Banking as a Service (BaaS): Understanding the risks and regulatory landscape

What is Banking as a Service (BaaS)?

BaaS is made possible when a bank (“sponsor bank”) provides access to its banking infrastructure through APIs (Application Programming Interfaces) to a fintech. APIs serve as a software intermediary, allowing two applications to talk to each other. These APIs allow the fintech company to integrate banking functionalities into their own platform or application. Some sponsor banks have their own APIs. Other sponsor banks utilize the APIs of technology “middleware” providers or BaaS platforms in the image below.

Fintech, short for financial technology, refers to companies who create innovative technology to deliver financial services and products. It encompasses a wide range of applications, including mobile banking, payment processing, and insurance technology (insuretech), among others. Fintech companies leverage advancements in technology, artificial intelligence, machine learning, marketing, and customer experience to enhance efficiency, accessibility, and affordability in the financial services industry. These innovations often disrupt traditional financial institutions and create new opportunities for financial inclusion, automation, and personalized services.

End users in the image below represent the customers who sign up for and use the fintech products. In a BaaS model, the end users are typically customers of the sponsor bank and subject to the regulatory consumer protection provisions of a standard bank customer.

Benefits of BaaS

• Banks — For banks, BaaS provides an opportunity to monetize their banking infrastructure and regulatory compliance capabilities. By partnering with non-bank entities, banks can generate additional revenue streams (i.e., interchange or BaaS fees), deposit sources, and leverage their bank charter to serve new customer segments in unique ways.
• Fintechs — For non-bank entities looking to offer banking services, BaaS provides a cost-effective solution. Instead of building their own banking infrastructure and obtaining a banking license, non-bank entities can partner with traditional banks to offer banking services under their own brand, reducing the time and cost involved in launching new services.
• Consumers — The rise of digital banking and the increasing demand for seamless, user-friendly banking experiences have driven the popularity of BaaS. Non-bank entities, such as fintech companies, can leverage their expertise in technology and user experience to offer innovative banking services that meet the evolving needs of consumers.

Regulatory headwinds

From 2022 to 2024, there have been several notable enforcement actions against banks providing services to fintech companies operating under the Banking as a Service (BaaS) model. These actions have primarily focused on concerns related to:

• Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and Know Your Customer (KYC)
• Third party risk management
• Board oversight
• Marketing of FDIC insurance by non-bank entities
• Effective governance including risk assessments
• IT and information security controls
• Business continuity

Regulatory agencies have scrutinized these partnerships to ensure that fintech companies, despite not holding banking licenses themselves, are still adhering to stringent regulatory standards. Failure to comply with these standards have led to significant penalties for both the fintech companies and the partnering banks, including some affected community banks having to leave the BaaS space entirely.

Key risk areas for internal auditors

If your financial institution is already engaged in BaaS or contemplating entrance into the space, internal auditors should be alert to the following risk areas:

Compliance and regulatory risks

BaaS involves multiple parties, including the bank providing the infrastructure and the non-bank entity offering the services. This complexity can lead to challenges in ensuring compliance with regulatory requirements, such as KYC, AML, general consumer compliance, and data protection laws. Internal auditors need to ensure that all parties involved are complying with relevant regulations to avoid regulatory penalties and reputational damage.

Banks must ensure that their BaaS offerings comply with consumer protection regulations, including transparency requirements and fair treatment of customers. This includes providing clear and accurate information about fees, terms, and conditions associated with BaaS services. Additionally, marketing materials including social media must comply with all relevant regulations.

Information security, cybersecurity

In fintech and bank partnerships, critical information security risks must be managed to safeguard sensitive data and maintain trust. These risks include data breaches, cyberattacks, third-party vulnerabilities, failure to meet related regulatory requirements, insider threats, mobile security concerns, identity theft and fraud, and API vulnerabilities. To mitigate these risks, robust cybersecurity measures, regular risk assessments, employee training, clear security policies, and open communication channels are essential. Ongoing security audits and penetration testing can help identify and address vulnerabilities proactively.

It is recommended that a data flow is mapped. Data flow mapping is an essential process that helps in the understanding and visualization of data's journey within various systems and can help stakeholders understand who is doing and responsible for what during each stage of the data journey.

Third party risk

Banks must effectively manage the risks associated with their BaaS partners, including operational, compliance, and reputational risks. This requires thorough due diligence when selecting BaaS partners and ongoing monitoring to ensure that they comply with regulatory requirements. To learn more about third party risk and the role of internal audit, I recommend the following articles and reports:

• The role of internal audit in vendor third-party risk management
• Conducting due diligence on financial technology companies: A guide for community banks
• Third-party risk management: A guide for community banks

Reputational risk

Reputational risks in BaaS partnerships arise from the potential for negative perceptions or damage to the reputation of a bank due to the actions or failures of its fintech programs. These risks can stem from various sources:

• Data breaches or security incidents
• Service disruptions to end users
• Regulatory compliance failures
• Quality or performance issues
• Regulatory enforcement actions

Financial risk

BaaS providers are exposed to financial risks, including liquidity and market risks. Auditors should assess the financial health of BaaS partners and ensure they have adequate capital and liquidity to support operations. BaaS banks should also ensure they have appropriate contingency plans in place in case they need to wind down a fintech program.

An opportunity for internal audit

In conclusion, as BaaS continues to reshape the financial landscape, it presents a rapidly evolving space for internal auditors tasked with safeguarding their organizations. While BaaS offers unparalleled opportunities for expansion and innovation, its inherent complexities introduce a spectrum of risks, from regulatory compliance and data security to reputational vulnerabilities. By comprehensively understanding these risk areas and implementing robust auditing practices tailored to the unique challenges of BaaS, internal auditors can play a pivotal role in ensuring the resilience and success of their organizations in this rapidly evolving ecosystem.