
The smoke: A recent flurry of regulatory activity in response to poor application of risk and compliance requirements in the bank-fintech partnership model.
The fire: Existential risks to the bank-fintech partnership model and, by extension, the provision of financial services products.
The extinguisher: Clear-eyed assessment of the current state, commitment to principles of safety and soundness, and considered strategy to manage risk and compliance.
Let’s take a step back.
The last few years have seen an evolution in the nature of the relationship between fintechs and banks. Early theories that fintechs would pose serious threats to community banks haven’t quite proven to be true. Fintechs’ ability to fully execute on their value proposition – that, by using technology, they can service more people, more quickly, and at lower cost – has been hindered by regulatory complexities. Due to the financial, logistical, and political challenges associated with obtaining their own bank charters, fintechs have struggled to compete directly with banks. Although the number of community banks has steadily declined the last few years, this decline is not at the hands of fintechs. Other things, yes; but not fintechs [1].
Instead of direct competition, fintechs and banks have orchestrated mutually beneficial relationships where fintechs create products and define the customer experience, while banks – the regulated entities – provide the infrastructure and regulatory authority to offer the underlying services and products. This is known as ‘banking-as-a-service’ (“BaaS”). In a traditional program manager relationship, the fintech is contractually required to maintain a subset of the regulatory compliance and risk management functions applicable to the products it offers.
This fintech and bank relationship also created a new layer of market participants, known as ‘BaaS platforms’ or ‘middlewares,’ whose principal value proposition is to remove the costly and time-consuming interactions between banks and fintechs [2]. The BaaS platform pitch is straightforward: if you are a bank, enter into one commercial arrangement and submit to one technological integration, but get the financial benefit of many. If you are a fintech, integrate with sophisticated APIs (as opposed to an outdated bank core) while also handing off some (or in some cases, most) aspects of your risk and compliance program, and focus on what is most important to you – customer acquisition.
Commercially, this model has flourished. To provide just a couple of statistics, customer acquisition costs for financial institutions that partner with BaaS platforms are 82.5% to 95% lower than without [3], and projections of global revenues for the BaaS platform industry are as high as $12.2 billion by 2031, up from $2.5 billion in 2020 [4]. Qualitatively, the model has catalyzed explosive growth in the volume and variety of fintechs in existence, giving consumers more options than ever before to spend, save, invest, borrow, lend, or earn.
Unfortunately, a great deal of that commercial growth may have outpaced the maturity of the risk and compliance programs designed to support it, much to the discomfort of one group of stakeholders – regulators.
Regulators are charged with, amongst other things, ensuring that banks comply with a myriad of state and federal regulations, including those related to risk management, consumer protection, and anti-money laundering. The tools regulators use to oversee banks – such as mandatory reporting requirements and examinations – have sought to afford them a comprehensive and candid view into the relationships between banks and their end customers, and thus allowed regulators to observe banks’ compliance with applicable rules and regulations. The bank-fintech relationship has made this more difficult by placing the bank one or two steps removed from the compliance program and two or three steps removed from the customers. Commercial agreements by and between banks, BaaS platforms, and fintechs can be complicated, often leaving parties unclear about ownership of risk and compliance responsibilities.
This confusion can be compounded by the growth in capabilities of ‘regtech’ tools, which seek to expedite and automate many aspects of regulatory compliance. While these tools can be efficient, effective, and – in many cases – necessary, fintechs and BaaS platforms too often consider the adoption of a generic written policy and the acquisition of a regtech solution as satisfaction of their regulatory expectations. Then, instead of tailoring procedures and calibrating tools specific to each use case, some BaaS platforms adopt a one-size-fits-all approach. The end result is a ‘RACI’ matrix showing a bank that is not responsible or accountable, and a fintech that is not consulted or informed.
In the eyes of the regulator, however, there is no confusion about whom to blame. Banks are the regulated entities, customers are customers of the banks, and banks are accountable for weaknesses in risk and compliance programs. Recently, regulators have been making themselves clear:
An OCC-chartered fintech partner bank has been told it may no longer sponsor new fintechs, particularly those involving consumer use cases;
Another OCC-chartered bank was told to off-board its largest fintech client;
A state-chartered, Federal Reserve Board-supervised bank has terminated agreements with two promising, high-valuation BaaS platforms; and
An OCC-chartered, long-standing fintech partner bank has declined to support any new fintech programs proposed by its BaaS platform partner.
In contemplating this recent activity, four broad areas comprise the regulators’ concern:
Onboarding – The diligence required to safely onboard a customer must be robust and quantitatively tied to risk tolerance.
Compliance Management System (“CMS”) – Compliance programs must be risk-based, tailored to each fintech, and neither the fintech’s nor the bank’s CMS can stop maturing post-launch, particularly as transaction volumes and risk increase.
Anti-money Laundering (“AML”) – AML programs should not be ‘cut-and-paste;’ they must be tailored to the unique activities and risks of the fintech.
Electronic Funds Transfers: Regulation E (“Reg E”) – Statutorily mandated statements provided to customers must meet regulatory expectations, and customer disputes must be handled pursuant to requirements [5].
