Can’t sleep? Maybe that’s because you’re among the BaaS-enabled banks worried about consent orders.
Since late 2023, the FDIC and CFPB have issued seven consent orders because of BaaS-related issues. Two consent orders were issued this month, to Sutton Bank and Piermont Bank; Lineage Bank, Blue Ridge Bank, Cross River Bank, Green Dot, and First Fed Bank have all been hit with consent orders in recent months.
BaaS was once considered the key to having it all; banks could maintain their legacy core technology while quickly adapting to consumer trends by bolting on the newest fintech innovations. Many BaaS-enabled banks are starting to discover that using third-party technology may not be the best solution, however. As it turns out, implementing another company’s technology comes with its own set of issues.
Part of the problem stems from the fact that regulators have been eschewing formal rule-making, and have instead been making examples of particular firms by enforcing consequences in the form of consent orders.
But where are things going wrong? Below are four things banks are (or should be) worried about when it comes to using BaaS partners:
Data privacy, security
While every bank executive worries about fraud, security, and data privacy, BaaS-enabled banks face double the concern because they need to worry not only about the security of their own institution, but also about that of their third-party partners. That’s because BaaS involves sharing sensitive customer data with third-party providers. Banks need to ensure that their partners comply with data protection regulations and stay up-to-date on regulatory changes.
Regulatory compliance and reporting
Speaking of regulations, banks that use BaaS tools need to ensure that both their own organization and their third-party partners comply with all financial regulations, such as AML and KYC requirements. To verify ongoing compliance, banks need to implement vendor management practices to oversee the compliance efforts of their BaaS providers and mitigate risks on both sides.
Almost as important as complying with regulations is proper reporting around activities. Banks should make sure that they can accurately report on their activities and compliance efforts, even when using BaaS tools. Banks should maintain proper records and be able to provide information to regulators upon request.
Consumer protection
Banks must not only safeguard their consumers’ data privacy, but they must also protect consumers from misinformation. Banks are responsible for ensuring their BaaS providers are relaying information regarding their products and services accurately and clearly to customers. This will both facilitate fair treatment and reduce redlining concerns.
Operational risk
Adding to the list of concerns is operational risk. When working with BaaS providers, banks are responsible for things outside of their control, including service disruptions and clunky or broken user interfaces. To reduce these issues, banks should have risk management processes in place and regularly check in with their partners.
When it comes down to it, banks can’t oversee every part of their BaaS partners’ organization. However, by conducting proper due diligence, regularly updating controls, and learning from other institutions’ mistakes, firms may find it easier to sleep at night.