To Avoid Hitting a Regulatory Wall, Don’t Offload Compliance to a BaaS Provider

Fintechs need to prepare for evolving regulations by finding a BaaS provider that empowers you to manage compliance
,
July 28, 2022
A train labeled "fintech" traveling on tracks headed towards a clear path away from a forked path that leads to a brick wall labeled "regulators"

Key Takeaways:

  • Bank collaboration for compliance: Fintechs should strategically collaborate with bank partners to take ownership of compliance, aligning with evolving regulatory dynamics.
  • Drawbacks of outsourcing compliance: Offloading compliance models to BaaS platforms can lead to regulatory gaps and compromise user experiences.
  • Long-term viability in BaaS partnerships: While outsourcing compliance may seem attractive, industry experts say it's unsustainable and urge direct bank-fintech partner involvement through the right BaaS model for long-term success.

As embedded finance and Banking as a Service (BaaS) continues to gain wider adoption, the industry as a whole has attracted greater regulatory scrutiny — with implications for banks, fintechs, and the BaaS providers themselves. 

For fintechs, finding the right BaaS provider can make all of the difference as different BaaS platforms have starkly divergent approaches to handling compliance, with some better structured to help you deal with regulatory crackdowns in the long-term.

BaaS providers and compliance approach

Not all BaaS providers are created equal. At its core, BaaS providers are the technological bridge between fintechs and chartered banks and enable both parties to easily work together. 

Some fintechs choose to offload compliance to the BaaS provider altogether for short-term convenience. But as we’ve seen in recent regulatory actions, If fintechs aren’t prepared to take ownership of their own compliance, they also won’t be prepared to meet ever-changing regulatory demands. This can put their whole business at risk. 

Treasury Prime is different from other BaaS companies because we help our clients stand up their own compliance program that is tailored to their specific risk profile, empowering them to stand up to increased regulatory scrutiny and combat fintech fraud. As part of our approach, we integrate directly with  top-of-line third-party providers including Alloy, Cable, and Unit21 to offer specialized solutions for your fintech compliance program. 

How is BaaS regulated right now?

Federal regulators have made it clear that they have their eyes on banking as a service. Just last year, the Consumer Financial Protection Bureau invoked its dormant authority to regulate non-bank entities like neobanks and other consumer fintechs while the Office of the Comptroller of Currency has released statements advocating for stricter oversight of the bank-fintech relationship as the lines between banks and fintechs blur. 

Fintech BaaS scrutiny

It shouldn’t come as a surprise that regulators are painting a target on the back of BaaS. BaaS is a booming industry. The embedded finance market is expected to reach $230 billion in 2025, up from $22.5 billion in 2020. Coupled with the fact that these direct bank relationships with non-banking fintechs are relatively new, it leaves the issue of compliance in murky waters.

The explosive growth of the BaaS space and fintechs, in general, have precipitated greater regulatory attention. And the current ecosystem makes clear, as Fintech Business Weekly founder Jason Mikula said in a recent — and highly buzzed about — article, that the banks partnering with BaaS providers are still ultimately responsible for ensuring compliance with banking laws and regulations, including the Bank Secrecy Act. 

Yet notwithstanding this fundamental premise, it’s not totally black and white. While banks may be responsible for compliance, fintechs play a role as well in knowing their end users, guarding against nefarious conduct, and implementing fintech fraud detection measures as regulations change. In an interview with Treasury Prime, Mikula says that because many fintechs tend to partner with smaller community banks, the banks may lack the internal infrastructure as well as industry expertise to enforce compliance optimally on their own. That means it’s incumbent on fintechs and their BaaS providers to work with specialized third-party solutions for fintech fraud prevention.

Maintaining Baas compliance

When it comes to BaaS, banks aren’t — and shouldn’t be — maintaining compliance alone. Their fintech partners should own at least some if not all of its compliance journey and work in concert with their bank especially as federal regulators look to clamp down on how fintechs are perceived and examined from a regulatory perspective. Unfortunately, most BaaS providers structure their models in a way that does not support this relationship. 

What role should a BaaS provider play in compliance?

Many BaaS providers tend to market compliance as a bundled offering, essentially absorbing compliance responsibilities from the fintech, and using internal teams to review any workflows related to compliance. Treasury Prime’s Associate General Counsel and Vice President of Compliance, Sheetal Parikh says this model has many limitations from both a brand management and regulatory lens.

“In this model fintechs don't know what data points are being reviewed and validated.” Parikh explained. “So if a fintech’s customer ends up in a manual review and doesn't pass KYC, the BaaS provider’s own compliance team reviews the end user in the manual review queue, which could take days, weeks. In this paradigm, a fintech’s ability to onboard its end customer is entirely dependent on the BaaS provider’s compliance team, having the potential to lead to a bad customer experience as well as a fragmented regulatory review.”

