R.I.P. to BaaS and FinTech-Bank Partnerships?
It took a struggling economy, the collapse of regional banks, minimal funding from investors & VCs (venture capitalists), and increasing pressure from regulators to knock down the Banking-as-a-Service (BaaS) sector in the US.
Few platforms are launching new products in 2023 as partner banks are extremely cautious in working with fintechs & non-fintechs.
In light of interest rate and business continuity risk, all financial institutions are preparing for the worst when it comes to their next regulatory audit and potential enforcement. The regional, mid-size banks & credit unions running fintech partnership programs will face an even higher level of examination.
Let’s dive into the current state of BaaS in Q4 2023, highlighting (TL;DR):
Top partner banks are feeling the heat from regulators;
BaaS providers & other vendors can also come into question;
What non-bank intermediaries can do now;
Where the industry goes from here.
Partner Banks Under Fire
In speaking with multiple industry veterans, there’s a clear theme that the ‘party is over’ for bank-fintech partnerships.
Fintechs and financial institutions have worked together for the last 5-6 years with minimal oversight or commentary from regulatory agencies in the US.
The fallout of crypto players last year (such as FTX) and bank collapses at the end of Q1 have government officials demanding action.
For partner banks that rely on BaaS partnerships (either through an intermediary or their own channel), the anticipated scrutiny from regulators and risk of enforcement action is at an all-time high.
Auditors and examiners are rallying to get a firm grasp on how deep these partnerships go and if more oversight is needed. There are key examples in recent months of regulators making moves on existing providers:
Blue Ridge Bank — The Office of the Comptroller of the Currency (OCC) ordered the bank last year to improve how it monitors third-party fintech partnerships. The action forces Blue Ridge (from Virginia) to gain the OCC’s non-objection (aka approval) before adding new clients OR new products for existing platforms. After the regulator stepped in, the bank’s CEO stepped down, and a decision was made to wind down the BaaS division by migrating fintechs elsewhere.
Cross River Bank — The Federal Deposit Insurance Corp. (FDIC) tagged the New Jersey bank with an enforcement action in Q2 of this year regarding concerns with fair lending laws. The bank also isn’t allowed to start new lending programs without FDIC approval. Cross River is known for working with large enterprises (such as Affirm) and providing payments, banking, and lending infrastructure. In the midst of this action, there are no signs that CRB will shut down its BaaS channel.
The programs at some of these banks grew very quickly in a short span of time.
This pace of growth made it difficult to ensure that proper processes and checkpoints were in place to address all areas of risk (regulatory, financial, credit, legal, and reputational).
MORE REGULATORY ACTION TO IMPACT BANKS, BAAS ENABLERS
The sentiment across the industry is that more activity will come over the next year as regulatory agencies figure out how best to rein in BaaS and 3rd-party programs.
For financial institutions waiting for their next audit, the assumption is that the review will be in-depth and more thorough than previous examinations.
Regulators need to validate how a bank is actively managing fintech program partnerships.
Most partner banks aligning with fintechs are mid-size, regional banks with small teams and limited tech infrastructure to run ongoing reviews.
Even though there’s a more complex operational framework for banks serving fintech, the small size of their balance sheets had them going under the radar of regulators. By turning up the dial on bank audits, regulators are hoping to rectify the lack of supervision from the last few years.
There’s a trickle-down effect from regulators applying pressure on financial institutions — banks are deflecting some of this pressure to infrastructure players & vendors that connect banking products to end-users.
This middleware layer of connectivity comes with automation, speed, and an overall lift in customer experience. However, there’s also an added level of risk as it puts a buffer between a bank (licensed entity) and the customer consuming a financial product. It creates a gray area for regulators since these providers have no licenses AND don’t directly interact with clients.
More established fintechs are opting to skip over these vendors and plug in directly to bank partners. This makes sense once there’s a significant amount of scale from user growth and transaction activity. We’ve seen Mercury (business banking solution for startups) recently announce their intent to work directly with their bank partner (Evolve Bank & Trust) and terminate their ongoing contract with their BaaS provider (Synapse).
For some mature players (especially those who aren’t focused on being banking-first), it may still make sense to keep a middleware partner involved that’s experienced in running bank programs at scale.
Regardless of program structure, all non-bank parties involved in delivering a financial product or service should assume that they may be on the hook for being in compliance with a banking law or regulation.
