In part one of this series, we tackled some of the industry jargon and definitions to better understand Banking as a Service (BaaS) and how its continued growth has become a disruptor of our traditional way of doing business. In this article, we dive a bit deeper into the regulatory landscape around BaaS and provide some practical guidance on how to manage risks regarding your BaaS products and partners.
We begin with a description of the unique “double-edged sword” that a FinTech (FT) partner can be for a bank, and look at some recent examples of FTs running afoul of a regulatory body, in this case, the Consumer Financial Protection Bureau.
Regulatory Risk to Sponsor Banks
BaaS FinTechs (FTs) often partner with a chartered bank to be able to legally offer their financial services to customers. Because BaaS players strive to be nimble and innovative, they can often run into regulatory issues, including fines and damage to brand image. This may, in turn, create exposures for the “sponsor bank” including increased strategic risk, regulatory penalties, and knock-on reputational impact. In fact, recent examples of FTs and sponsor banks experiencing such headwinds are not hard to come by. While a bank partnering with a vendor or third party is nothing new, the risk exposures that these BaaS players bring to the bank represent a significant threat we have not traditionally seen.
CFPB Cracking Down on Financial Service FTs
In Q3 2022 alone we’ve seen the Consumer Financial Protection Bureau (CFPB) initiate the following regulatory penalties and lawsuits against FT players in the financial space.
Management of BaaS Risk to Banks
Whether a BaaS runs afoul of regulations due to greed, mismanagement, or ignorance, the risk to a sponsoring bank can be significant. Thus, new, specific FT risk management tools and techniques are essential for this aspect of a bank’s FT risk management framework. At a minimum, it is essential to have the following core elements in a bank’s risk approach:
The FT risk management framework should include traditional third-party and FT-specific risk management tools that analyze a FT’s financial resilience, cyber security, strategic direction and associated risks, as well as the FT’s legal and regulatory risks that may create potential contagion effects at the bank.
In the due diligence phase, it is crucial to identify and assess a bank’s potential partnership with a FT as well as conduct an analysis of how the FT may potentially create risk concentrations in light of the bank’s risk profile or that of its existing FT partners. Such an analysis should start with the FT’s intended service, its business model, and the space in which it operates.
Once a FT is onboarded, it is important to continue to manage its risk in isolation and also as a part of the bank’s “portfolio” of FT partners. The portfolio view illuminates risk concentrations, diversification and inter-relationships. This “ongoing monitoring” must occur on a regular cadence and leverage a set of key risk indicators which assess a variety of risk exposures. As the portfolio of the bank’s FTs grows, automation can help ensure the process remains both accurate and manageable.
In the next article in our series, we will explore an innovative approach for FT risk management, including tools that provide customized FT risk assessment methods, a modern FT risk management framework and maturity assessment that is powered by an enterprise risk technology platform, offering intuitive data visualizations and ongoing monitoring.