The Evolution of BaaS: Redefining Risk and Responsibility in Banking

The financial services landscape is constantly evolving, especially as new technology enables dramatic changes in how financial institutions (FIs) do business. Banking as a Service (BaaS) is one such major technological innovation, emerging as a game-changer by offering banks an avenue to augment revenue streams without needing physical expansion.

BaaS is also a huge hit with customers, speeding up the banking process through low-friction, highly-customized experiences. This transformational way of banking relies, at its core, on a strong relationship between sponsor banks and their fintech partners. However, the journey from BaaS inception to its current state has been marked by significant shifts in risk management practices and regulatory scrutiny.

To see how we got to the current state of BaaS, where new regulatory requirements can pose an existential threat to some institutions, we need to trace the history of BaaS, including its pitfalls, and understand where it will be heading in 2024 and beyond.

How Banking as a Service took over the financial playing field

BaaS was initially conceived as a means for banks to capitalize on digital innovation. To say BaaS reached that goal is a massive understatement. It fundamentally altered the traditional banking model, allowing banks to leverage partnerships with fintech firms and extend their reach and services to a wider audience while offloading operational risks onto their technology-savvy counterparts. Those partners can offer financial services thanks to their ability to utilize their sponsor bank’s charter.

These contractual arrangements were clearly advantageous and at the same time held the promise of allowing banks to focus on core competencies. While banks stick to what they know best, fintech companies handle the technological intricacies, paving the way for a more efficient and customer-centric banking experience.

The fintech partners win by having time-to-market for financial products cut down significantly, while also enjoying reduced overhead costs and complexity overall. The banks win because they unlock new revenue sources, gain critical insights into customer behavior and desires, and can offer modern technology within their platform without needing to invest in building it themselves.

Of course, no business model can survive without customer approval—a benchmark BaaS exceeded with ease. Modern customers prioritize speed, smooth user experiences, and flexibility. It can only help if that user experience is highly customized as well. BaaS ticks each of these boxes, while also putting the most up-to-date technology in users’ hands.

The benefits for every party involved in the BaaS equation are clear, but nothing in the banking or finance industry comes without fraud risk.

BaaS risks arrive—and evolve

In a traditional banking setup, the banks themselves are responsible for mitigating fraud risks, preventing attacks to protect customers, and enforcing strong anti-money laundering (AML) protocols. They typically invest heavily in either building their own comprehensive fraud solution or selecting leading fraud and AML providers to equip themselves with the best prevention and AML tools.

In the case of BaaS, however, sponsor banks benefit from outsourcing fraud prevention to their fintech partners. So as the banks provided the all-important charter, fintechs took on the responsibility of giving customers agile new technology and delightful experiences while also detecting and mitigating fraud attacks.

The BaaS ecosystem flourished, but the potential risks of sponsor banks outsourcing fraud prevention to fintech partners began to surface. This created a disconnect between risk exposure and accountability within traditional banking institutions. With risks offloaded, banks often overlooked the need for robust infrastructure and controls to mitigate potential losses, adopting an “I’m not responsible for that risk, so it’s not my concern” approach.

The consequences of that oversight (or lack thereof) became apparent. Around 2012, the first whispers of cease and desist orders emerged, signaling regulatory concerns over the growing risks associated with BaaS arrangements. These concerns were primarily related to data security, consumer protection, and anti-money laundering measures. As fraud proliferated, regulators trained their focus on BaaS industry norms.

The situation reached a critical mass in early 2023, as major shifts led to systemic enforcement actions against BaaS banks, including fines, penalties, and in some cases even the revocation of banking licenses.

This shift in regulatory stance still serves as a wake-up call for the banking industry. The days of banks absolving themselves of all risk and responsibility are gone. Sponsor banks now must:

1. Complete a fundamental reevaluation of their risk management practices
2. Redesign their infrastructure to manage triparty programs that collaboratively involve the bank, their fintech partner, and regulatory authorities.

The future of risk management in BaaS

New, redesigned triparty fraud and risk programs are crucial in ensuring BaaS compliance, risk mitigation, and transparency in the BaaS ecosystem. Tighter collaboration between banks and fintech partners on its own is essential, but not the final step to achieve sound compliance. Each party needs clearly defined roles regarding compliance and fraud mitigation to ensure accountability and transparency across the BaaS ecosystem.

I strongly believe that collaboration rather than outsourcing will be the cornerstone of sustainable growth and regulatory compliance in the future of banking. Looking back, it’s evident that a focus on revenue growth overshadowed the importance of risk assessment in the early days of building the BaaS ecosystem. As we navigate the complexities of the financial landscape, it’s crucial to heed this lesson and adopt a holistic approach that considers both risk and reward.

Regulators, too, are evolving in their approach. Revenue growth alone will no longer suffice as a metric of success. Regulators will scrutinize the revenue generated and the mechanisms in place to identify, assess, and manage emerging risks.

The evolution of BaaS underscores the need for banks to adapt to changing dynamics and embrace a proactive risk management culture. By redefining risk and responsibility within the BaaS framework, banks can navigate regulatory challenges and lay the foundation for sustainable growth in the digital era of banking.

Want to keep the discussion going? Join Brenda Banks and BaaS fraud leaders from around the industry at DataVisor’s first-ever BaaS Lunch & Learn on June 12th, 2024 at 11am PT / 2pm ET.