top of page

Regulatory Pressure on BaaS is Mounting at a Critical Juncture for the Industry


Banks have been providing back-end services that enable nonbanks to offer financial services to their customers for decades. For instance, major co-branded credit card programs have been around for at least forty years. These programs invariably have a bank as issuer, and typically also involve a credit card processor and lender (which may or may not be the issuer), and a brand provider such as an airline, major retailer, university, or sports team. Other joint payment card programs, such as municipal transit cards and prepaid cards used to distribute payroll have relied on back-end partner banks for many years. Similarly, registered trust companies and broker-dealers involved in wealth management often seek bank partners to hold customers' excess cash in insured deposit accounts through sweep agreements.

What has changed over the past decade or so is the larger number of smaller community banks involved, and in parallel the exponentially larger array of fintechs and other would-be financial services providers seeking bank partners. In the wake of the global financial crisis and the Dodd-Frank Act, community bank-fintech partnerships have exploded, reflecting the surge in fintech VC activity in the same period. During this same timeframe, banking regulators have steadily ratcheted up their risk management expectations for banks of all sizes, including in particular expectations for the rigor of third-party risk management (also known as vendor management). These expectations are not altogether new. However, with the growth of fintech and the rise of “banking-as-a-service” (or BaaS), third-party risk has suddenly become one of the most critical risks facing a large swath of the community banking sector.

We estimate there are more than 100 community banks involved in bank-fintech partnerships, some of which likely entered into these arrangements without a clear understanding or appreciation of the risks and regulatory expectations, or with the resources to put in place the needed processes and systems. Despite the rapid growth in bank-fintech partnerships, regulatory scrutiny of these relationships has been comparatively subdued until recently. Given the length of the typical exam cycle and the inevitable lag between market developments and regulatory focus, it is not surprising that the regulatory pressure cooker is only beginning to boil now – i.e., a few years after a surge of new community banks entered into the space.

The regulators face an important and likely steep learning curve to understand through the eyes of their regulated banks serving as partners to fintechs what the real risks and opportunities may be. As is always the case with emerging practices, there are inevitably issues to be uncovered, and a lot of work will be required to sort out good practices from the bad. If the regulators make those appropriate distinctions, the industry and the customers it serves will be better for it. If the regulators paint with a broad brush and clamp down on an entire sector, without proportionality or enlightened perspective, that could cause irreparable harm to the community banking sector and stifle innovations that could have profound benefits for consumers, small businesses, and overall competition for financial services.

My colleague Brian Graham recently shared some expanded thoughts on this dynamic and offers his guidance on how to preserve innovation while ensuring safety and soundness here. As always, if you’d like to delve further into these topics or any of the myriad related topics at the intersection of finance, technology, and regulation, please shoot us a note at

Photo by Essow


bottom of page