Outsourcing compliance to a BaaS provider can disrupt the customer experience and make it more difficult to onboard new customers. If a potential customer is flagged during the KYC process by the BaaS provider, the fintech has no visibility into the basis of escalation and has no say into assessing whether the perceived risk or escalation has any merit. As the primary source of contact between itself and the end user, a fintech is best positioned to understand whether a user indeed poses a true risk and assess additional context that can serve as an explanation or mitigation to an initial escalation point.

Additionally, a fintech is best positioned to understand trends and behavior that can signal a potential suspicious customer. A one-size-fits-all KYC process from a BaaS provider isn’t going to meet the nuanced needs of different fintechs with drastically different user bases and use cases.

“Aside from the regulatory considerations, there's the brand management and the customer journey,” Parikh said. “As the fintech, if you're not dealing with any piece of KYC for instance, and you're offloading it to a BaaS provider then all of a sudden you see some fraud and accounts just start getting closed, those customers are going to call the fintech. It's inevitable that you have to have some basic understanding of the types of fraud potentially impacting your platform and how to institute basic fraud management measures.”

Why outsourcing compliance responsibilities is unsustainable

Despite these considerations, fintechs do choose to go this route and partner with a BaaS provider that handles compliance on their behalf. Why do these fintechs choose this type of model?

Understandably, on the surface, it looks attractive. Compliance is a complex undertaking and especially as a young startup with limited resources, passing off compliance in lieu of focusing on a core product offering can feel more important. 

“If you are at a very early seed stage you might be trying to prove if there is product market fit.” Mikula said. “When you are that early, maybe it does make sense.”

However, Mikula makes it clear that even early-stage fintechs can’t fully divest themselves of compliance responsibilities.

“I wouldn't describe it even as being able to fully outsource compliance,” Mikula added. “Because it still requires interfacing. Somebody at the fintech [will need to be] interfacing with counterparts at the BaaS platform or at the partner bank.”

Parikh agrees. Outsourcing compliance, while attractive in the short term, isn’t feasible and isn’t sustainable in the long term.

“The reality of this space is that it's so regulated, partly because you're dealing with people's money and people's data,” Parikh said. “These two areas are so highly protected and regulated that this idea of, ‘I don't want to deal with it,’ or ‘I want somebody else to do it for me’ is not a sustainable model in the long run because regulatory compliance is inextricable to the core of a fintech’s business.”

Watch our on-demand webinar about the increasing scrutiny around BaaS and fintech regulation and how it may impact fintech innovation in the future.

The Treasury Prime Baas compliance model

Treasury Prime’s BaaS model takes a diametrically different approach to compliance. Instead of directly handling compliance for partner fintechs, Treasury Prime instead provides the tools, resources, and guidance to equip fintechs to manage compliance internally. Treasury Prime also facilitates and encourages direct relationships between fintechs and banks to holistically address compliance.

Parikh likens Treasury Prime’s model to that of a traditional bank: Normally a bank teller is trained and prepared to determine if a customer may be acting nefariously. In Treasury Prime’s model, the fintech would be like the bank teller, essentially a gatekeeper.

“Fintechs are that first line of defense. They're the face that the end users see.” Parikh said. “So it's really imperative for them to have some role in compliance.”

How are fintechs prepared to take on compliance by using Treasury Prime? 

1. Risk assessment: Fintech receives a risk profile generated by Treasury Prime’s audit. This helps fintechs understand their own risks and helps in the bank-matching process.

2. Due Diligence: Fintechs are assisted by Treasury Prime to ensure that they supply the right information and documentation to banks to complete due diligence.

3. Communications: Treasury Prime advises on external messaging like marketing collateral and website content to make sure they are compliant and also has approval from the banking partners.

4. Bank Secrecy Act / Anti-Money Laundering: The Treasury Prime team develops a custom compliance solution that fits the fintech’s specific business (and business resources), laying the foundation for a scalable internal fintech compliance program. Treasury Prime partners with Alloy, Cable, and Unit21 to provide cutting-edge KYC and transaction monitoring solutions.

On top of this solution, fintechs also have access to a team with a deep history in banking and working with startups. As Parikh explained, the Treasury Prime team speaks both languages of the bank and fintechs and uniquely positions Treasury Prime’s compliance solution to foster long-term growth.

“​​We won’t do it for you, but we’ll do it with you.” Parikh said. “We’ll give you the tools to support you through your compliance journey. Other providers view compliance as a checkbox, a one-time endeavor. We want to build a long-standing relationship where we have our compliance team and our customer success team really supporting the fintech throughout.”

These models clearly approach compliance differently, but why should a fintech opt for a BaaS provider like Treasury Prime? Simply put, fintechs that choose Treasury Prime are best suited to weather any future regulatory changes — of which we’ve already witnessed the beginnings.

Federal and state regulators are already tightening the vice on embedded finance players. In Mikula’s article, he cites recent incidents with fintechs, banks, and even BaaS providers that are facing cases alleging questionable behavior and deceptive marketing. 

