As nearly every financial institution wrestles with ways to enhance its service to consumers and business customers, cloud-based banking-as-a-service (BaaS) offerings through fintech firms are gaining traction. Platforms reliant on an institution’s balance sheet are equipped to handle loans, deposits or payment services, and financial institutions are eagerly getting in on these opportunities to stay competitive.
But such high-stakes relationships with fintechs pose risks that financial institutions could be overlooking amid the enthusiasm and industry expectations to dive into the world of BaaS. Institutions have a lot riding on these fintech partnerships, and it’s important they don’t give short shrift to the increasing regulatory scrutiny they may be subject to.
As BaaS becomes a core strategy — not merely an ancillary activity — for financial institutions, the risk management issues are both significant and frequently underestimated.
Find the right partner
Because it takes a special level of expertise around technology, compliance and risk management beyond what is typically dealt with, financial institutions need to be sure they pick the right fintech partners and manage them correctly. It's equally important that fintechs themselves partner up with institutions that provide assurances about their risk and regulatory compliance policies.
The peril that financial institutions put themselves in when they work with fintechs with weak risk-management protocols became apparent in September 2022, when the Office of the Comptroller of the Currency (OCC) ordered Charlottesville, Virginia-based Blue Ridge Bank to bolster oversight of its risk management program for its fintech partnerships. The financial institution also was told to step up its anti-money laundering risk management, suspicious activity reporting and information technology controls after the regulator “found unsafe or unsound practice(s),” according to an agreement between the OCC and Blue Ridge Bank.
The bottom line is that financial institutions are on the hook if a fintech firm they work with falls short in its duties. Because some banks partner with as many as 20 fintechs at a time, the responsibilities and risks are enormous.
Here’s how financial institutions can reduce risk in working with fintechs:
1. Ensure your risk-management practices are sound and secure
Conduct the necessary due diligence before you engage with a fintech partner, and be sure to continue to monitor the operations and activities that affect your organization. This guidance is not new but has become more important as financial institutions increase the number and risk level of partners that they are working with. The scrutiny should be at a deeper level than with more traditional third parties given how closely interconnected the fintech will be with the institution and the lack of experience of many newer fintechs.
2. Create a robust vendor management program (and be sure fintechs do the same)
Be clear with the fintechs you work with about who exactly is responsible for Bank Secrecy Act compliance and money laundering issues. Fintechs need business continuity plans and information security plans, both of which could be newer territory for them.
3. Have clarity on customer verification
When onboarding new customers or accounts, be clear on who has the primary responsibility for vetting them, and make sure they are legitimate. An overreliance on technology to do the vetting can get you in trouble. Fraud risks are significant, so be sure it’s clear whether the fintech or the financial institution is taking the lead in verifying new customers and approving accounts.
4. Stay attuned to regulatory scrutiny
It’s the financial institutions, not the fintechs, that are on the hook for violations committed by either the institution or the fintech since fintechs themselves are not directly regulated. Many fintechs are not even on the radar of regulators because they are small and may not yet have made any money. Financial institutions have the burden to make sure all is operating correctly. Regulators can significantly harm fintechs by curtailing their activities with the institutions they partner with. And financial institutions get no protection from working with entities that themselves aren’t regulated, which can be the case when fintechs are onboarding fraudulent accounts, for example.
Before launching into fintech partnerships, financial institutions need to make sure they understand what they’re getting into. It’s essential for the board and senior management to know what the full risks are and feel confident they have the technology infrastructure and human resources to support BaaS. Financial institutions need a good handle on risk, both at the outset and on an ongoing basis with their fintech partners.
How Wipfli can help
If your financial institution is considering a new fintech partnership or you have risk-management questions concerning the relationships you’ve already established, Wipfli’s team can help you feel confident about the next steps. Our deep experience can help financial institutions and fintechs be sure they are on solid footing as they strive to meet regulatory compliance requirements and serve the needs of today’s customers. Contact us to learn how we can help financial institutions and fintechs.