🏦 Thoughts on BaaS Risk Management
Updated: Oct 27, 2022
It is no coincidence that several connections reached out in the last few weeks to ask about embedded finance and Banking-as-a-Service (BaaS). They have developed to a scale that nobody can ignore anymore.
Having spent half of my career working with non-financial brands, I shared my candid opinion:
Although there is much room for growth given technology advancements and consumer demand, it takes a lot of work (more than many have realized) on both sides of the partnership to make BaaS a sustainable success.
One key component is risk management.
OK, take that with a grain of salt since it is from a risk guy.
However, it is also no coincidence that two events earlier this month had the industry chattering:
The disclosure of a restrictive agreement between Blue Ridge Bank and the OCC;
The remarks from the OCC chief on bank/fintech partnerships.
As the BaaS model gains strength, it has to take on greater responsibility.
How does risk management work under BaaS? What are the current challenges?
Here are some observations and thoughts, against an adapted risk management framework.
🔲 Regulatory Goal and Path
◾ The regulator is often referred to as part of “the 4th line of defense” in the risk management framework of a financial institution, but its main goal is to manage systemic risk.
Thus it seems an unusual move that the OCC stipulated that every new fintech partner Blue Ridge Bank takes on has to go through the OCC’s review.
But it is an example of what happens when the 3 lines of defense fail: the 4th line feels the need to step in.
In the long run, I don’t see regulators wanting to be involved at such a granular level of operations - only when an effective 3 lines of defense can be established.
◾ The industry does not like “regulate-by-ruling”. Clear guidance is preferred.
However, regulation always lags innovation. One can argue that financial innovation is essentially regulatory arbitrage.
Thus the lack of regulatory clarity simply reflects the nature of the game.
◾ Regulators have apparently increased scrutiny of the banks involved in BaaS partnerships. It is a realistic path for regulators to act quickly within their existing authority.
Just as the CFPB is investigating Goldman Sachs, not Apple directly.
🔲 A Strong Partner Bank is Needed
◾ Under BaaS, the 2nd line and 3rd line functions are performed by the broad risk management and audit functions within the partner bank. Those teams have to be strong.
Remember, the 1st line - now fintechs and non-financial brands - does not necessarily have the risk and compliance experience. In many cases, they look to the partner bank for guidance.
If the partner bank has weak 2nd and 3rd lines, or in the worst case turns a blind eye to questionable activities, the bank is not playing a risk defense role anymore.
It becomes an amplifier of high-risk activities.
◾ Another challenge is how the partner bank can gain visibility into the first line’s activities. That is not easy, as those activities take place under a different roof.
Nevertheless, seeking that visibility is a must - in order for the partner bank to effectively manage financial and compliance risk, and to serve its partners’ business needs.
Also, if it is not visible to the partner bank, it is not visible to the regulator, who would have difficulty assessing the systemic risk.
◾ Now enter multiple relationships. This is the whole idea for a partner bank - to quickly scale up by riding the BaaS opportunity.
Remember, even one relationship can take great effort. Now there are multiple to manage.
Each business has its own nuances. Not understanding them well could become a risk factor.
◾ The bottom line: without a strong partner bank, risky activities will take advantage of this weak link to quickly rush through the gate, with scale.
Think about something like the subprime mortgage playing out in this setting. The origination of risky loans and the distribution of securitization would be much faster, with the aid of today’s technology.
🔲 First Line Better Be Disciplined
◾ Under BaaS, the 1st line of defense resides with fintechs/non-financial brands, who design products and interface with customers.
The question is, do these operators understand that they need to play the 1st line of defense to protect their own businesses?
This is something large banks have promoted relentlessly to their employees in the last decade. It is best to spot risks early during daily business activities.
◾ Some of the fintechs/non-financial companies operate more like technology companies - good for them - being mobile and able to seize growth opportunities quickly.
However, risk cannot be ignored in financial services. Risk often lags, but it will show up eventually.
There are some recent examples in BNPL and neobanks - a lack of risk discipline from the start eventually hinders their growth or threatens their very survival.
◾ Thus it is beneficial to have risk management and compliance expertise within the 1st line. That should be a core component when the financial products are designed in the first place, not an afterthought.
Fintech/non-financial brands had better have risk and compliance staff of their own, instead of relying entirely on the 2nd line at the partner bank, which might not have full-fledged expertise either.
If the business scale does not warrant it, a fractional chief risk/compliance officer would be helpful to set up the right framework.
Risk management has unique challenges in the more fragmented BaaS model, as the duties are segregated under different roofs.
However, the 3 lines of defense framework can still work - but only when each party fully understands its risk management role and builds up its capacities accordingly.