BaaS Faces Regulatory Reckoning: OCC and FDIC Actions Underscore Growing Scrutiny

Banking-as-a-service (BaaS), as a business model, promises to reshape financial services.

And a drumbeat of regulatory actions and continued scrutiny from a veritable alphabet soup of regulators promises to reshape BaaS.

The model, generally speaking, is one in which non-banks gain access to banking features, connecting to FinTechs and banks (who in turn collaborate to provide that infrastructure to other firms). The businesses that gain access to those banking products and services can in turn embed those offerings as they reach end customers. 

For the client firms (and for neobanks too), and for the banks seeking to innovate, the benefit is that they don’t have to build their own back-end systems to handle those services, as customers embrace embedded finance and virtually issued cards (to name but two examples).

But the BaaS relationships are on regulators’ radars, resulting in enforcement actions, especially against smaller banks that are operating with FinTech partners to issue cards and enable other banking-related services.

This month, and as noted by PYMNTS this week, the Office of the Comptroller of the Currency (OCC) announced an enforcement actions against Axiom Bank of Maitland, Florida, alleging Axiom had “outdated and questionable practices” that jeopardized its compliance with AML laws.   

In addition, sites such as FinTech Business Weekly have reported that former company executives have filed suit against the company, alleging retaliatory activities from the firm in the wake of concerns raised about BaaS partners and activities.

The OCC’s enforcement action specifically cites the need to set up — and submit to the OCC — written plans related to the “risks associated with money laundering and terrorist financing and other illicit financial activity, with particular attention to the Bank’s pre-paid card and merchant processing partnership programs.” 

The consent order also describes “a written customer due diligence  program to ensure appropriate collection and analysis of customer information when opening new accounts, when renewing or modifying existing accounts for customers.” 

Also: “Effective immediately, the Bank shall cease adding (i) new merchant processing partnerships, (ii) prepaid card partnerships, or (iii) additional merchants to a merchant processing partnership” until the OCC has reviewed and offered no objection.

The Axiom news follows other actions from regulators — in this case, the Federal Deposit Insurance Corp. (FDIC) — taken against Sutton Bank and Piermont Bank, also via consent orders. The orders spotlight issues with third-party relationships and BaaS activities.

In the order against Piermont Bank, which is based in New York, the FDIC said, “The FDIC considered the matter and determined, and the Bank neither admits or denies, the bank engaged in unsafe and unsound banking practices relating to” internal controls and systems appropriate for “the nature, scope, complexity, and risk of its Third-Party Relationships.” 

Piermont is required to detail more fully its third-party relationships, “the nature of the business arrangement and any associated Bank Activities or proposed new Bank Activities and the anticipated volume of these Bank Activities.”

Separately, Sutton Bank was ordered to develop and implement a revised plan that “Includes the appropriate assessment and oversight, both initial and ongoing, of any entity or party that has entered into a business relationship or arrangement with the Bank … wherein any AML/CFT regulatory requirement or obligation of the Bank is outsourced to the Third Party” in compliance with the Bank Secrecy Act.

As reported in September, Financial Institutions, the bank holding company, owner of Five Star Bank and Courier Capital, announced “an orderly wind down” of its BaaS offerings. CEO Martin Birmingham said at the time that the decision followed an internal review that considered factors such as BaaS’ contribution to the company’s results and regulatory changes, among other considerations. 

The BaaS concept — and the benefits therein — are likely to endure, we note. The PYMNTS Intelligence/NCR Voyix report, “Embedded Finance and BaaS: From Marketing Buzz to Banking Bedrock,” shows the integration of application programming interfaces (APIs) and the joint efforts with FinTechs help underpin digital banking’s expansion, and embedded finance in particular. Roughly half of financial institutions (FIs) have augmented their BaaS activities and 79% of FIs state that banking will be embedded in everyday consumer and commercial facing activities.

In an interview over the summer,  Ingo Payments Chief Revenue Officer Lydia Inboden told PYMNTS that the BaaS industry might be going through a period of upheaval, but direct relationships enable a more thorough vetting of FinTechs to ensure satisfaction of anti-money laundering and other compliance programs.

“The financial institution needs to be able to show proper oversight into all those downstream partners,” she told PYMNTS.

The post BaaS Faces Regulatory Reckoning: OCC and FDIC Actions Underscore Growing Scrutiny appeared first on PYMNTS.com.