During a recent online seminar, I was asked a multifaceted question: Is Banking as a Service (BaaS) an outsourcing arrangement, now commonly known as a Third Party Arrangement (TPA)? Does it present an operational risk to the BaaS provider? Why isn’t BaaS classified under existing guidelines issued by financial regulators as an outsourced service or TPA? Lastly, is BaaS, by its nature, a cloud-based computing solution, akin to Platform as a Service (PaaS), Software as a Service (SaaS), and Infrastructure as a Service (IaaS)?
I recall being asked a closely related question six years ago during an in-house regulatory compliance training session for the procurement department. The attendees did not consider SaaS, PaaS and IaaS to be outsourced services because they were not listed in the regulator’s guideline as examples of outsourcing arrangements.
Consistent with my previous response to the attendees at that in-house training course, I maintain that BaaS is an outsourced service, and that it qualifies as a TPA and a cloud-based computing solution by design. It has the same risk elements and exposures as PaaS, IaaS, and SaaS, and requires appropriate due diligence and business controls to be effectively managed. By default, Banks and financial service providers should manage BaaS under the Third-Party Risk Management (TPRM) framework recommended by regulators. Waiting for regulators to formally recognize it as a TPA is a no-brainer.
BaaS is the provision of banking/financial products or services to end users through third party distributors such as Fintechs, as the delivery channel. It allows Fintechs and other non-bank entities to offer banking products and services (account opening, payments, lending, deposits, and card issuing, via APIs) to customers without having to obtain a banking license or deal with the regulatory and operational complexities of traditional banking.
BaaS is becoming ubiquitous and comes through different value chains and propositions (arrangements) such as provider-only, provider-aggregator, distributor-aggregator, and distributor-only. As major disruptors, Fintechs and other financial service vendors are being integrated into the banking journey by banks, whilst non-financial companies are also embedding banking products into their services. So, many opportunities for partnership exist, but they require strategic planning and groundwork on the part of Fintechs, as such partnerships do not come on a platter.
Absolutely, there is an inherent risk. From a compliance standpoint, the risk owner is the BaaS provider (Bank), and traditionally, banks, as the risk owners, cannot delegate or outsource that risk to a third party (fintech) as regulators will always hold the risk owner (Bank) accountable if anything goes wrong, or push back on such delegation. While this arrangement undoubtedly benefits customers, who can enjoy more convenient, personalized, and seamless financial experiences embedded in the products and services, we must not overlook the inherent risks embedded in such partnerships and faced by the three of them. That is why in my candid opinion, Fintechs, even if they are not the risk owners, should do more in terms of strategic risk awareness and management rather than just coming to the negotiation table with tech-savvy financial digital solutions. This brings me to the next point: mind the gap.
Recognizing these challenges and risks can help Fintechs become more aware and intentional about winning competitive partnership arrangements with Banks. Fintechs should demonstrate risk consciousness and avail themselves of information regarding the risk universe in the proposed partnership, and of a blueprint (toolkit) that will enable them to support the Banks in mitigating such risks. In most cases, this demonstration of knowledge and willingness to act is what sets one Fintech apart from another when it comes to banks choosing a Fintech partner. It enhances the opportunities for Fintechs with Banks.
As the market matures, Fintechs must stay alert to potential pitfalls and gaps that could impact their performance, reputation, and compliance. This includes due diligence on their internal control, risk, and compliance management systems.
Being aware of and acknowledging the risks, and being prepared to mitigate them, can enhance the prospects of Fintechs securing business partnerships with Banks.
On their part, Banks must be proactive by consistently assessing the external service provider environment, beyond the examples cited by regulators. Business arrangements evolve over time, and regulators do not always keep pace or revise their rules or guidelines to capture that. This was my position six years ago when I informed the attendees in an in-house training that PaaS, SaaS, and IaaS should be treated as an outsourced approach. BaaS will follow soon, though no one knows when; until then, Banks should continue to “mind the gap.”