What Regulators May Be Asking About Your BaaS Program
Regulators have the job of keeping on top of technology developments and looking out for potential risks that could threaten a bank's safety and soundness. Embedded Finance (EmFi) and Banking-as-a-Service (BaaS), where a third party "owns" the customer relationship, are an emerging delivery channel that regulators in many countries are exploring.
They are right to be concerned. There have been some high-profile failures, where depositors lost money. This risk is heightened where roles and responsibilities between parties in a BaaS arrangement aren't clear.
But regulators are also under increasing pressure not to stand in the way of innovation and competition. So if you are a bank looking to innovate, this may be a good opportunity to show your regulator that you have risks under control.
BaaS is different from traditional outsourcing - it is not strictly a client/service provider relationship; it is a partnership where the non-bank BaaS partner may have as much at stake in terms of its own reputation with its customers. BaaS risk management is as much about good governance and effective communication and collaboration structures, as it is about contract terms and top-down security audits.
What should a bank be prepared to demonstrate to its regulator when it wants to set up a BaaS program with a vendor or fintech?
Here are some areas to think about.
- The regulator will probably want to see your partnership agreement with the technology vendor and your BaaS business partners. This is where all critical details on roles and responsibilities are set out.
- They may want to look at the partner's app, their marketing and an overview of the technology platform.
- They may want to see operating procedures and how you will delegate responsibilities for financial crime monitoring, consumer protections and other obligations.
- Regulators are questioning governance, accountability, and controls.

The regulator may be asking questions such as:
1. Does the bank understand what it is getting into?
What is the bank board's understanding of the business case for the BaaS program, including P&L and balance sheet impacts over the term of the arrangement?
2. Which features and functions are provided by the bank, which by the BaaS partner and any other service providers?
The operational structure of BaaS products can vary and the bank needs to understand which components it controls and maintains, and which are provided by others. This includes the consumer-facing app, the core customer accounting system, transaction processing, card issuance and payment system connections among others, and back-up arrangements for all of the above.
3. Is there an effective jointly owned risk governance process in place?
Does the BaaS program have its own risk and compliance committee and governance structure? Does the bank's risk and compliance team liaise regularly with those of its BaaS partners?
4. How is incident management handled?
Is there a joint escalation process for managing incidents set out in operational procedures? Who is responsible for notifying regulators in the event of an incident, such as a cyber-breach or major outage?
5. How does the bank assure itself that BaaS partners are sustainable and are effectively managing risks?
What is the due diligence process for BaaS partners? Does each BaaS partner have its own compliance staff who understand the obligations of operating in a regulated financial services industry?
6. Who has the final say on product features, customer fees and rates?
What is the ongoing governance process for key product decisions, such as new product features, fees and interest rates, and customer communications?
7. Are customer funds adequately safeguarded?
If the BaaS arrangement includes raising deposits or customer funds, are these funds held legally as deposits (or other liability) of the bank? What happens to customer funds if the BaaS partner becomes bankrupt/insolvent? Has legal advice been sought?
8. What are the operational controls and funds reconciliation processes and who is responsible for implementing these?
Are customer funds held in separate accounts managed by the bank or does the partner have access to these funds for its own purposes? What regular (daily) reporting on account and funds reconciliation is provided to the bank's operational management?
9. Do customers understand who is providing services and where to go for help?
Are Terms and Conditions clear about which entity is providing which products and services?
10. What is the potential impact on the bank's risk profile?
If the arrangement involves lending, what is the expected and actual loan performance relative to the bank's proprietary channels and how is this being monitored?
11. Are there reputational or conduct risks to the bank?
Is the BaaS partner using the banking relationship to evade or arbitrage applicable regulatory requirements? Could the bank be viewed as standing behind any non-banking products provided by the partner?
12. Is there a clear and realistic exit plan?
What are the terms of a BaaS contract termination? Who controls communications to customers in an exit scenario? What happens to customer data upon contract termination?
At Staq, we pride ourselves on putting compliance readiness at the heart of everything we do. We have helped our partners answer these and many other questions from their regulators or other relevant stakeholders. If you are looking for BaaS and EmFi solutions but the regulatory landscape worries you, get in touch with our team and let’s build a secure and efficient framework together.
Contact a Staq Expert to learn how we can help you launch BaaS and EmFi solutions while staying ahead of regulatory requirements.