ALL INTERMEDIARIES BEING SUSCEPTIBLE TO REGULATION
Financial institutions aren’t the only ones that should be concerned with regulatory risk.
Non-bank entities (including tech, KYC, and data vendors) involved in any part of a financial activity may be scrutinized. With a banking product, the Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Act broadly applies. This can come down to the way a program is marketed, promotional bonuses that don’t get paid, or even making it difficult for a customer to avoid a fee.
With credit, there are multiple fair lending laws and consumer protections to prevent discrimination and disparate impact.
These include the Truth in Lending Act (TILA), the Equal Credit Opportunity Act (ECOA), and multiple laws regarding housing (such as the Community Reinvestment Act, Home Mortgage Disclosure Act, and Fair Housing Act).
Focusing on ECOA, the definition of creditor includes non-lenders involved in credit decisioning. This can be any company referring potential applicants of lending products — not just banks or BaaS tech layers.
In this era of alternative data & AI models, there’s a higher risk of blocking a protected group from obtaining credit. Even financial institutions with experience in lending must constantly verify that their approval & decline processes are fair.
In banking activities where ECOA doesn’t apply, the Consumer Financial Protection Bureau (CFPB) is extending the rule to cover any business process that seems unfair, causes harm to consumers in a manner that can’t be avoided, AND whose perceived benefits do not outweigh the harm caused. This brings advertising, marketing, and pricing policies into the spotlight for proper monitoring that prevents discrimination. Any entity that fails to comply can be sued by the CFPB.
Non-bank players shouldn’t assume the partner bank they work with has sufficient oversight of its programs either. The fragmented framework of BaaS and multiple players involved increases the risk of non-compliance (even if it may be unintentional). A change by one party can affect the other immediately.
WHAT NON-BANK BAAS PLAYERS CAN DO NOW
Non-bank players should change their mindset and accept that broad considerations of fairness in financial services do apply to microservice offerings or programs.
Based on trending regulator activity and lack of previous enforcement, there will be some movement coming through in the next few months. Companies should be proactive and work towards building & implementing fairness in all their services, especially if underserved groups may be impacted.
In this forward-looking approach, non-banks must focus on:
Call out any practices that may be questionable when it comes to fairness: this can include marketing, lead generation, collecting debt payments, handling fraud cases, and charging fees;
Rank these practices in order of negative impact: companies can focus on items with the most risk first since they may get on the radar of regulators sooner;
Leverage data on hand to evaluate outcomes: this requires ongoing review of user screening & business decisions compared against customer attributes (such as race and ethnicity). Get analytical when it comes to comparing statistics for different products and groups, as even subtle disparities can be cause for concern;
Make changes to reduce negative impacts: these disparities will exist for every company, but it’s up to risk teams and executive leaders to act quickly and identify if there’s a better (more fair) way to accomplish a specific task/function.
Since there are so many parties and moving parts within a banking program, partners should make sure to inform one another of negative findings in a timely manner. There needs to be a commitment to business continuity and providing a consistent experience to end-users. A disruption in a platform due to a vendor being suspended for risk practices should be avoided.
WHERE DO WE GO FROM HERE?
The current model (BaaS 1.0) will be no more in 2024.
In the short-term, we will see middleware providers minimize what they offer to only technology or a single business function. This will cause the ecosystem to become even more fragmented across numerous vendors that must find a way to work together.
The conservative theme will extend to all financial institutions as they await clarity from regulators in how to work with 3rd parties, what types of partnerships are allowed, and how to avoid findings.
There will be fewer program approvals for new products for non-banks. Any new programs that do get approved in the coming months will be very limited in scope — payments-focused, serving US-based individuals or businesses. Most likely no international users or payments, no unsecured lending, and no crypto activity for the next 6-10 months.
With this backdrop, the stage will be set for BaaS 2.0. This evolution of the sector will see either (a) banks stepping up and becoming more adept with technology and automation to handle back-office processes and compliance checkpoints, or (b) an intermediary with program management and regulatory expertise working with both banks and non-banks for new programs.
Even though we’re 12+ years into FinTech, it’s still early days for the industry and much can happen in the span of a few months (as we saw in Q1 of this year).
Join our community @FinTechtris for more industry content & insights (including deep dives & sector spotlights).