Once upon a time, fintech companies (especially riskier business types, such as money transmitters and crypto exchanges) encountered many difficulties offering products and services that would require integration with traditional banking services, such as lending and deposits. Products such as these often require bank accounts, which are heavily regulated in the US. As time, technology, and innovation have evolved, the fintech ecosystem has seen an explosion of buzzwords permeate the landscape, not least of which is Banking as a Service (BaaS).
Banking as a Service is a model in which licensed banks integrate their banking services directly into the products of non-bank businesses. This way, fintechs can offer their customers digital banking services, such as mobile bank accounts, debit cards, loans, and payment services, without needing to acquire banking licenses of their own (a concept known as “embedded finance”). In return, BaaS providers get a whole new sector of customers and new revenue streams to tap into. The quid pro quo nature of this arrangement has been very attractive to both sponsor banks and fintechs needing banking services alike.
The term BaaS is usually seen in tandem with the phrase “sponsor bank.” This term is typically used to describe a regulated financial institution with a US banking charter. These traditional financial institutions, such as Coastal Community Bank, primarily serve non-bank businesses, such as fintechs, to provide:
- Use of a banking license
- Banking and card-issuing technology
- The corresponding products and services that come from having such licenses and technology
- Regulatory and compliance expertise and oversight, program management functions, and other services
These services are often referred to colloquially as “payment rails,” and are what define the BaaS model. They allow fintechs to bypass the costly and time-consuming practice of acquiring their own banking licenses that they would ordinarily need to offer banking services. Additionally, partnering with a sponsor bank affords a fintech’s customers FDIC protection, as deposits are held by the bank, not the fintech.
Due diligence: Too much is never enough
Sponsor banks are interesting entities as they themselves are strictly regulated, but they also have agency in how they monitor and regulate their fintech partners. The fintechs themselves, depending on their business model, may or may not be subject to the same level of federal and/or state regulation.
For example, a fintech that transmits money would likely be classified as a money services business (MSB) and would need to register as such — and be regulated at the federal and state levels. This means they’d need to follow certain regulatory regimes with regard to laws and standards such as the Bank Secrecy Act. However, the partner bank would still have its own duties to follow these same regimes as well.
Other types of fintechs aren’t subject to the same level of regulation by federal or state agencies, so the question becomes: what is the correct governance structure in this landscape?
Before fintechs and sponsor banks can untangle those webs, they need to conduct appropriate due diligence on each other as a prerequisite to even signing their partnership agreement. This concept was fairly arbitrary until mid-2022, when the Office of the Comptroller of the Currency (OCC) declared that Blue Ridge Bank had failed to properly oversee its fintech partnerships and mandated that the bank take specific actions to remedy risks and gaps in its compliance program as it relates to its BaaS business line. Specifically, the OCC issued directives that Blue Ridge Bank must come into compliance with, including:
- BSA/AML compliance
- CDD and EDD
- A stronger transaction monitoring program
- Development of an Information Technology Control Program
- Development and implementation of a Third-Party Risk Management program
The implication of this for BaaS providers and their fintech partners is that both parties need to take a more prescriptive approach to due diligence to ensure both sides of the relationship are meeting these minimum requirements and complying with any other enhanced due diligence that might be required to mitigate identified risks.
For example, a sponsor bank might also want to ensure their potential fintech partner has appropriate consumer protection policies and procedures in place. Or, they might want to review the company’s financials and organizational structure.
On the other hand, a fintech might want to ask for proof of controls and mitigation efforts to close the gaps and assess their potential banking partner for:
- Enforcement actions
- Product fit
- Speed to market
- Cost and commercials
- International coverage
In both instances, a thorough risk assessment is the best first step toward choosing the appropriate partnership.
Operationalizing your compliance program: Why your tech vendors matter
Once a partnership has been established, the sponsor bank and fintech have to formalize who is responsible for each aspect of the compliance process. This means getting down to the nuts and bolts of who’s drafting and revising the program documentation, conducting all aspects of Know Your Customer (KYC), investigating suspicious activity and conducting transaction monitoring, filing SARs, responding to law enforcement requests, and so on. In most cases, the sponsor bank has the final say on which party is responsible for performing each task.
Regardless of who is responsible for operationalizing each aspect of the compliance program, the importance of having the right fintech tools and resources in place can’t be overstated. The core components of a comprehensive, risk-based approach to a compliance program include complying with all pillars of the BSA, not least of which is ensuring appropriate KYC is being conducted.
KYC includes customer onboarding and identity verification — in other words, having a reasonable belief that you know who your customers are to prevent bad actors from transacting in your ecosystem. Having a scalable compliance program means having the right tech in place to handle operations such as identity verification.
Here at Persona, we serve some of the top fintech companies, including Square and Empower, and understand the unique challenges they face as they seek to comply with regulations while managing risk. That's why we’ve designed our unified identity platform with these challenges in mind. Interested in learning more? Start for free or get a demo today.