Navigating BaaS: Growth, Fintech Compliance, and Insights

April 10, 2024
Sarah Beth Felix
Co-Founder, Chief AML Officer, & AML Consultant

Hello BaaS enthusiasts! I'm Sarah Beth Felix, a panelist at the 2024 BaaS Spotlight: Banks-Fintechs Partnership Roundtable hosted by Unit21. As a seasoned expert with a background of 23 years in AML/sanctions and co-founding a bank, I'll share insights on how the industry can adapt to increased regulatory scrutiny in fintech compliance in this transformative era. Join me for an exploration of navigating the dynamic landscape of Banking-as-a-Service (BaaS).

Understanding the BaaS Phenomenon

Let's examine the underlying drivers behind the exponential growth of the BaaS market. With projections indicating a staggering $66 billion industry by 2030, it's crucial to comprehend the factors fueling this expansion. Working with fintechs around the world, I've observed a notable trend—the U.S. stands out as a prime location for fintech startups, partly due to our nascent regulatory environment, especially from an AML perspective.

Community banks are increasingly venturing into the BaaS realm, seeking to augment their Net Interest Income amidst changing fee structures. However, it's crucial to dispel the misconception that BaaS is a straightforward endeavor. Many banks are underestimating the complexities involved, often misled by advisors who incorrectly portray it as an easy lift compared to other ventures.

Navigating Regulatory Scrutiny

The surge in BaaS adoption during 2023 brought heightened regulatory scrutiny, emphasizing the importance of fintech compliance. While diligently complying with CFPB requirements is important, it's essential to recognize that compliance with these standards doesn't equate to full-fledged AML and sanctions compliance. Because there’s nothing calling this out as an issue, banks are stepping in and becoming a big driver of BaaS banking.

The regulatory landscape presents a nuanced challenge, with an explicit focus on BaaS in enforcement actions related to third-party risk management. This regulatory ambiguity has led many banks to naively assume that their foray into BaaS is devoid of regulatory risks, potentially exposing them to unforeseen challenges.

Addressing AML and Sanctions Risks

A critical aspect of BaaS is the transference of AML and sanctions risk from unregulated, or less regulated, fintechs to partnering banks. As an advocate for regulatory reform, I'm committed to closing the loopholes that exempt many fintechs from federal AML laws, fostering a more equitable regulatory framework. While the FFIEC BSA Manual explicitly states that banks are not the de facto regulator, the federal government's lack of action has resulted in banks assuming the de facto regulator role.

“It’s unfair that banks have to be the de facto regulator when the federal government can just remove these loopholes.”

If done by the federal government, we can be like our sister nations, where they regulate their fintechs like a bank, or in the UK, where they regulate them as a PSP.

Banks must recognize the inherent risks associated with BaaS partnerships and ensure thorough due diligence and risk assessment processes are in place. Moreover, fostering open communication and collaboration between banks and fintechs is paramount in effectively mitigating AML and sanctions risks and threats.

Balancing Growth and Compliance

In navigating growth and fintech compliance, it's crucial for both banks and fintechs to adopt a proactive approach. Banks must communicate transparently with their boards, emphasizing the long-term nature of BaaS ventures and the inherent regulatory challenges involved. 

Before venturing into BaaS, consider a crucial litmus test: Would you be willing to bank a foreign financial institution? If not, you may want to reconsider the risks involved. Because whether it’s a direct or indirect BaaS relationship, you’re still dealing with an unregulated party from an AML point of view. Board comfort and clear communication about being in the red before the black are essential.

On the other hand, fintechs must prioritize a deep understanding of potential threats and vulnerabilities within their products and adopt a proactive stance in addressing AML and sanctions risks. 

Communicating the Underlying Threat

To fortify BaaS collaborations, effective and transparent communication of underlying threats is paramount. While risk assessments provide a broad overview, homing in on specific threats related to money laundering and sanctions violations is crucial for a proactive defense.

“Risk assessments are good, but threat assessments are better.” 

  • Risk Assessment: Traditionally, banks and fintechs conduct risk assessments to identify potential vulnerabilities and challenges in their BaaS ventures. While valuable, these may not delve deeply enough into specific threats related to money laundering and sanctions violations.

  • Threat Assessment: Unlike risk assessments, threat assessments focus on finding and fixing specific issues unique to fintech and BaaS. It's about understanding how fintech products could be misused for illegal activities.

The Bank's Role

From the bank's standpoint, a proactive approach involves delving into open-source intelligence, particularly platforms like Reddit. Scrutinizing fintech discussions and feedback unveils insights into payment processes and products, enabling a better understanding of potential risks.

Collaborative Vigilance

A collaborative effort between the bank and fintech is essential. By jointly identifying threats and vulnerabilities, both parties can fortify defenses and establish robust countermeasures.

Elevate Your BaaS Experience!

To wrap it up, the collaborative synergy between banks and fintechs is the linchpin for success in the evolving BaaS landscape. Transparent communication, proactive threat assessments, and open collaboration are essential for fortifying defenses. 

Want to learn more about the BaaS landscape and current trends in banking and fintech? Follow me on LinkedIn, where I regularly post my analysis on enforcement actions, consent orders, and other regulatory trends. 

The views expressed by Sarah Beth Felix on this blog post are hers alone and do not necessarily reflect the views of her employer.
