Managing Banking as a Service (BaaS) Third Party Risk
- danielle93624
- Aug 12
Part 3 of 3

In our previous blogs in this series (Part 1, Part 2), we have covered the rise of sponsor banks offering Banking as a Service (BaaS) to fintech clients, the regulatory actions impacting these practices, and how compliance teams have traditionally approached assessing the 3rd party risk of these clients.
Recently, Yanez has partnered with leading sponsor banks in the United States to facilitate robust, metric-based certification processes that let their compliance and risk teams independently assess the financial crime prevention technology of their BaaS clients. Using Yanez’s Financial Crime Prevention Vulnerability Scanner, these banks are establishing a transparent and reusable framework for evaluating the outcomes of the client fintech’s systems for Sanctions Screening, Know Your Customer (KYC), Transaction Monitoring for Anti-Money Laundering (AML) and Fraud Prevention against the standards that the Bank has established programmatically as a baseline metric for offering BaaS services. This framework is being developed to support recent recommendations from regulators on effectively managing 3rd party risk within banks’ relationships with FinTech clients.

Let’s discuss how this works.
Yanez’s Financial Crime Prevention Vulnerability Scanner is a provider-agnostic platform that can measure the efficacy and robustness of systems used for sanctions screening, and in the near future for KYC, transaction monitoring for AML and fraud prevention. Using the platform’s Comparison module, sponsor bank compliance teams can establish a standard based on quantifiable metrics that the output of the fintech’s systems must meet in order to be certified by the sponsor bank. For the purpose of this discussion, we’ll use sanctions screening to illustrate the process the compliance team at a sponsor bank would follow to “certify” that a fintech client’s system meets the Bank’s standard.

As mentioned, the standard is a collection of metrics relevant to sanctions screening practice: false negatives (e.g. there are no literal misses to entries in the list), list update (e.g. how fast the screening system updates its lists when there is an update), coverage (e.g. ensuring that all the required lists are taken into consideration for a given jurisdiction), and name variation detection (e.g. how good the system is at detecting different types of name variations). The bank’s standard can be established based on its current system’s results for these metrics or, more generally, on the benchmark set by Yanez Compliance.

Yanez provides an offline “sandbox” environment, within the Yanez platform, to run transactional scenarios in comparison to the client’s system. The standard is “loaded” into this sandbox environment. The Bank’s model will have the proper attributes and “fuzziness” for matching that the bank deems necessary for their risk appetite. Next, the fintech will load a copy of the configuration for their sanctions screening provider into the Yanez platform for comparison testing.
To test the two systems, a data set of those sanctioned within the desired jurisdiction is sourced directly from the appropriate authority. Then a broader data set is developed from that source, using Yanez’s proprietary AI technology. This broader set is built specifically to statistically measure the response of the systems.
When run against the Bank standard and the fintech’s setup, the output provides a side-by-side comparison of the sponsor bank system to the client system, showing whether the client system meets, exceeds, or falls short of the Bank’s risk benchmark. For a fintech using the same screening system, it’s a straightforward exercise of ensuring the geographic and jurisdictional parameters are aligned with those of the sponsor bank, along with setting the fuzzy percentage to the same level as the sponsor bank. For those with a system that is different from the Bank’s, the platform acts as a translator to represent how the values in the “challenger” system equate to the Bank’s.
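The side-by-side comparison described above, sketched as an added example that is not Yanez's platform or code. Levenshtein similarity stands in for a screening engine's fuzzy matcher, and the list names, entries, thresholds and metric definitions are all constructed assumptions.

```python
# Added illustration; every name, list and threshold below is constructed.

def levenshtein(a, b):
    """Edit distance by dynamic programming over one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    return 1 - levenshtein(a, b) / max(len(a), len(b), 1)

# Constructed sanctions lists (fictional entries) required for the jurisdiction.
REQUIRED_LISTS = {"LIST_A": ["IVAN PETROVSKI"], "LIST_B": ["MARIA DELACROIX"]}
# Constructed name variations, each derived from one list entry.
VARIATIONS = ["IVAN PETROVSKY", "IVN PETROVSKI", "IWAN PETROWSKI",
              "MARIA DE LA CROIX", "MARIA DELACROI"]

def screen(name, config):
    """True if any entry on a loaded list scores at or above the fuzzy threshold."""
    return any(similarity(name, entry) >= config["threshold"]
               for lst in config["lists"] for entry in REQUIRED_LISTS.get(lst, []))

def measure(config):
    exact = [e for entries in REQUIRED_LISTS.values() for e in entries]
    return {
        "false_negatives": sum(not screen(e, config) for e in exact),
        "coverage": len(set(config["lists"]) & set(REQUIRED_LISTS)) / len(REQUIRED_LISTS),
        "variation_detection": sum(screen(v, config) for v in VARIATIONS) / len(VARIATIONS),
    }

def compare(standard, challenger):
    """Per-metric verdict of the challenger against the bank's standard."""
    s, c = measure(standard), measure(challenger)
    verdict = {}
    for metric in s:
        # Fewer false negatives is better; for the other metrics higher is better.
        better = c[metric] < s[metric] if metric == "false_negatives" else c[metric] > s[metric]
        verdict[metric] = "meets" if c[metric] == s[metric] else "exceeds" if better else "falls short"
    return verdict

BANK = {"lists": ["LIST_A", "LIST_B"], "threshold": 0.87}
FINTECH = {"lists": ["LIST_A"], "threshold": 0.90}   # one required list missing, stricter match
FINTECH_TUNED = {"lists": ["LIST_A", "LIST_B"], "threshold": 0.85}

if __name__ == "__main__":
    print(compare(BANK, FINTECH))
    print(compare(BANK, FINTECH_TUNED))
```

The untuned configuration falls short on all three metrics because a missing list turns an exact entry into a literal miss; loading the list and lowering the threshold brings it to the standard.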

An analyst ensures the integrity of the results and the process by manually going over the results, first at Yanez and then at the bank. Once the results are verified by both Yanez and the Bank, the platform issues a certificate of evaluation that is valid for as long as the bank’s process requires it. This process can be run as frequently as the bank deems necessary.
If further tuning of the client system is required to meet the set metric, the vulnerability scanner platform provides a report of the areas in need of modification and, if appropriate, additional attributes that may be required to be gathered by the client system in order to match the risk threshold. The risk comparison process and subsequent report provide a valuable, tangible means for a sponsor bank to assess their 3rd party risk, and a framework for communicating areas of concern or deficiency with prospective clients as well as with their portfolio fintech clients utilizing the Bank’s BaaS offering, during reviews with the Bank.
Using the Yanez Compliance platform as part of the framework for assessing 3rd party risk not only results in faster onboarding for clients wanting to use a sponsor bank’s services but also gives its regulator(s) the ability to readily understand how the Bank is evaluating third party risk as an iterative process that is part of their client relationship lifecycle. The enhanced visibility and oversight that an independent resource provides address the concerns raised and the remediations mandated in the regulatory actions discussed. Further, it allows sponsor banks to expand their client base, knowing that they have sound evaluative metrics to effectively measure 3rd party risk in supporting that growth.