Applause for Regulators’ Better Grasp on BaaS
By: Tyler Brown
AUGUST 6, 2024
Regulators’ views on Banking-as-a-Service (BaaS) are maturing. The OCC, Federal Reserve, and FDIC just published a joint statement on banks providing deposit products and services through third parties — a classic BaaS use case — and the risks to end users. It addresses specific and timely issues in the BaaS space and drills down deeper than guidance on third-party risk management.
The statement is part of a regulatory normalization that we’ve seen coming. It follows guidance earlier this year that, as we discussed, covered community banks’ relationships with third parties. That guidance was particularly apt given community banks’ overrepresentation among BaaS sponsor banks. The agencies reiterated the need to make risk practices appropriate for a bank’s size, complexity, and risk profile — but plenty was left to interpretation.
The recent statement looks at BaaS with a focus on safe and sound practices and financial-crime prevention. The core problem it addresses is how fintechs’ claims that customer deposits are federally insured hides risks to consumers’ ability to access their funds. It adds to regulators’ body of work just as BaaS technology providers are at pains to assure regulators, investors, partners, and customers that they’re competent and compliant.
The document demonstrates regulators’ clearest understanding yet of factors behind the BaaS crisis. It also implies guardrails informed by examinations and, as we’ve covered, enforcement actions. It cites potential problems with operations, compliance, growth, governance, and third-party risk — all those factors get more complicated as the number of program partners multiplies, which may be exacerbated by a poorly designed or poorly managed intermediary.
The flip side of the problems regulators highlight are risk management goals for BaaS sponsor banks. Sponsor banks should:
Another potential problem with BaaS is hard to police, but crucial considering recent lapses: End customers could be misled about deposit protection when a fintech advertises pass-through FDIC insurance but hides the consequences when a third-party partner fails — likely a violation of regulations governing the marketing of banking products.
The BaaS drama hasn’t yet played itself out — the messy aftermath of the BaaS platform Synapse’s collapse is evidence of that. But regulators getting a grip on the space sets the foundation for predictability and long-term success with the model.
Phone: +1-480-744-2240 • Contact Us