Banking as a Service: A Potential Regulatory Storm on the Horizon

In part one of this series, we tackled some of the industry jargon and definitions to better understand Banking as a Service (BaaS) and how its continued growth has become a disruptor of our traditional way of doing business.  In this article we dive a bit deeper into the regulatory landscape around BaaS and provide some practical guidance of how to manage risks regarding your BaaS products and partners.

We begin with a description of the unique “double-edged sword” that a FinTech (FT) partner can be for a bank, and look at some recent examples of FTs running afoul of a regulatory body, in this case, the Consumer Financial Protection Bureau.

Regulatory Risk to Sponsor Banks

BaaS FinTechs(FTs) often partner with a chartered bank to be able to legally offer their financial services to customers.   Because BaaS players strive to be nimble and innovative, they often can run into regulatory issues including fines and damage to brand image.  This may, in turn, create exposures for the “sponsor bank” including increased strategic risk, regulatory penalties, and knock-on reputational impact. In fact, recent examples of FTs and sponsor banks experiencing such headwinds are not hard to come by. While a bank partnering with a vendor or third-party is nothing new, the risk exposures that these BaaS players bring to the bank represent a significant threat we have not traditionally seen.

CFPB Cracking Down on Financial Service FTs

In Q3 2022 alone we’ve seen the Consumer Financial Protection Bureau (CFPB) initiate the following regulatory penalties and lawsuits against FT players in the financial space.

• ‍On August 10,2022, the CFPB issued an order against Hello Digit, LLC (“Hello Digit”), a financial-technology company that offers consumers an automated-savings tool. Hello Digit uses a proprietary algorithm to make automatic transfers from the consumer’s checking account, called “auto-saves,” to an account held in Hello Digit’s name. Hello Digit claimed the tool “never transfers more than you can afford,” and they also provided a “no overdraft guarantee.” The CFPB found that Hello Digit engaged in deceptive acts or practices because the automated-savings tool often did in fact cause consumers’ checking accounts to overdraft and Hello Digit did not always reimburse consumers for overdraft fees as promised. It was also found that Hello Digit deceived consumers when it claimed that it would not keep any interest earned on consumer funds that it was holding, when in fact Hello Digit kept a significant amount of the interest earned. Hello Digit must pay a $2.7 million penalty.‍
• On September 29, 2022, the CFPB filed a lawsuit in the United States District Court for the Southern District of New York against MoneyLion Technologies Inc. (MoneyLion), ML Plus, LLC, and 37 MoneyLion lending subsidiaries. MoneyLion offers online installment loans through its lending subsidiaries and membership programs through its subsidiary ML Plus. The Military Lending Act (MLA) contains a number of protections for active duty servicemembers and their dependents, defined as “covered borrowers.” The CFPB alleges that MoneyLion violated the MLA by imposing membership fees on covered borrowers that, when combined with loan-interest-rate charges, exceeded the annual percentage rate cap defined within the MLA, inserting illegal arbitration provisions into contracts, and failing to make required disclosures to covered borrowers. The CFPB also maintains that MoneyLion engaged in deceptive acts or practices in violation of the Consumer Financial Protection Act of 2010 by misrepresenting that covered borrowers owed loan payments and associated fees that they did not in fact owe because loan contracts were void from their inception.

Management of BaaS Risk to Banks

Whether a BaaS runs afoul of regulations due to greed, mismanagement, or ignorance, the risk to a sponsoring bank can be significant.  Thus, new, specific FT risk management tools and techniques are essential for this aspect of a bank’s FT risk management framework.  At a minimum, it is essential to have the following core elements in a bank’s risk approach:

• An FT risk management framework that captures key risks for FTs across all risk categories including financial, operational (e.g., IT, failed processes), strategic, legal, and regulatory.‍
• Holistic FT due diligence which analyzes potential FT partners across business and risk domains including financial strength, management effectiveness, cyber risk, operational risk, and strategic direction‍
• Deep understanding of FT business models and their relationship to the bank’s core business operations, its data, its revenue stream, and the FT’s possible impact to the balance sheet and risk profile‍
• Ongoing monitoring of a bank’s FT partners across all risk areas using consistent risk scoring, automation, and prioritization of management response through a portfolio risk lens

 The FT risk management framework should include traditional third-party and FT-specific risk management tools that analyze a FT’s financial resilience, cyber security, strategic direction and associated risks, as well as the FT’s legal and regulatory risks that may create potential contagion effects at the bank.

In the due diligence phase, it is crucial to identify and assess a bank’s potential partnership with a FT as well as conduct an analysis of how the FT may potentially create risk concentrations in light of the bank’s risk profile or that of its existing FT partners.  Such an analysis should start with the FT’s intended service, its business model, and the space in which it operates.

Once a FT is onboarded, it is important to continue to manage its risk in isolation and also as a part of the bank’s “portfolio” of FT partners. The portfolio view illuminates risk concentrations, diversification and inter-relationships. This “ongoing monitoring” must occur on a regular cadence and leverage a set of key risk indicators which assess a variety of risk exposures.  As the portfolio of the bank’s FTs grows, automation can help ensure the process remains both accurate and manageable.

In the next article in our series, we will explore an innovative approach for FT risk management including tools that provide customized FT risk assessment methods, a modern FT risk management framework and maturity assessment that is powered by an enterprise risk technology platform, offering intuitive data visualizations and on-going monitoring.

‍