June 17, 2024 - Brenda Banks

BaaS Beyond the Boom – Compliance in 2024 and Beyond

Banking as a Service (BaaS) has changed rapidly over the last several years. While it’s no secret BaaS business has boomed since its inception, a new shift is taking place in the space.

The rise of BaaS set the stage for a new crop of challenges. Customers now expect the frictionless experience they enjoy through agile fintech startups, e-commerce platforms, gaming, and even social media. The sponsor banks who empower these platforms to enter the banking ecosystem have been content to lend their charter and let their partners handle the rest.

While this system empowers non-bank institutions to provide financial services by binding the infrastructure and capabilities of traditional banks, it leaves obvious fraud gaps as non-bank partners lack the institutional experience in fraud prevention that their sponsor banks have. BaaS continues to boom, but fraud attacks will too if left unchecked. Regulators have stepped in to bring new requirements that aim to put BaaS on par with the level of safety—and scrutiny—traditional banks are used to.

The future of BaaS will be defined by rapid customer growth and even more rapid adjustment to regulatory requirements. Compliance is key not just to growth, but survival, for many sponsor banks and their partners. To understand what likely lies on the horizon for BaaS, we have to first look at how the unique BaaS landscape has created the current compliance situation. Then we can predict and prepare for the future of BaaS in 2024 and beyond.

How BaaS applications have driven specific compliance changes

The unique characteristics and applications of BaaS not only drove its rise, but each played a special role in shaping the current compliance landscape. Looking at each one in detail helps us understand how regulators are thinking about the new requirements they pass down and how these changes bring overall benefit in the long term, even if they still bring a compliance crunch for some in the short term.

Unique characteristics of BaaS

Digital Transformation: With consumers' increasing demand for digital channels for their financial transactions, traditional banks were compelled to renovate their business operations. BaaS partnerships between banks and digital enterprises opened up new customer opportunities and delivered seamless, digital banking experiences.

Innovation: Fintechs are redefining the financial landscape with their innovative offerings. However, often these lines of business need help in obtaining regulatory approvals and creating the infrastructure to operate as a banking institution. BaaS models allow fintechs to focus on innovation while leveraging banks for their charter, regulatory compliance, and backend support.

API: The advanced development of Application Programming Interfaces (APIs) has become paramount to modern software development, creating smooth integrations between complex systems and services. APIs allow BaaS platforms to showcase the functionalities of banking, empowering third-party developers to incorporate financial services into their applications effortlessly.

Globalization: Sponsor Banks driving BaaS in turn drive financial inclusion and expand their banking services, particularly in underserved areas of the world. Leveraging the bank’s infrastructure, Sponsor Banks can swiftly expand their operations and reach other markets without large upfront investments.

Regulatory responses to BaaS: Why compliance looks like it does today

These innovative transformations have brought user-friendly banking directly to customers at the places they want to access banking most often. That widening of accessibility, combined with lagging fraud oversight, is also the reason BaaS is facing regulatory challenges.

What specifically are regulators looking to address with these new requirements? In short, the same areas that they address most fervently when crafting rules for traditional banking institutions.

This includes:

  1. Compliance: BaaS providers must prove they have demonstrable control and oversight of areas with established legal requirements. This includes data privacy, KYC and CIP, and anti-money laundering (AML). Sponsor banks and their partners must have deep relationships to develop, maintain, and prove these requirements to regulators.
  2. Data Security: Strict data handling requirements are being enforced to mitigate cyber attacks and data breaches. Not only does the BaaS provider have to prove customer confidentiality, data security, encryption, and authentication, but these best practices must be implemented and reviewed regularly.
  3. Customer Trust: Customers must have confidence that BaaS offerings are reliable, secure, and give them transparency into the financial tools they utilize. On top of developing strong customer relationships, BaaS providers must provide outstanding customer support to keep customers loyal.

These compliance requirements have been put in place to catch fraud at every stage of the customer journey. If an onboarding experience doesn’t have the proper identity checks, fraudsters can easily create synthetic IDs. BaaS providers need to collect more than the basic personally identifiable information (PII) elements and prove they are continuously monitoring customer behavior and account activity throughout the lifetime of the account.

Compliance in 2024 and beyond—preparing for the future of BaaS

Right now, BaaS compliance can be summarized as sponsor banks being required to prove they have oversight of their partners and a strong fraud prevention platform in place that meets the same requirements traditional FIs face.

You can break these requirements down further into several categories:

  1. Enhanced due diligence
  2. Comprehensive KYC protocols and procedures
  3. Comprehensive fraud detection systems
  4. Robust transaction monitoring
  5. Regulatory compliance programs
  6. Data security measures
  7. Employee training and awareness
  8. Regulatory reporting and collaboration

Each of these categories has a handful of requirements beneath them that make up what we can consider the basics of compliance in 2024. You can get an expanded list with these criteria in an easy-to-follow checklist DataVisor created for sponsor banks to use as a guide for BaaS compliance.


The compliance protocols put in place now have been a serious adjustment for a large number of sponsor banks. Going from a more laissez-faire approach to proving a strong level of scrutiny and communication with partners is a tough task. On top of that, regulators expect these compliance changes to be made expeditiously. The penalty for falling short of them is severe—in some cases, banks face cease-and-desist orders that spell the end of their existence.

As compliance evolves beyond this “righting of the ship” phase, we can expect things to trend even further toward the shifts we see in compliance for traditional FIs. Things like anti-money laundering and its components, proof of real-time transaction monitoring, and use of machine learning models will all start becoming a larger compliance focus from regulators to sponsor banks.

Because of the global nature of BaaS, a great level of scrutiny will be put on monitoring the entire customer journey. Accounts that originate from high-risk areas will need to be watched carefully from the outset. Things like customer risk ratings will become crucial for maintaining compliance and ensuring customers are who they say they are.

Again, the nature of BaaS plays an important role here. Agility, smooth user experience, and access to banking in non-traditional spaces are all strengths of BaaS. Regulators will want sponsor banks to prove comprehensive fraud protections, but the banks must also prioritize crafting an enjoyable customer experience for their good users.

We can’t say with certainty exactly what BaaS regulatory requirements will look like in 5, 10, or even 20 years. Nor can we truly predict how large the BaaS industry will become and the changes it will go through in that time. What we do know is that, especially now as new regulations hit, the entire BaaS community can benefit by learning from each other, being proactive about adopting future-proof fraud prevention solutions, and asking the right questions before it’s too late to make changes.

I recently had a great discussion with BaaS leaders at a lunch and learn webinar, and I encourage you to listen if you’re working to reach BaaS compliance. Whether you’re a sponsor bank, a fintech partner, or any other player in the BaaS space, the insights shared here will help you and empower you to help others at your organization.


about Brenda Banks
Brenda is VP of BaaS & BSA at DataVisor. She has more than a decade of experience in digital identity verification, compliance, disputes, fraud, sanctions screening, and crucially, sponsor bank program builds. This experience fuels her passion to help sponsor banks and their fintech partners gain compliance in fraud prevention.