Managing Banking as a Service (BaaS) Third Party Risk
- danielle93624
- Jul 29
- 5 min read
Updated: Aug 12
Part 2 of 3

In our previous blog post, we discussed the rapid rise of sponsor banks providing BaaS solutions in the United States, and the corresponding increase in regulatory actions targeting those banks and the services they provide. Those actions highlighted concerns with the third-party risk management practices of those banks, notably in the areas of Know Your Customer (KYC), anti-money laundering (AML) and Bank Secrecy Act (BSA) policies and programs for the FinTech clients utilizing the Bank’s BaaS offerings. This second post of three examines how sponsor banks are managing these relationships today.
A Veiled Dance
When a prospective FinTech or BaaS client applies at a sponsor bank, an awkward dance unfolds between the two sides, and within the sponsor bank itself. Three distinct parties take part: the Bank business development managers, the Bank risk and compliance teams, and the applicant FinTech client.
Bank business development managers are tasked with bringing new business into the bank and growing it steadily. They actively solicit and engage FinTech firms to utilize the Bank’s depository accounts, payments, credit, or other financial products, which will bring revenue in the form of new cash-flow and transactional fees. Their goal is to onboard and grow the new client’s BaaS utilization swiftly to realize revenue sooner.
At the same time, the FinTech is eager to move as quickly as possible and is likely to engage multiple sponsor banks in parallel, both to maximize deal value and to get its offering to market quickly and economically. It will want to minimize up-front cost while retaining the flexibility to grow its offering to the largest target audience it can reach.
However, the Bank compliance team’s directive is to protect the Bank and its shareholders by ensuring that risk areas are reviewed and vetted before these new FinTech clients are given access to its BaaS services. The Bank business development team and the FinTech want to move fast, but the compliance team’s priority is to be certain of its assessment, regardless of speed.
How this dance unfolds depends on the sponsor bank’s own maturity in the market and on how well defined its compliance and risk processes are. The cost of evaluating a FinTech is the same whether the Bank approves a valuable one or rejects one that is a poor fit. The undesirable outcome for the Bank is to onboard a BaaS client that burns through its investment capital without generating enough revenue to cover its expenses, forcing the closure of the BaaS accounts and services used by that FinTech’s customers and causing disruption and harm. In assessing a potential BaaS client from a business development perspective, the Bank will want to understand the FinTech’s business model, the problem it is looking to solve in the market, the services it will need from the Bank, its product roadmap and growth projections, its funding and the sources of those funds, its cash flow and “run rate”, and the makeup and experience of its team. These are all crucial aspects for the Bank to weigh in determining, from a business perspective, whether the prospective client will be a good, revenue-producing partner that is likely to sustain its business.
From the compliance team’s seat, on the other hand, the questions are which BaaS services the FinTech prospect wants to contract for, for what demographic, and in what geographical area. From there, the effort begins to determine whether the FinTech has the proper policies in place to support those services for those customers in that area. Bank compliance will ask for the policies the FinTech has developed to support the services in question. These policies span regulatory issues ranging from anti-money laundering and sanctions screening to fair lending and consumer privacy. This review runs in parallel with similar inquiries into information security, operational controls, and business continuity and resilience.
This is clearly a broad and expansive area of purview that falls on the risk and compliance teams to assess and determine fit, often under time pressure from the expectations of the Bank business development team and the prospective FinTech client. In many ways, it is like standing up a wholly new risk and compliance program from scratch with each new FinTech client onboarded. This is where a lack of visibility into, and understanding of, the clients’ programs can cause misalignment, errors in assessing risk, and ultimately even regulatory corrective action, as illustrated in our previous blog post. The right knowledge and transparency lay the foundation for a framework for applying the appropriate compliance processes. They also inform how and when to update those processes to keep pace with the innovation of the Bank’s FinTech clients.
To verify that the proper systems and controls are in place to support the stated policies effectively, the Bank compliance team will conduct interviews with the FinTech. These should include a review of the systems the FinTech uses for onboarding, enhanced due diligence, sanctions screening, transaction monitoring, and fraud detection in support of its services. The proper application of compliance processes in these systems is one of the keys to a regulatory-compliant program, because compliance is a heavily manual process that depends on technology to execute its policies consistently. Having a framework for evaluating the execution of these policies is the most common recommendation in the recent regulatory actions involving BaaS providers.
Reviewing the outcomes of a financial crime prevention system is one notable area where technology can lift some of the burden of the compliance team’s time-intensive, manual third-party assessment. Today, a compliance analyst at a sponsor bank must pore over reports from the FinTech’s KYC, sanctions screening, transaction monitoring, and fraud systems to evaluate whether those systems are following the prescribed policy for the BaaS services being provided to end customers. This largely manual and often disjointed process can take months of effort, and may deliver neither the confidence the Bank desires nor the transparency and accountability that regulators want.
The difficulty is compounded because these risk assessments should not only be conducted thoroughly at the initial onboarding of a prospective FinTech but also re-examined regularly, during quarterly reviews, once that FinTech is a portfolio client. Consider that a sponsor bank may provide services to dozens of BaaS FinTech clients, each of which has multiple financial crime prevention solutions deployed that need to be reviewed; the task is herculean. This part of the compliance team’s third-party risk assessment would benefit from technology that helps measure the efficacy of the FinTech’s AML/KYC and anti-fraud solutions. While technology by itself cannot address every area that a comprehensive review process covers, such as operational resilience, it can provide a much-needed lift in addressing the issues highlighted in this discussion of regulatory compliance and operational controls. These are the key issues outlined in the regulatory actions concerning sponsor banks and their third-party risk management.
In our next blog post, we will cover how Yanez is partnering with leading sponsor banks to facilitate robust, metric-based certification processes that elevate their compliance and risk teams’ ability to independently assess the financial crime prevention technology of their BaaS clients.