The Meteoric Rise of BaaS Models in the Modern Financial Landscape
In 2011, Marc Andreessen penned an influential essay claiming, “Software is eating the world.”
Over the next decade, this prediction manifested in the banking sector through Banking-as-a-Service (BaaS), and that bite took a particularly significant chunk from the financial industry, as highlighted in our 2022 BaaS Roundup and 2023 roundup on The State of Embedded Finance.
BaaS shifted the spotlight onto on-demand, modular, and cost-effective banking services accessible even to non-banks and unlicensed fintechs. This shift initiated a widespread surge of new entrants – from those providing and enabling BaaS to those leveraging BaaS to launch personalised financial products for underserved segments.
This wasn’t just a shift – it was a revolution. A Cambrian explosion of players rose, each wielding BaaS to reimagine what banking could be. From sponsor banks offering their charters like an appetiser to venture-backed middleware platforms cooking up compliance and operations as side dishes, the feast was full of surprising flavours. KYC, risk monitoring, reporting, core banking, loan underwriting – everything became bite-sized and served a la carte. Non-banks and nimble fintechs swarmed, feasting on a modular, on-demand buffet of banking capabilities. Armed with this smorgasbord of “as-a-service” options, they unbundled financial products like Michelin-starred chefs, crafting hyper-specific dishes for niche palates left starving by the incumbents. This was the era when the ‘as-a-service’ aspect of BaaS reigned supreme.
The incumbent mega-banks watched aghast as their business models were reimagined, challenged, and devoured. Well, almost! In late 2022, regulators, initially content to watch the culinary chaos unfold, began to take notice. The unbundling frenzy, followed by the re-bundling by larger players, was all a bit much for the regulators to swallow. In 2023, regulatory bodies intensified their scrutiny, primarily focusing on the ‘Banking’ aspect of BaaS, critically examining the deconstructed value chain.
From Feast to Famine: BaaS Faces Global Regulatory Squeeze
Gone are the days when banks could simply outsource compliance headaches to BaaS middleware platforms and end-user-focused fintechs. Regulators are now holding banks accountable for the actions of their BaaS partners, ensuring thorough due diligence and risk management at every step. This applies not just to the banks themselves but also to the “middleware platforms” that facilitate these partnerships and the consumer-facing brands that leverage BaaS solutions.
While the focus on BaaS regulation is global, the approach varies by region. Here’s a glimpse into what’s happening:
- USA: The Federal Reserve Board of Governors (FRB), the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) are leading the charge, utilising methods like issuing guidelines, enforcement actions, monetary penalties, lawsuits, and cease-and-desist orders. The recent banking crisis in the US involving Silicon Valley Bank, First Republic Bank, and Signature Bank has further emphasised the need for stricter oversight.
- EU and the UK: European regulators have been rather stringent, as pointed out in our report “The State of Banking-as-a-Service in the UK & Europe” in collaboration with Toqio. In January 2023, the German regulator, Federal Financial Supervisory Authority (BaFin), imposed onboarding restrictions on Solaris, subjecting the fintech to a “permission proviso” for any future business partnerships. This decision followed an order of additional equity capital requirement after a banking supervisory audit of Solaris by PwC revealed compliance deficiencies. Modulr faced similar onboarding restrictions in the UK, as the Financial Conduct Authority (FCA) issued restrictions, preventing the fintech from engaging new partners, including agents and distributors who use its payments infrastructure for cards or accounts. In March 2023, the Bank of Lithuania imposed identical onboarding restrictions on PayrNet, the local subsidiary of Railsr. Subsequently, PayrNet’s e-money licence was revoked three months later for breaching anti-money laundering (AML) and combating the financing of terrorism (CFT) policies, along with contraventions of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions, the Law on the Prevention of Money Laundering and Terrorist Financing, and the Law on Payments.
Navigating the Changing Tide of BaaS Models in the USA
The regulatory framework for banks in the US is structured around permissive and restrictive requirements, forming a legal boundary referred to as the regulatory perimeter. Banks operating within this perimeter are allowed to engage in banking activities, subject to extensive laws, regulations, and federal banking agency oversight. Nonbank entities outside this regulatory perimeter are governed by alternative laws and restrictions, primarily at the state level, but also including federal consumer protection regulations when involved in other financial and non-financial activities. Regulators perceive the provision of financial services through BaaS partnerships as a distinct departure from traditional banking, necessitating a new approach. According to Michael Hsu, the acting comptroller of the OCC, the BaaS model signifies the “de-integration” of banking, creating challenges for customers, regulators, and the banking industry in delineating “where the bank stops and where the tech firm starts.”