Fintechs likely won’t be off the hook for enforcing compliance in the long term, and fintechs that aren’t preparing themselves now for the changes in regulation that are already being forecasted will have a much more difficult time adhering to new policies than those that have already established a compliance framework. 

“Compliance really is a journey that kind of lives with the fintech.” Parikh said. “And that's so inherent in how regulated the space is, which is what we're already seeing. It's not a one-and-done.”

And with tightening regulations, the responsibility of BaaS providers is now an open question. It is a very real possibility that because many BaaS providers are directly handling compliance — and in an opaque manner — that regulators may pull more tightly on the reins.

As a software company that isn’t directly tied to compliance measures, Treasury Prime’s fintech customers can be confident they not only will have a toolkit to work against shifting regulations but have a long-standing BaaS partner that will be flexible with the fluid nature of state and federal policy.

Treasury Prime’s compliance partners

Treasury Prime integrates directly with leading compliance, fraud detection, transaction monitoring, and other partners. Our integrations offer extensive visibility and control for end users, helping fintechs to customize their compliance program to their needs, and building trust with bank partners in the process. Here are some of our core partners.

  • Alloy: Global identity decisioning platform Alloy offers best-practice journeys for both commercial and consumer identity verification. Alloy offers access to more than 175 data sources, making it a powerful tool for fintech fraud detection and prevention. The KYC and KYB platform has helped hundreds of fintech and bank partners cut instances of fraud by 48 percent on average. 
  • Cable: Companies can leverage Cable, an all-in-one financial crime effectiveness testing platform, to ensure compliance with financial crime requirements as part of a fintech fraud prevention strategy. 
  • Middesk: Middesk provides business verification and risk assessment. The tool can be leveraged within our Alloy integration as part of Alloy’s best practices for commercial identity verification.
  • Unit 21: No-code platform Unit21 enables neobanks, fintechs and their partner banks to monitor suspicious behavior. The RegTech company enables fintechs to customize rule sets and models to detect and address suspicious activity, while partner banks retain transaction monitoring responsibilities.

What should fintechs look for in a BaaS provider?

Growing fintechs are entering somewhat uncharted territory when they partner with a BaaS provider. Boundaries and conditions aren’t fully mapped out in the BaaS and embedded finance space, so fintechs need to choose a BaaS provider that can help them navigate the regulatory landscape and set them up for success.

We’ve already mentioned the advantages of partnering with a BaaS provider that enables a fintech to own compliance rather than taking it on the fintech’s behalf. Mikula in his interview with Treasury Prime also highlights the importance of having a large bank network. 

“There's also a balance sheet management piece. If you go out and open up tens of thousands, millions of customer accounts, and all of a sudden deposits are flowing into a bank’s balance sheet, that has very real implications for how a small institution manages its balance sheet and its capital requirements.” Mikula explained. “Whether it is a fintech working through a platform or working directly with partner banks, having multiple banks with which it works allows it to better manage its risk.”

Parikh corroborates this sentiment.

“Without any other bank partners there is never the option of portability to the extent a fintech outgrows its bank partners for any reason. Leveraging Treasury Prime’s multi-bank network, we are able to — and we have — taken a fintech from one bank to another bank in certain instances.” Parikh explained. “With our model, fintechs don’t face the risk of over-concentration or dependency because there are always other bank options to consider. This is especially relevant in light of increased regulatory scrutiny. If you have a regulator come in and tell a bank that they need to stop onboarding new card programs, that could really impact a fintech.”

Treasury Prime has the largest growing network of banks with over a dozen for fintechs to partner with, including banks that are able to partner with enterprises in emerging industries like crypto and cannabis. 

Mikula also suggests looking for a BaaS provider that can grow with the fintech. As Mikula explained, fintechs have a lifecycle, and they need a BaaS provider that can help them across every stage of their growth.

Parikh had similar advice, especially regarding the regulatory cornerstone of compliance. Compliance can feel daunting, but with the right toolkit and expert guidance, fintechs of any size can benefit from bringing as much of the compliance process in-house as possible. It not only spells out benefits for long-term growth but for stronger and more stable relationships with partnering banks.

“Regulatory compliance is often viewed as such a burden and almost as this monster with five heads.” Parikh joked. “But what we say is, if you can lean into the fact that you are operating in this regulatory environment, it oftentimes does have synergy with better business and can lead to better quality customers.”

Treasury Prime is the BaaS provider with the largest network of banks and a compliance solution built for the future. If you’re interested in learning more about how you can meaningfully grow your business while managing your compliance, contact us

Related fintech regulatory compliance articles

Fintech Transaction Monitoring Behind the Scenes

Identity Verification with Alloy

How are Neobanks Regulated?

Stay on Top of Fraud and Risk Mitigation with Treasury Prime Partners

Setting up the Right Fintech Compliance Program for the Size and Stage of Your Company

← Back to blog