As traditional financial institutions and FinTech companies join forces to offer innovative financial solutions, the BaaS model stands poised to revolutionize lending and operational platforms.
However, recent enforcement actions and settlements linked to data breaches provide cautionary lessons about compliance amid evolving regulations. The current landscape, marked by limited regulatory oversight, raises significant concerns for businesses operating within this model.
Broadly, BaaS lets a chartered bank expose payment and account functionality to FinTech partners over APIs, so that those client companies can offer banking products to their own customers without holding a banking charter themselves.
Importance of Vigilant Oversight
Recent enforcement actions have highlighted the risks associated with third-party relationships, compelling banks to ensure that their FinTech partners adhere to compliance standards. Notably, regulators have intensified scrutiny of anti-money laundering (AML) and Know Your Customer (KYC) practices.
This month, the FDIC released consent orders reiterating that third-party relationships will face rigorous examination. For instance, a consent order involving Quaint Oak Bank found that the institution had engaged in unsafe or unsound banking practices related to the Bank Secrecy Act (BSA), and required it to establish a robust third-party risk management program.
Similarly, a separate FDIC order with Hatch Bank mandated improvements in BSA/AML oversight regarding its third-party agreements, reinforcing the critical nature of compliance in these partnerships.
Challenges Faced by Regulators
Regulatory bodies are facing significant staffing challenges that affect their oversight capabilities in bank/FinTech BaaS relationships. According to a recent audit, the FDIC is struggling to retain a sufficient number of skilled examiners for crucial IT assessments. Alarmingly, over half of the advanced IT examiners are poised for retirement by 2024, leading to potential gaps in regulatory effectiveness.
The audit emphasized the necessity for the FDIC to analyze the complex interconnections between banks and third parties to identify vulnerabilities, operational failures, and potential cybersecurity threats. Moreover, the increasing reliance on third-party service providers to ensure compliance with BSA and AML regulations may require evolving examination processes and skill sets to maintain integrity.
Recent data indicates that nearly one-third of banks and FinTech firms targeted by fraud have succumbed to cyber incidents. For example, Evolve Bank and Trust recently settled a class-action suit following a data breach that compromised sensitive financial information, highlighting the vulnerabilities rampant in BaaS arrangements.
Reconciliation: The Pivotal Challenge
The proliferation of virtual accounts and complex banking relationships complicates the tracking of fund flows, particularly concerning ledger discrepancies. An April class-action lawsuit against Evolve Bank argued that the mismanagement of funds through inadequate monitoring led to significant discrepancies, adversely affecting account balances and fund distribution.
Commenting on these challenges, Ingo Payments CEO Drew Edwards noted that oversimplification in management practices may have resulted in the wrongful commingling of funds within poorly monitored accounts, causing serious operational risks.
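The control whose absence the lawsuit and Edwards both point to is a routine three-way reconciliation: each virtual account's balance must be explained by its postings, the sum of all virtual balances must equal the omnibus (FBO) account the bank actually holds, and every movement must appear on both the program ledger and the bank statement. The following is an added example written for this page, not code from Evolve, Ingo Payments or any other party; the account identifiers, amounts and transaction IDs are constructed, and the discrepancy it surfaces is hypothetical.

```python
"""Three-way reconciliation of virtual (sub-ledger) accounts against an FBO omnibus
account. Added example with constructed data; not from any real bank or program."""
from collections import defaultdict
from decimal import Decimal

# Constructed program ledger: balances the FinTech shows its end users.
LEDGER_BALANCES = {
    "va-001": Decimal("1500.00"),
    "va-002": Decimal("250.00"),
    "va-003": Decimal("0.00"),
}

# Constructed program ledger: postings that should explain those balances.
LEDGER_POSTINGS = [
    ("t1", "va-001", Decimal("2000.00")),
    ("t2", "va-001", Decimal("-500.00")),
    ("t3", "va-002", Decimal("250.00")),
    ("t4", "va-003", Decimal("100.00")),  # in the ledger, never settled at the bank
]

# Constructed bank statement of the single omnibus/FBO account.
BANK_TRANSACTIONS = [
    ("t1", Decimal("2000.00")),
    ("t2", Decimal("-500.00")),
    ("t3", Decimal("250.00")),
    ("t5", Decimal("-300.00")),  # moved at the bank, attributed to no virtual account
]
BANK_BALANCE = Decimal("1450.00")


def reconcile(ledger_balances, ledger_postings, bank_txns, bank_balance):
    """Return findings from the three checks. Empty lists, an empty dict and a
    zero gap mean the program ledger agrees with the bank."""
    findings = {}

    # 1. Postings must explain each virtual balance (catches silent adjustments).
    posted = defaultdict(Decimal)
    for _, acct, amt in ledger_postings:
        posted[acct] += amt
    findings["balance_mismatch"] = {
        acct: (bal, posted.get(acct, Decimal(0)))
        for acct, bal in ledger_balances.items()
        if bal != posted.get(acct, Decimal(0))
    }

    # 2. Sum of sub-ledger balances must equal the omnibus balance; a non-zero
    #    gap means some customers' money is not where the ledger says it is.
    findings["omnibus_gap"] = sum(ledger_balances.values(), Decimal(0)) - bank_balance

    # 3. Every movement must exist on both sides with the same amount.
    ledger_ids = {t[0]: t for t in ledger_postings}
    bank_ids = {t[0]: t for t in bank_txns}
    findings["unsettled"] = sorted(set(ledger_ids) - set(bank_ids))
    findings["unattributed"] = sorted(set(bank_ids) - set(ledger_ids))
    findings["amount_diff"] = sorted(
        i for i in set(ledger_ids) & set(bank_ids)
        if ledger_ids[i][2] != bank_ids[i][1]
    )
    return findings


def is_reconciled(findings):
    """True only when all three checks are clean."""
    return (not findings["balance_mismatch"]
            and findings["omnibus_gap"] == 0
            and not findings["unsettled"]
            and not findings["unattributed"]
            and not findings["amount_diff"])


def run_sample():
    """Reconcile the constructed data above and return the findings."""
    return reconcile(LEDGER_BALANCES, LEDGER_POSTINGS, BANK_TRANSACTIONS, BANK_BALANCE)


if __name__ == "__main__":
    result = run_sample()
    for name, value in result.items():
        print(f"{name}: {value}")
    print("reconciled" if is_reconciled(result) else "BREAK: investigate before next release")
```

On the constructed data the three checks disagree in three independent ways: va-003's balance is not explained by its postings, the virtual balances total 300.00 more than the bank holds, and one movement exists on each side only. Running this daily against the bank's statement, rather than trusting the program ledger alone, is the practical difference between spotting commingling early and discovering it in litigation.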