BaaS (Banking-as-a-Service) has gained popularity as a new revenue stream for banks over the past few years. And while BaaS has been around for a long time, the recent spike in regulatory consent orders has garnered the attention of those interested or already involved in providing these services.
At AML RightSource, we work with BaaS banks to help navigate the demands associated with regulatory expectations, and consent orders, as well as advising and assisting in the building and bolstering of their AML/BSA, OFAC, and fraud programs to comply with regulatory expectations. 3rd party AML firms play a vital role in the BaaS community given the nature of their business, which can sometimes be categorized as high-risk, complex, and volatile. There are three main components a BaaS BSA Officer must analyze and explore while overseeing their program:
- Staffing – As noted in many of the recent consent orders, federal regulators have focused on staffing inadequacies and how certain compliance departments lack skilled resources or sufficient resources to address the risks and challenges presented by the BaaS ecosystem. In many cases, a bank has transitioned a portion of its business model to BaaS, which subsequently alters the bank’s risk posture into a higher risk position, with more complex and volatile transaction volumes.
As the bank grows and generates new revenue streams, its compliance function must grow with it. A few areas of staffing we have seen specifically mentioned in these consent orders are backlogs, lookbacks, and general BAU (business-as-usual) staff shortcomings. All of these are traditionally addressed in full or part by a trusted outsourced partner like AML RightSource.
- Advisory & Consulting – When BaaS banks partner with 3rd party firms, a major component of a successful engagement is ensuring they work with those who have an innate level of experience and understanding of the nature and complexities of the BaaS model and ecosystem. BaaS banks should undergo an updated risk assessment, a novel approach to independent audit, analyze their current technology, ensuring its fit for purpose and is capturing 3rd party (fintech, crypto, etc.) activity, revised procedures for KYC and transaction monitoring which encompasses the 3rd party relationships, and more. As mentioned, most BaaS banks trace their origins back to operational models of traditional community banks that benefited from an evolving business model. Given this change, third-party consultants must approach each bank with a fresh set of perspectives. Additional areas of note include an advisory element to help address consent orders, mandatory model validations, independent audits, risk assessments, staffing assessments, threat assessments, policy and procedure revisions, training, and more.
- Technology – BaaS banks must adopt modern technologies to give them comprehensive coverage over their 3rd party relationships. Legacy technology can still be effective, but the technology itself must undergo a thorough evaluation to ensure there are no gaps in transaction monitoring, KYC (CDD, CIP, EDD), OFAC, and fraud processes. Gaps in technology have been scrutinized and highlighted in recent consent orders, signaling a clear focus by regulators on keeping stacks current and functional. What might have worked well for a bank previously may no longer be the case, especially where the scope of the bank’s service offerings has ventured into banking FinTechs, crypto, etc. There are veteran renowned technologies that can remain serviceable for banks in BaaS, along with plenty of newer technology products that market their ability to service the BaaS vertical specifically. In either case, each should be explored by BSA Officers looking for the proper tools to fuel their programs.
Although most of this post has focused on BaaS banks under a consent order or immense internal pressure, it is worth highlighting that many BaaS banks have had the right mindset and approach to compliance from inception. It is evident that if a compliance program implements comprehensive third-party controls from the onset, the bank will have a much higher probability of succeeding and growing in the long term. Staying up to date on newly published consent orders helps compliance professionals reference a roadmap on what they are doing right and what can be improved on.