"Rent is Rising – The Rent-A-Charter Model Just Got More Expensive"  

Trevor N. Tanifum

August 25, 2022

Where there is smoke, there is fire.

The smoke: a recent flurry of regulatory activity in response to poor application of risk and compliance requirements in the bank-fintech partnership model.

The fire: existential risks to the bank-fintech partnership model and, by extension, the provision of financial services products.

The extinguisher: clear-eyed assessment of the current state, commitment to principles of safety and soundness, and considered strategy to manage risk and compliance.

Let’s take a step back.

The last few years have seen an evolution in the nature of the relationship between fintechs and banks. Early theories that fintechs would pose serious threats to community banks haven’t quite proven to be true. Fintechs’ ability to fully execute on their value proposition – that, by using technology, they can service more people, more quickly, and at lower cost – has been hindered by regulatory complexities. Due to the financial, logistical, and political challenges associated with obtaining their own bank charters, fintechs have struggled to compete directly with banks. Although the number of community banks has steadily declined the last few years, this decline is not at the hands of fintechs. Other things, yes; but not fintechs.1

Instead of direct competition, fintechs and banks have orchestrated mutually-beneficial relationships where fintechs create products and define the customer experience, while banks – the regulated entities – provide the infrastructure and regulatory authority to offer the underlying services and products. This is known as ‘banking-as-a-service’ (“BaaS”). In a traditional program manager relationship, the fintech is contractually required to maintain a subset of the regulatory compliance and risk management functions applicable to the products it offers. 

This fintech and bank relationship also created a new layer of market participants, known as ‘BaaS platforms’ or ‘middlewares,’ whose principal value proposition is to negate the costly and time-consuming interactions between banks and fintechs.2

The BaaS platform pitch is straightforward; if you are a bank, enter into one commercial arrangement and submit to one technological integration, but get the financial benefit of many. If you are a fintech, integrate with sophisticated APIs (as opposed to an outdated bank core) while also handing off some (or in some cases, most) aspects of your risk and compliance program and focus on what is most important to you – customer acquisition.

Commercially, this model has flourished. To provide just a couple of statistics, customer acquisition costs for financial institutions that partner with BaaS platforms are 82.5% to 95% lower than without,3 and projections of global revenues for the BaaS platform industry are as high as $12.2 billion by 2031, up from $2.5 billion in 2020.4

Unfortunately, a great deal of that commercial growth may have outpaced the maturity of the risk and compliance programs designed to support it, much to the discomfort of one group of stakeholders – regulators.

Regulators are charged with, amongst other things, ensuring that banks comply with a myriad of state and federal regulations, including those related to risk management, consumer protection, and anti-money laundering. The tools regulators use to oversee banks – such as mandatory reporting requirements and examinations – have sought to afford them a comprehensive and candid view into the relationships between banks and their end customers, and thus allowed regulators to observe banks’ compliance with applicable rules and regulations. The bank-fintech relationship has made this more difficult by placing the bank one or two steps removed from the compliance program and two or three steps removed from the customers. Commercial agreements by and between banks, BaaS platforms, and fintechs can be complicated, often leaving parties unclear about ownership of risk and compliance responsibilities.

This confusion can be compounded by the growth in capabilities of ‘regtech’ tools, which seek to expedite and automate many aspects of regulatory compliance. While these tools can be efficient, effective, and – in many cases – necessary, fintechs and BaaS platforms too often consider the adoption of a generic written policy and the acquisition of a regtech solution as satisfaction of their regulatory expectations. Then, instead of tailoring procedures and calibrating tools specific to each use case, some BaaS platforms adopt a one-size-fits-all approach. The end result is a ‘RACI’ matrix showing a bank that is not responsible or accountable, and a fintech that is not consulted or informed.

In the eyes of the regulator, however, there is no confusion about whom to blame. Banks are the regulated entities, customers are customers of the banks, and banks are accountable for weaknesses in risk and compliance programs. 

Recently, regulators have been making themselves clear:

  • An OCC-chartered fintech partner bank has been told it may no longer sponsor new fintechs, particularly those involving consumer use cases;
  • Another OCC-chartered bank was told to off-board its largest fintech client;
  • A state-chartered, Federal Reserve Board-supervised bank has terminated agreements with two promising, high-valuation BaaS platforms; and
  • An OCC-chartered, long-standing fintech partner bank has declined to support any new fintech programs proposed by its BaaS platform partner.

