State of Compliance in Embedded Banking
We’re a week beyond the buzz of Money 20/20, and while the prominent LinkedIn voices, newsbreakers, and media partners have all presented their post-show insights, a crucial theme appears to have been glossed over: where's the spotlight on “Trust & Uncertainty”?
Money 20/20 spotlighted “Trust & Uncertainty” within its agenda with no fewer than a dozen dedicated sessions and “Chatham House”-style meetings. You’d have been hard-pressed to find a spot at the expo without BaaS and Fintech regulation being discussed, particularly regarding industry stability and consumer protection.
This focus was echoed in the hundreds of meetings we had with innovators throughout the embedded banking sector. Budget controllers are also taking note, with one organization telling Cable “...with the Metropolitan Commercial Bank news, everyone at Money 20/20 is talking about compliance…we’ve bumped compliance to priority 1, alongside building payment rails.”
Regulatory Turmoil in Embedded Banking:
The regulatory landscape is changing rapidly, with clear signals from compliance watchdogs that the old guard and “checking the box” will no longer suffice. This follows similar pronouncements by other federal banking regulators, including the Office of the Comptroller of the Currency (OCC) going so far as to specifically call out the following areas of interest in their Fiscal Year 2024 Bank Supervision Operating Plan, with a heavy emphasis on BaaS:
- Operations and change management: Examiners will assess risks from new, innovative, or complex products and services, including BaaS arrangements and third-party relationships with Fintech companies, and assess the governance processes of banks with significant changes in operations, risk management frameworks, and business activities, such as using third-party service providers for critical activities.
- Consumer Compliance: Examiners will focus on new or innovative consumer products and services offered through third-party relationships, including with Fintechs or through BaaS activities, and examine compliance risk management systems, effectiveness of compliance functions by third-party service providers, and due diligence on third-party relationships.
- BSA/AML/CFT/OFAC: Examiners will assess BSA/AML programs and compliance with OFAC sanctions, with an emphasis on implementing the AML Act of 2020.
We recently hosted a webinar unpacking the Fed's Novel Activities Supervision Program (NASP).
The many banks, BIN sponsors, program managers, and Fintechs that we met with at Money 20/20 all recounted increasingly frequent and intense regulatory examinations and harrowing bank audits. Banks, BaaS providers, and payment platforms are now expected to operate under the microscope, where any lack of oversight could lead to significant repercussions.
Banks are being held accountable for their third-party partners’ compliance—highlighting the need for comprehensive BSA/AML strategies that adapt to these growing expectations and increased focus on oversight.
It is no longer a secret that banks, BaaS programs, and program management platforms have undergone significant scrutiny following the fall of FTX in 2022 and Silvergate, Signature, and Silicon Valley Bank earlier this year, but this continues to play out in public with recent turmoil at Solid, Metropolitan Commercial Bank, Synapse, and more.
Metropolitan Commercial Bank's (MCB) $30M fine for inadequate oversight of third-party programs underlines the high stakes involved in third-party risk management, particularly when it comes to prepaid card programs that can be exploited for fraud. This illustrates the heightened vigilance that regulators are now demanding from banks and Fintech companies alike.
The allegations against Solid Financial for falsifying revenue figures to attract investors raise serious concerns about the integrity of BaaS platforms and underscore the necessity for banks to stringently scrutinize their downstream partners and Fintech programs to ensure everything is buttoned up for compliance, risk management, due diligence, and monitoring. This exemplifies why regulators are intensifying their focus on BaaS banks and platforms, and the adequacy of their due diligence processes.
Our CEO recently issued an official statement on this subject; read the full release.
What We're Hearing About Additional MRAs and Regulatory Orders:
Recent boardroom and closed-door meetings are abuzz with the notion that these public MRAs are just the beginning: a number of private actions are currently being carried out, and the word on the street is that regulators are just getting warmed up. The fine levied on MCB is not an isolated incident but part of a crescendo of enforcement that's sending shockwaves through the industry. Compliance teams must brace for impact and adapt swiftly as this trend shows no signs of abating.
What’s more, what compliance teams have been doing to protect their organizations from financial crime for the past several decades is no longer cutting it. There is growing regulator demand for improved compliance data infrastructure.
These orders are not just “checks” on a list; they are calls to action for banks to implement real-time, dynamic monitoring of account onboarding, transactions, and customer interactions. They are also an open threat that says in no uncertain terms that dip sampling is obsolete and you must move towards automated testing.
Rumors Are Spreading About a BaaS Crackdown:
Rumors of a BaaS crackdown are not without merit, as regulatory bodies sharpen their focus on the sector. With industry titans falling from grace, the whispers in the hallways are turning into strategic meetings — all intent on deciphering the next moves of regulators and ensuring they're not the next cautionary tale.
The recent layoffs at Synapse—a significant player in the BaaS landscape—highlight underlying pressures that could signal a turning point in the industry. As Synapse let go of 40% of its workforce, concerns grow around the volatility of Fintech ventures and the robustness of regulatory compliance and consumer protection in the rapidly evolving BaaS sector. This development reflects the broader context of market challenges and client impacts that are reshaping the future of compliance architecture in embedded banking.
This regulatory crackdown on BaaS providers and their partners is not just a rumor but a current reality, affecting even established traditional banks. With a pattern of well-documented risk and compliance shortcomings across the BaaS landscape over the last 2 years, perhaps this consolidation shouldn’t come as a surprise. Undoubtedly, some BaaS players will be able to weather the storm while others won’t; the difference will be in their compliance capabilities.
Future of Compliance in Embedded Banking:
As the dust settles on a landscape scarred by regulatory actions, a new compliance architecture emerges from the chaos — one underpinned by the robust technology of automated effectiveness testing. No longer can compliance be a passive, check-the-box affair. The future beckons with a call for continuous, proactive monitoring, and Cable stands at the vanguard, ready to redefine the bedrock of trust in embedded banking.
The compliance architecture of the future is seamlessly integrated, data-centric, and powered by automation. This infrastructure is not just about meeting regulations—it's about setting a new standard that prioritizes effectiveness and efficiency, ensuring that compliance is a driver of business excellence rather than a roadblock.
To continue discussing why compliance is effectiveness, we will be hosting a series of discussions on the topic of current regulation and how to best prepare yourselves and your fintech partners.
The first of these is on Thursday, November 16th, when we will invite a number of banks to share how they are weathering the current storm and advice on how to set banks up for success in 2024 and beyond. We hope you will join us.