Considering the four areas above, one can see that regulators are taking issue with the very value proposition of this model. Consider the case of the typical BaaS platform, for example. A single BaaS platform will aim to take compliance responsibilities off the hands of one hundred fintechs — one hundred fintechs, with hundreds of thousands of combined customer accounts. That many customers naturally generate a lot of issues regarding AML, Reg E, and unfair, deceptive, or abusive acts and practices (“UDAAP”) [6]. That volume of activity cannot be resolved by a small bank compliance team, a small BaaS platform compliance team, and limited fintech compliance personnel. Furthermore, the BaaS platform will restrict the ability of its bank partners to interact with the fintechs, whose customers contractually belong to the bank. This creates safety and soundness concerns. When regulators eventually catch on, instead of working with the bank to remediate issues and build a regulator-approved model, the BaaS platform simply moves new or existing fintech partnerships to another bank, effectively trying to outrun the regulators’ implicit demand to modify the operating model.
Before I provide some guidance on how to address these issues, it is worth pausing to examine the big picture. As I mentioned at the top of this article, where there is smoke, there is fire. The potential impact of the recent regulatory activity could be vast.
For partner banks: Sponsoring fintech programs can be a profitable business line, in addition to allowing banks to command tech-like valuation multiples. Partner banks could face incredibly expensive enforcement actions and remediation projects. They also stand to lose a valuable revenue stream or, in egregious cases, their entire charter.
For BaaS platforms: This business model relies on trust and volume; banks trust that BaaS platforms are owning or delegating compliance responsibility appropriately, while BaaS platforms onboard many fintechs, as quickly as possible. If banks are forced to monitor more closely, and BaaS platforms to onboard fintechs more slowly, the unit economics suffer, and the model becomes less viable.
For fintechs: Cost and time-to-market for new products could increase exponentially if banks lose the ability to partner with BaaS platforms, requiring more fintechs to obtain state licenses and/or build full-fledged compliance programs.
For consumers: The majority of consumers will not suffer. However, any fintech serving the ‘unbanked,’ ‘underbanked,’ or ‘underserved’ should take note: the biggest impact on consumers of a collapse of the bank partnership model will be a restriction of fintechs’ ability to foster financial inclusivity [7].
Now, some good news. Although regulatory scrutiny is increasing, there are ways each of the market participants mentioned throughout this article can help inspire regulatory confidence in these partnerships. The table below illustrates, at a high level, how fintechs and banks should think about building programs that withstand regulatory scrutiny in the areas of concern.



In Conclusion
The advent of fintech marks one of the most significant developments in financial services since the Great Recession — it has created billions of dollars of fintech valuations and provided a lifeline to smaller banks that otherwise would have been limited by their traditional brick-and-mortar footprints and local customer bases.
The bank-fintech partnership model can likely be thanked for much of the growth and success of fintechs. However, following years of sustained growth, this relationship appears to be under pressure.
The smoke led us to the flickers of a fire; it should be extinguished before it spreads. Now is the time for market participants to think carefully about their roles in managing risk and compliance.
Trevor Tanifum, Principal, FS Vector

FS Vector’s Advisory Practice works with 170+ fintechs and 15+ partner banks. We have deep, broad, and practical experience right-sizing risk and compliance programs, including designing compliance maturity models, risk assessments, and partner oversight models.
For more information, contact: [email protected]
[1] The decline of community banks began with a series of policy changes in the 1990s that allowed big banks to become giant conglomerates, thereby gaining market share from smaller competitors. After the financial crisis of 2008, the federal government encouraged further consolidation by adopting extraordinary assistance programs to ensure the survival of the biggest institutions. Wilmarth, Arthur E., A Two-Tiered System of Regulation is Needed to Preserve the Viability of Community Banks and Reduce the Risks of Megabanks (January 15, 2015). 2015 Michigan State Law Review, pp. 249-370, GWU Law School Public Law Research Paper No. 2014-53, GWU Legal Studies Research Paper No. 2014-53. Available at SSRN: https://ssrn.com/abstract=2518690.
[2] ‘BaaS’ is often used interchangeably with ‘middleware,’ but middleware is best thought of as a type of BaaS where a third-party platform sits in between the bank and the fintech.
[3] Dan Jones, Anosh Pardiwalla, Sara Zanichelli, The Rise of Banking As A Service, Oliver Wyman Insights, https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2021/mar/the-rise-of-banking-as-a-service.pdf.
[4] PYMNTS, Why Every Bank Can Be, and Should Be, a Banking-as-a-Service Company, PYMNTS.com (June 3, 2022), https://www.pymnts.com/news/banking/2022/why-every-bank-can-be-and-should-be-a-banking-as-a-service-company/.
[5] 12 U.S.C. § 5565. Section 1055(c) of the Consumer Financial Protection Act (“CFPA”) authorizes the Consumer Financial Protection Bureau (“CFPB”) to administer monetary fines for violations of the CFPA.
[6] 12 U.S.C. § 5536(a)(1)(B). Section 1036 of the CFPA prohibits “unfair, deceptive, or abusive” acts or practices. Areas that are prone to UDAAP risk include marketing materials, disclosures, product flows, and individual interactions with customers, including complaint management.
[7] Without the bank-fintech partnership model, fintechs may be required to obtain requisite licenses or charters, which will drive up operating costs. This will make it difficult to provide certain types of products, such as low-cost financing, thereby denying valuable services to consumers.