In contemplating this recent activity, four broad areas comprise the regulators’ concern:

  • Onboarding – the diligence required to safely onboard a customer is neither robust nor quantitatively tied to risk tolerance.
  • Compliance Management System (“CMS”) – compliance programs must be risk-based, tailored to each fintech, and neither the fintech’s nor the bank’s CMS can stop maturing post-launch, particularly as transaction volumes and risk increase.
  • Anti-money Laundering (“AML”) – AML programs are ‘cut-and-paste,’ and not tailored to the unique activities and risks of the fintech.
  • Electronic Funds Transfers: Regulation E (“Reg E”) – statutorily-mandated statements provided to customers must meet regulatory expectations and customer disputes must be handled pursuant to requirements.5

Considering the four areas above, one can see that regulators are taking issue with the very value proposition of this model. Consider the case of the typical BaaS platform, for example. A single BaaS platform will aim to take compliance responsibilities off the hands of one hundred fintechs — one hundred fintechs, with hundreds of thousands of combined customer accounts. That many customers naturally generate a lot of issues regarding AML, Reg E, and unfair, deceptive, or abusive acts and practices (“UDAAP”).6 That volume of activity cannot be resolved by a small bank compliance team, a small BaaS platform compliance team, and limited fintech compliance personnel. Furthermore, the BaaS platform will restrict the ability of its bank partners to interact with the fintechs, whose customers contractually belong to the bank. This creates safety and soundness concerns. When regulators eventually catch on, instead of working with the bank to remediate issues and build a regulator-approved model, the BaaS platform simply moves new or existing fintech partnerships to another bank, effectively trying to outrun the regulators’ implicit demand to modify the operating model.

Before I provide some guidance on how to address these issues, it is worth pausing to examine the big picture. As I mentioned at the top of this article, where there is smoke, there is fire. The potential impact of the recent regulatory activity could be vast.

  • For partner banks: sponsoring fintech programs can be a profitable business line, in addition to allowing banks to command tech-like valuation multiples. Partner banks could face incredibly expensive enforcement actions and remediation projects. They also stand to lose a valuable revenue stream or, in egregious cases, their entire charter.
  • For BaaS platforms: this business model relies on trust and volume; banks trust that BaaS platforms are owning or delegating compliance responsibility appropriately, while BaaS platforms onboard many fintechs, as quickly as possible. If banks are forced to monitor more closely, and BaaS platforms to onboard fintechs more slowly, the unit economics suffer, and the model becomes less viable.
  • For fintechs: cost and time-to-market for new products could increase exponentially if banks lose the ability to partner with BaaS platforms, requiring more fintechs to obtain state licenses and/or build full-fledged compliance programs.
  • For consumers: the majority of consumers will not suffer. However, any fintech serving the ‘unbanked,’ ‘underbanked,’ or ‘underserved’ should take note: the biggest impact on consumers of a collapse of the bank partnership model will be a restriction of fintech’s ability to foster financial inclusivity.7

Now, some good news. Although regulatory scrutiny is increasing, there are ways each of the market participants mentioned throughout this article can help inspire regulatory confidence in these partnerships. The table below illustrates, at a high level, how fintechs and banks should think about building programs that withstand regulatory scrutiny in the areas of concern.

Recommendations by market participant, across the areas of concern (Onboarding, CMS, AML, Reg E):

Bank

  • Improve the risk assessment process prior to onboarding fintechs.
  • Create a due diligence document request list that is comprehensive and ties directly to the type of product they are offering.
  • Verify that fintechs operationalize and adhere to their policies and procedures.
  • Improve staffing or outsource this part of the process.
  • Encourage ongoing improvement of BaaS platform compliance programs, including direct oversight of fintech CMS where justified by risk.
  • Refine nature and scope of audits over time to account for changes in BaaS platform clients.
  • Require more documented justification for program standards.
  • Require ongoing validations and calibration exercises.
  • Review staffing levels and alert dispositions.
  • Review write-ups of escalated cases (commonly called “unusual activity reports” or “UARs”) for insight into potential compliance issues.
  • Consider banks’ own transaction monitoring (“TM”) system and its appropriateness for these partnerships; create specific rulesets.
  • Review statements, Reg E dispute process, and logs.
  • Inquire into outputs of Reg E disputes; monitor dispute resolution trends.

