The Growing Compliance Burden for Sponsor Banks in Banking-as-a-Service Models

For a BSA Officer, getting a cease and desist order from a prudential regulator can be career altering.

While the fintech revolution has opened doors for consumers, sponsor banks face mounting pressure to get compliance right. In 2023, federal regulators levied regulatory actions against several banks that provide Banking-as-a-Service (BaaS) for fintechs. 2024 looks to be just as busy on the regulatory front.

How We Got Here

Leveraging fintech partnerships and expanding access for customers have been a boon to sponsor banks. This is especially true for smaller banks, allowing them to expand their deposit base and customer profiles as well as take advantage of technology that may be challenging in a straight up retail environment.

This has made for a competitive environment to attract fintech relationships, but has also led to some banks appearing to let the fintechs “drive” the relationship.

Based on recent consent and cease and desist orders, this approach isn’t working well.

The most successful BaaS environments are built on a true partnership between sponsor and fintech. When it comes to sponsor bank relationships, the fintech must recognize that the bank carries the risk and owns the charter, while the bank must recognize the assets a fintech brings to the bank — such as market reach and innovative technology.

Regulatory Crackdown on Sponsor Banks

After the collapse of Silicon Valley Bank and other regional banks in 2023, regulators have stepped up enforcement measures for capital requirements, fraud prevention, fair lending standards, and anti-money laundering/KYC regulations. More often now, regulators are requiring that sponsor banks have demonstrable control over who fintechs are onboarding as customers. This goes beyond basic customer identification programs (CIP) and into oversight of fraud settings, document verification, and fraud scorecards as well as behavioral transaction monitoring, Customer Due Diligence and Know Your Customer (CDD/KYC) and customer risk ratings.

Bottom line: a sponsor bank is required to understand all operations of the fintechs that are leveraging their charter.

Disproportionate Impact on Smaller Banks

Sponsor banks have been disproportionately affected by enforcement; despite making up about 2% of U.S. banks, they accounted for 13.5% of severe enforcement actions last year. That number is steadily rising, and the impacts can be severe.

Recently, several BaaS banks received consent orders or cease and desist orders and were forced to pay large settlements or fines. Metropolitan Commercial Bank, for example, paid a $30 million fine.

Cease and desist orders last on average for about five years, but can extend as long as 7-10 years depending on the severity of the order and the operational impacts. There are also a host of unknown or informal enforcement actions requiring sponsor banks to demonstrate controls or pay the price. These actions are precursors to formal orders.

But fines are just the beginning. Remediation costs can amount to 12x the original fine over the first 18 months. Enforcement actions often result in loss of new programs, vendors, reputational damage, and compromised business plans that cause long term disruption to your business.

In addition, a bank under a consent order cannot make substantive changes to grow their business; new vendors, fintechs, or changes to the business typically have to first be approved by the regulators. This makes organic growth nearly impossible.

Compliance Challenges Inherent to Fintech Model

Part of the problem is inherent to the fintech model. While fintechs offer mobile services that give more opportunities for those traditionally cut out of the banking system — young people or new-to-country demographics — they put their sponsor banks at greater risk of compliance issues. But even though a bank provides services through the delivery channels of another company, people who use the bank’s goods are still considered customers of that bank and are subject to regulations.

Banks prove they have controls by performing audits and reviewing policies, procedures, and controls at the fintech, but this lacks real-time data and automation. It’s critical that they have full oversight of intermediary providers, which often becomes difficult when working between two separate organizations. The days of relying on audit samples to display compliance are ending – it’s become necessary to prove that sponsor banks have control over the process, as if the fintech were another branch of their organization.

In order to demonstrate that they are actively managing risk, banks must shift to clearly show regulators they have a handle on their programs and portfolio to meet regulatory expectations.

If not, some consent orders can result in sponsor banks shutting down their fintechs partnerships entirely.

Bottom line: the fintech-sponsor bank relationship needs to be a symbiotic one that is carefully coordinated to assure a healthy ecosystem that’s a win-win for all parties.

The Path Forward: More Oversight

So what can we learn from these enforcement actions? The takeaways point to a clear theme. Best practices for the fintech sponsor bank ecosystems must be more open and transparent.

Improving compliance controls around digital identification has become a competitive advantage for fintechs and sponsor banks. The new trend in oversight is for sponsor banks to have the responsibility to run a Customer Identification Program (CIP) for fintechs. While ensuring one entity is performing compliance checks is good for centralization, it also forces sponsor banks to invest more in security and strains internal resources. Sponsor banks also run the risk of losing business to big banks that have established compliance practices and greater resources.

Implement a Solution with Clear Controls

To get ahead, BaaS providers should prioritize implementing a solution that provides clear controls and oversight and centralizes compliance data for complete transparency. Banks can also explore reseller arrangements as an option to standardize fintech compliance capabilities. A bank could contract with an identity verification software provider and then license it to its fintechs. This does demonstrate control but also adds the need for additional resources at the bank. Throughout the process, all parties should continue to conduct risk assessments to identify and address vulnerabilities.

Add Entity Resolution Procedures

At the next level of complexity, banks can add entity resolution procedures to help identify customers that have multiple relationships. Sponsor banks also have responsibilities to stay in line with OFAC and sanctions, a feature which can be consolidated into one solution. They can also help clarify Customer Due Diligence, Enhanced Due Diligence, and customer risk rating by using specific content around the risks of the bank. PEP, Adverse Media, Human Trafficking and other specific risk content can help drive better scoring and detection capabilities in the customer lifecycle.

Plan for Regulatory Updates

In the long term, the industry should expect more enforcement actions that force fintechs and sponsor banks to make changes. Regulators have focused on using older laws like the Bank Secrecy Act as enforcement over modern digital industries, but as in the case of new beneficial ownership laws, the industry should expect updates and new regulatory guidelines. Meanwhile, questions remain around what constitutes reasonable security and whether regulators will mandate protective measures or loss distribution through legislation.

A Solution to the Chaos

Sponsor banks are expected to prove that their controls are effective in a distributed model. These organizations will need to increase their compliance spending and keep upgrading their systems to match regulatory pressure. Managing an unwieldy stack of compliance solutions between two institutions is what’s getting sponsor banks in trouble; multiple vendors with different approaches and decision standards can introduce risk in both third party risk management and oversight and control. By reducing the number of vendors, you can increase visibility across your entire portfolio to mitigate compliance risk across your BaaS partners.

With Socure’s Control Center, you can achieve real-time oversight for decision logic, application flow, fraud rates, CIP/KYC approvals, watchlist cases and more with access to compliance KPIs through a single, no-code controls interface. These controls can create a collaborative environment to create demonstrable controls (and prevent enforcement actions).

Trusted by 90% of the sponsor bank market and more than 400 fintechs, Source helps you confidently accelerate growth and stay on the right side of regulators. By enforcing consistent organizational policies paired with a complete audit trail to prove compliance, sponsor banks can enable greater control and oversight, maximum consumer access, and increased automation.

Learn more about the Socure Control Center for sponsor banks here.