In 2023, the FDIC unleashed its wrath in a no-holds-barred crackdown on predatory lending practices. In February, the regulator downgraded Transportation Alliance Bank’s (TAB) Community Reinvestment Act (CRA) rating from “satisfactory” to “needs to improve” over funding predatory puppy loans, predatory auto repair loans, and predatory loans to service members and veterans through its fintech partner EasyPay.
In April, the FDIC issued a cease-and-desist order to Cross River Bank, citing non-compliance with fair lending laws and oversight weaknesses with fintech lending partners. The order resulted from a 2021 review, labelling the bank’s internal controls, information systems, and credit underwriting practices as “unsafe or unsound.” The consent agreement mandated increased board supervision and thorough due diligence, corrective actions, enhancement of fair lending and third-party risk management compliance programs, and prior FDIC approval for new fintech partnerships and credit products.
Federal regulators increased scrutiny of companies’ compliance with AML and Bank Secrecy Act (BSA) obligations. Metropolitan Commercial Bank (MCB) faced fines of $14.5M from the FRB and $15M from the New York Department of Financial Services (NYDFS) due to failures in third-party risk management and BSA/AML compliance, related to MCB’s association with prepaid debit card issuer MovoCash from 2016 to 2020. In addition to the imposed penalties, MCB entered agreements with the FRB and NYDFS to strengthen board oversight, enhance the customer identification program, improve the customer due diligence program, and fortify the third-party risk management program.
The FDIC also intensified actions on fintechs involved in misrepresenting deposit insurance coverage and misusing the FDIC’s name or logo. CEX.IO Corp, Zera Financial, Captainaltcoin.com, Banklesstimes.com, Utoppia, Bodega, Money Avenue, OKCoin USA, and Unbanked were all found guilty of making false and misleading statements about their FDIC deposit insurance status and were issued cease-and-desist orders.
The “Novel Activities Supervision Program” was introduced by the FRB to enhance oversight of complex, technology-driven partnerships between banks and non-banks for banking services. Additionally, joint guidance was issued by the FDIC, the FRB, and the OCC, providing guidelines for managing risks associated with third-party relationships. These actions further indicate the proactive approach the US regulators took to ensure that banks and fintechs are held accountable for their risk management practices.
Amidst the dark clouds of compliance, BaaS finds its silver lining
Despite the stringent stance of the regulators on BaaS, they were not immune to legal challenges, exemplified by a notable case where Opportunity Financial (OppFi) took legal action against the regulatory measures and emerged victorious in the California Superior Court. The prolonged legal dispute between the California Department of Financial Protection and Innovation (DFPI) and OppFi revolved around determining the “true lender” in the BaaS arrangement. OppFi collaborates with FinWise Bank to provide unsecured consumer loans in California. As FinWise operates under a Utah charter, it benefits from interest-rate preemption according to the Federal Deposit Insurance Act (FDIA). This allows FinWise to issue loans under Utah’s Consumer Credit Code, permitting lenders to establish “any interest rate,” contrary to California’s Consumer Financing Law (CFL), which imposes a 36% annual interest rate limit. The DFPI contended that OppFi violated the CFL by being the “true lender” instead of FinWise.
In November 2023, the California state court rejected DFPI’s motion for a preliminary injunction against OppFi, asserting that the DFPI failed to demonstrate that the OppFi-FinWise partnership was a mere sham and subterfuge. The court stressed that there was insufficient evidence of FinWise acting as a puppet, pointing out the bank’s use of its own funds for loan origination, ownership retention, and sale of loan receivables to an OppFi affiliate within days of origination. Additionally, the court noted FinWise’s substantial financial risk, ongoing exposure to economic fluctuations, and oversight of compliance and credit models developed by OppFi.
The Path Ahead: Collaboration, Consolidation, and Cleansing in BaaS
As we look towards 2024, the BaaS sector stands at a crucial juncture. Compliance and collaboration are key priorities for BaaS players, essential for navigating the complex regulatory landscape and fostering sustainable growth. The sector is also anticipated to consolidate significantly, with larger, more established players likely acquiring smaller, financially constrained counterparts. This consolidation phase is not just about market dynamics but also about strengthening the foundation of the BaaS ecosystem.
Moreover, the combined forces of market dynamics and regulatory pressures are set to play a critical role in “cleansing” the sector. These forces will likely weed out entities that fail to align with the necessary compliance standards, ensuring that only those committed to integrity and operational excellence remain. These developments will collectively contribute to a more resilient and transparent BaaS landscape, setting a solid foundation for the future of financial services.