BaaS Platform

  • Tailor onboarding process to client verticals, including due diligence and risk assessment.
  • Ensure transparency of customer risk ratings with fintechs, to ensure mutual understanding of customer risk ratings.
  • Where you own compliance on behalf of the fintech, generate compliance program modules that are specific to the client verticals and structures of each relationship, i.e., the program documents that govern your payments clients should not also govern your lending clients.
  • Improve overall compliance program over time, ensuring it is tailored to the changing mix of fintechs supported.
  • Create efficient and systematic processes for UAR escalation to bank partners.
  • Ensure staffing levels are commensurate with AML responsibilities, particularly where leveraging regtech solutions for the benefit of fintech customers.
  • Create efficient and systematic processes for collating and resolving Reg E disputes.

Fintech

  • Prior to commencing due diligence, be prepared to present a tangible plan for operationalizing the program.
  • Go beyond policy creation — develop artifacts and processes to support execution of policies.
  • Set appropriate expectations — going through bank partner onboarding is not a quick process.
  • Consider where you are in the journey and how regulatory expectations increase as risks increase, especially in areas like technology, processes, desktop procedures, and staffing. Seek expertise in mapping risk to appropriate program maturity level.
  • For ‘know your customer’ (“KYC”) / ‘know your business’ (“KYB”) — consider customer risk rating and enhanced due diligence standards.
  • For TM — perform coverage assessment and validate TM ruleset and thresholds, i.e., ensure you can justify why rules and thresholds were chosen.
  • Clear alerts on time and improve documentation over time.
  • Review standards and create a policy for resolving within timelines.
  • Ensure timely submission of logs to the bank.


In Conclusion

The advent of fintech marks one of the most significant developments in financial services since the Great Recession — it has created billions of dollars of fintech valuations and provided a lifeline to smaller banks that otherwise would have been limited by their traditional bricks and mortar footprints and local customer bases.

The bank-fintech partnership model can likely be thanked for much of the growth and success of fintechs. However, following years of sustained growth, this relationship appears to be under pressure.

The smoke led us to the flickers of a fire; it should be extinguished before it spreads. Now is the time for market participants to think carefully about their roles in managing risk and compliance.

1 The decline of community banks actually began with a series of policy changes in the 1990s that allowed big banks to become giant conglomerates, gobbling up market share and their smaller competitors. After the financial crisis of 2008, the federal government encouraged further consolidation by adopting extraordinary assistance programs to ensure the survival of the biggest institutions. Wilmarth, Arthur E., A Two-Tiered System of Regulation is Needed to Preserve the Viability of Community Banks and Reduce the Risks of Megabanks (January 15, 2015). 2015 Michigan State Law Review, pp. 249-370, GWU Law School Public Law Research Paper No. 2014-53, GWU Legal Studies Research Paper No. 2014-53, Available at SSRN: https://ssrn.com/abstract=2518690.
2 ‘BaaS’ is often used interchangeably with ‘middleware,’ but middleware is best thought of as a type of BaaS where a third party platform sits in between the bank and the fintech.
3 Dan Jones, Anosh Pardiwalla, Sara Zanichelli, The Rise of Banking As A Service, Oliver Wyman Insights, https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2021/mar/the-rise-of-banking-as-a-service.pdf.
4 PYMNTS, Why Every Bank Can Be, and Should Be, a Banking-as-a-Service Company, PYMNTS.com, (June 3, 2022), https://www.pymnts.com/news/banking/2022/why-every-bank-can-be-and-should-be-a-banking-as-a-service-company/.
5 12 U.S.C. § 5565. Section 1055(c) of the Consumer Financial Protection Act (“CFPA”) authorizes the Consumer Financial Protection Bureau (“CFPB”) to administer monetary fines for violations of the CFPA.
6 12 U.S.C. § 5536(a)(1)(B). Section 1036 of the CFPA prohibits “unfair, deceptive, or abusive” acts or practices. Areas that are prone to UDAAP risk include marketing materials, disclosures, product flows, and individual interactions with customers, including complaint management.
7 Without the bank partnership model, fintechs will be required to obtain requisite licenses or charters, which will drive up operating costs. This will make it difficult to provide certain types of products, such as low-cost financing, thereby denying valuable services to consumers.