. Compliance and risk management are what financial institutions do. Relying on an intermediary to meet compliance burdens, such as the Bank Secrecy Act (BSA) and Know Your Customer (KYC), undermines an FI's responsibilities conferred by its charter.


Lack of oversight was ingrained in BaaS banking

Early BaaS banking looked very different from today. With the rise of prepaid cards in the early 2000s, financial institutions created a system that allowed fintechs to oversee compliance and operational risks (BSA, Reg E dispute resolution, fair lending, etc.). 

Lack of oversight was a feature of early BaaS programs rather than a blunder. As the industry grew, financial institutions began to ask for periodic reports and program testing, with some BaaS banks building robust third-party consumer compliance functions. Many others did not. 

The absence of reliable data on their customers has caused countless regulatory headaches for financial institutions. Regulators made quick use of last June’s Interagency Guidance on Third-Party Relationships: Risk Management to double enforcement actions against BaaS banks. The guidance requires FIs to thoroughly vet and perform due diligence on vendors and engage in ongoing monitoring to ensure they meet consumer compliance requirements. 

Regulators expect BaaS banks to have as much control over customer data as their fintech partners. Financial institutions can no longer afford to be vague regarding the responsibilities of fintechs handling consumer data. Contracts between FIs and BaaS providers must spell out obligations for both sides to avoid confusion, poorly managed programs, and potential regulatory violations.


The key to doing BaaS

The benefits of BaaS for traditional financial institutions hold great promise for those who get it right. Third-party risk management platforms can help FIs gain critical insights into fintech vendors with customizable risk assessments that identify, assess, and monitor the strength of a third party’s compliance controls. 

BaaS banks must: 

  • Assess the effectiveness of fintech BSA controls 
  • Evaluate partner banking data for adherence to fair lending protections and laws 
  • Ensure Reg E compliance from BaaS partners, including timely dispute resolution 
  • Confirm that marketing materials are reflective of the bank’s approved content 
  • Verify that BaaS providers have obtained the necessary disclosures and approvals from customers 
  • Regularly evaluate providers’ information security controls and ability to protect sensitive consumer data 

With the right vendor risk controls and ongoing monitoring, financial institutions can enjoy a competitive advantage over peer institutions without BaaS products and services. But having the infrastructure and processes in place before embracing partner banking is critical to this success.

What about FIs without fintech partners?

Financial institutions without banking-as-a-service products should not take any of this to mean they’re in the clear regarding third-party risk management. The Agencies don’t publish regulatory guidance as a thought exercise. 

Digesting the FDIC’s 2024 supervisory highlights, as well as those published by NCUA, financial institutions will discover a common theme: compliance violations from vendor mistakes crop up frequently during exams. 

Whether it’s fair lending violations in the form of exceptions in a credit union’s indirect auto loan portfolio, third-party service providers exaggerating or misrepresenting the value of the products or services they offer, vendors failing to address account errors and respond to consumer complaints, or any of the hundreds of mistakes a third party might make, examiners are scrutinizing vendor risk with renewed intensity and holding financial institutions accountable.

Having a mature vendor risk management program is not optional – it’s a matter of survival in today’s regulatory landscape.
