Even before the FTX platform collapse and the depositor run on SVB shone a spotlight on regulation in the already heavily regulated banking industry, regulators were beginning to turn their attention to Banking-as-a-Service (BaaS) entities. One of the main advantages of BaaS is that it allows non-banks to offer banking services without the compliance issues facing standard banks. This lack of oversight worries regulators, who seek to reduce risk in the market. To prevent additional regulations, banks involved in BaaS will have to prove that current requirements are enough, and they have the ability to oversee compliance in their partners.
The growing dominance of data in financial services will lead regulators and lawmakers to zero in on who owns that data, how to protect consumers’ privacy and the risk of criminals using financial technologies to launder money. (American Banker)
Areas such as privacy and data portability are ripe for legislation. (American Banker)
The CFPB is now utilizing a dormant authority to hold non-banks to the same standards that banks are held to. (CFPB)
Throughout 2022, bank regulators around the world began to increase their attention on banks' third-party risks. In the past, regulating the banks seemed to be enough to reduce risk in the market. But, as BaaS strategies began to grow — and as most of these strategies involved small and mid-sized community banks that didn’t fall under the most stringent regulations instituted after the financial crisis — regulators began to wonder if consumers were being protected. Key areas of concern include banks' compliance with the Bank Secrecy Act regarding anti-money laundering, how deposits are held and how the arrangement is being marketed to consumers, and credit underwriting standards, particularly for consumer loans.
Regulators seem uncertain how to approach the BaaS industry. Should banking requirements be leveraged on the fintechs? Or should the banks be required to provide oversight of their partners? Should regulations come from a consumer protection agency? Between congress and the agencies, it seems everyone is talking about tightening the rules around BaaS—it’s just that no one knows how.
In an effort to ward off additional regulations, banks are likely to proactively tighten how they interact with fintechs. This could involve banks requesting more audit rights to inspect or monitor their fintech partners' operations. Banks could insist on a right to obtain sufficient information to oversee how the fintech handles customer notices and how it resolves disputes or harvests consumer data. They could also insist on a specific financial stability or level of liquid assets to ensure the fintech could cover any losses Banks will likely not simply rely on a fintech’s promises, but will set up mechanisms of information flow as a contractual right.
In addition to contractual compliance and oversight rights, banks could also include metrics that the third-party must meet to continue the relationship. Banks will be looking for the fintech to exhibit a level of sophistication in compliance that is expected of the bank by its own regulators.
Smaller banks, in particular, have gravitated toward BaaS because it brings in significant additional revenue without adding infrastructure costs. However, growth brings its own regulatory considerations. For example, banks with less than $10 billion in assets are exempt from the Durbin Amendment and eligible to charge higher interchange fees for processing debit card payments. These banks are also excluded from the Volcker rule and from CFPB oversight. Although many of the smaller banks in BaaS are choosing to manage their balance sheets to stay under the $10 billion threshold, they could opt to exceed it if they are swayed by the demand for scale.
Fintech partnerships can lead to cost savings for both fintechs and banks, increase competition, and provide faster, better, and cheaper banking products and services for consumers. Yet, the BaaS strategy has grown so fast that important questions have been pushed to the side. Where does the bank end and the fintech start? Who is responsible for the consumer if a bank fails? What happens if the fintech partner fails or is unable to meet compliance standards? Who is responsible for privacy and cybersecurity concerns?
And the question on everyone’s mind: Would additional regulations make the industry safer for consumers or simply throw up unneeded roadblocks for an innovative strategy that helps banks, fintechs and consumers? 2023 might just be the year we find out.