As the landscape of financial technology (fintech) companies continues to broaden to larger markets, traditional financial institutions have recognized the evolution of the marketplace and pursued technological advancement. While some banks may find success in developing proprietary fintech platforms or buying them through mergers and acquisitions, the cost of doing so can be seen as prohibitive. Therefore, smaller institutions may take the approach of creating banking as a service (BaaS) programs in partnership with fintechs. BaaS offerings allow customers of fintechs access to traditional banking services such as deposits, payments, and lending via digital platforms. This strategic approach can help banks remain competitive in a tough economic environment by allowing them to quickly expand to new markets, increase deposit bases (at a comparatively lower cost), and incorporate the latest technology into their offerings.
Although BaaS programs can bring significant value to banks, fintechs, and consumers, they carry unique Bank Secrecy Act/Anti-Money Laundering (BSA / AML) and sanctions risks. BaaS can substantially change the risk profile of a bank upon adoption. Regulators have also signaled particular interest in BaaS partnerships, evidenced by recent enforcement actions and interagency guidance. In this article we discuss ways in which banks can design an effective BSA / AML risk management program to maximize the value of BaaS partnerships while remaining compliant with relevant regulations, by proactively identifying risk and monitoring exposure on an ongoing basis.
BaaS Risk at a Glance
The risks of BaaS offerings generally arise from a decreased ability for the bank to understand the nature of “end-users,” i.e., the customers of the partner. Since fintechs are generally not licensed financial institutions themselves, they are not bound to the same Know Your Customer (KYC) or other BSA / AML-related protocols typically imposed on traditional banks. As a result, banks looking to partner with fintechs must implement a robust third-party risk management (TPRM) program that both thoroughly understands the nature of the fintech’s customer base and ensures the adequate execution of BSA / AML and sanctions controls performed by the fintech. The BSA / AML and sanctions components of an effective TPRM program should be governed by a defined risk appetite, determined by the board of directors and senior management, and accompanied by an enterprise-level BSA / AML and sanctions risk assessment that considers potential changes to the bank’s risk profile resulting from BaaS offerings.
Measuring the Risks
The foundational control of a bank’s TPRM program should be the individualized risk assessment performed as part of an onboarding review for each fintech with whom the bank intends to partner (and annually thereafter). From a BSA / AML and sanctions perspective, these risk assessments should consider the inherent risks of a money laundering or sanctions event, mitigated by the effectiveness of controls (including the consideration of whether the control is to be executed by the bank or the fintech). In addition to risks unrelated to financial crime, such as liquidity, financial, reputational, compliance, and others, any assessment of a potential fintech partner should consider, but not necessarily be limited to, the following:
- Number of Customers: Rapid introduction of a large number of customers to a bank’s portfolio has the potential to strain controls.
- Customer Identification Program (CIP): Given that onboarding will generally occur through the fintech, banks should thoroughly review the CIP processes imposed by the partner, especially where non-documentary verification is used.
- Fintechs pose increased risk when they have higher numbers of customers, transactions, or operations in jurisdictions with weaker money laundering controls or higher rates of financial crime.
- Customer Due Diligence (CDD): Processes to perform CDD, including the collection and verification of beneficial ownership information, should conform with the bank’s existing expectations (and be altered only where necessary), to allow for the establishment of a risk profile and to serve as a basis from which transaction monitoring can be conducted.
- Products / Services: Products / services that offer increased transactional capabilities, such as deposit accounts or peer-to-peer platforms, pose greater risk than more limited offerings, such as lending. Banks should also consider the degree to which a fintech’s products may offer anonymity to the user (e.g., cryptocurrency).
- Suspicious Activity Monitoring: Banks likely should integrate monitoring systems, tailoring new rules and scenarios to transactions conducted by, at, or through fintech partners. Robust standards should be developed for when such activity should be escalated to the bank for potential suspicious activity report filing, with periodic quality assurance reviews performed.
- The methods by which customers are onboarded to the fintech (for example, online or through affiliated marketing channels) can pose additional financial crime risk, since identifying and understanding the risk profile of such customers may be more difficult.
- As with suspicious activity monitoring, banks will likely benefit from extending existing sanctions screening modules to include customers onboarded and transactions conducted by fintechs. Possible matches should be escalated to the bank in a timely manner for potential reporting to relevant sanctions authorities.
Residual risk should be interpreted as the risk of the occurrence of a money laundering or sanctions event once controls are accounted for. The level of residual risk should drive decisions such as the required approval level, the frequency of periodic reviews, the level of scrutiny applied during testing, and others.
The risk assessment should result in a report detailing:
- Company background: information regarding company formation / ownership structure, market presence, acquisition history, size, etc.;
- Results of external research: adverse media, Politically Exposed Person (PEP) and sanctions checks performed on key individuals within the fintech and summarized in the risk assessment report;
- Inherent risks: a description of key risks identified, ratings, rationale for ratings, and a conclusion as to whether associated risks appear to be increasing or decreasing;
- Control effectiveness: a summary of the effectiveness of controls, ratings, rationale for ratings, and a set of recommendations detailing opportunities for enhancements to the fintech’s controls environment to further mitigate inherent risks;
- Contingencies: any decisions regarding contingencies to onboarding the partner, such as restrictions on international transactions or permitting only certain customer types;
- Residual risk and risk appetite conclusion: based on the residual risk level, a conclusion as to whether the fintech partner is within the risk appetite of the bank and the associated rationale.
Following completion of the risk assessment report, key individuals both within the lines of business and risk management functions of the bank should provide an approval as to whether to engage in the fintech partnership. The level of individuals responsible for approving these relationships should be contingent upon the risk posed by the fintech.
Ongoing Partner Due Diligence
Once a fintech is onboarded, it is crucial that banks maintain ongoing due diligence processes sufficient to understand:
- changes in risk profiles of fintech partners;
- the performance of controls executed on behalf of the bank; and
- the progress of corrective action items.
Deficiencies in controls, whether identified by the bank, by an independent auditor, or by testing processes internal to the fintech, should have clear resolution plans and associated timelines. Due diligence cycles may be based on the residual risk level identified by the risk assessment, but the cycle period should be codified in a policies and procedures document, with all partnerships being reviewed annually at a minimum. Periodic due diligence reviews should include updating the risk assessment, where necessary, and should also consider the following:
- Independent audit: Banks should require fintech partners to annually engage an independent third party to perform an audit of BSA / AML and sanctions programs. The periodic due diligence process should consider the results of this report and review the fintech’s corrective action plans for any identified issues.
- Transactional patterns: A crucial component of periodic due diligence is understanding the transactional profile of customers onboarded at a bank through a fintech partner. To do so, a bank may consider the overall volumes, types of transactions, when transactions are typically conducted, the general demographics of end-users, etc. The bank should also consider the volume of SARs filed on the customers in relation to the size / scope of the BaaS partnership.
- Know Your Partner (KYP) refresh: Periodic due diligence should also refresh the KYP information for the fintech, including beneficial ownership and the re-performance of adverse media / PEP checks.
Periodic due diligence reviews should conclude in an assessment as to whether the partnership remains within the risk appetite of the bank, subject to the approval of designated individuals, based on the risk level posed.
Due diligence processes should be supplemented by frequent communication with fintech partners, to review key metrics, changes to program operating models, identified money laundering or sanctions events, etc. Regular meetings should be held between bank and fintech personnel, with attendees in the lines of business and compliance departments on both sides, to establish a mutual culture of compliance at both companies.
Fintech Customers Are Bank Customers
In addition to maintaining a robust set of controls for managing the risks posed by BaaS partnerships, banks should also ensure fintech customers are included in their global definition of a “customer” and apply the same policy standards to such relationships. For example, if CIP functions are executed by a fintech partner on behalf of the bank, the same set of acceptable documents or verification thresholds should be applied to customers onboarded through fintech partnerships as to traditional banking customers. On the basis of risk, banks may choose to create policy “carve-outs” for their BaaS relationships. Some examples may be:
- KYC requirements: A bank may consider allowing certain fintech partnerships to satisfy its KYC policy through different means. For example, what if a bank that typically requires the collection of occupation as part of its CDD program partners with a fintech focused on student lending? In this case, the bank may establish as a condition of the partnership that all customers are students, and therefore not require explicit collection of occupation (i.e., the occupation would be defaulted to “student”).
- Customer Risk Rating (CRR): A bank may also choose to capture risks of its fintech customers by considering the residual risk level of a fintech partner in the CRR of the end customer. For example, the bank may consider incorporating a “distribution channel” risk factor in its CRR calculation and assign higher scores to this factor for customers onboarded through fintechs with higher residual risk levels.
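As an added illustration (not code from the article or any bank’s actual model), the following Python sketches how a “distribution channel” factor driven by the partner’s residual risk, together with a partner-specific occupation carve-out, could feed an end-customer CRR and the resulting review cadence. Every weight, threshold, tier, review period, occupation list and sample partner below is a constructed assumption.

```python
# Added illustration only: all weights, thresholds, tiers and samples are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed: partner residual risk (from the partner risk assessment) -> channel score.
CHANNEL_SCORE = {"direct": 0, "low": 1, "medium": 2, "high": 3}
# Assumed factor weights and the occupations this bank treats as higher risk.
WEIGHTS = {"geography": 2, "product": 2, "occupation": 1, "channel": 2}
HIGH_RISK_OCCUPATIONS = {"cash-intensive business", "money services business"}
REVIEW_DAYS = {"low": 365, "medium": 180, "high": 90}  # assumed review cadence

@dataclass
class Partner:
    name: str
    residual_risk: str                                  # "low" | "medium" | "high"
    carve_outs: Dict[str, str] = field(default_factory=dict)  # approved CDD defaults

@dataclass
class Customer:
    geography_risk: int                 # 0-3 from the bank's country risk list
    product_risk: int                   # 0-3, e.g. lending=1, deposit or P2P=3
    occupation: Optional[str] = None
    partner: Optional[Partner] = None   # None = onboarded directly by the bank

def resolve_occupation(c: Customer) -> str:
    """Apply an approved partner carve-out; anything else is a CDD data gap."""
    if c.occupation is not None:
        return c.occupation
    if c.partner is not None and "occupation" in c.partner.carve_outs:
        return c.partner.carve_outs["occupation"]
    raise ValueError("CDD gap: occupation missing and no approved carve-out")

def risk_tier(score: int) -> str:
    return "low" if score <= 4 else "medium" if score <= 9 else "high"

def customer_risk_rating(c: Customer) -> dict:
    """Score the customer; the channel factor carries the partner's residual risk."""
    occupation = resolve_occupation(c)
    channel = "direct" if c.partner is None else c.partner.residual_risk
    score = (WEIGHTS["geography"] * c.geography_risk
             + WEIGHTS["product"] * c.product_risk
             + WEIGHTS["occupation"] * (occupation in HIGH_RISK_OCCUPATIONS)
             + WEIGHTS["channel"] * CHANNEL_SCORE[channel])
    tier = risk_tier(score)
    return {"score": score, "tier": tier, "review_days": REVIEW_DAYS[tier],
            "occupation": occupation, "channel": channel}

# Constructed sample partners: a low-risk student lender with an approved
# occupation carve-out, and a high-residual-risk peer-to-peer wallet without one.
STUDENT_LENDER = Partner("ExampleStudentLender", "low", {"occupation": "student"})
P2P_WALLET = Partner("ExampleP2PWallet", "high")
```

A customer onboarded through the P2P partner with no occupation on file is rejected as a CDD gap rather than silently defaulted, because only the student lender has an approved carve-out.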
Similar to duties and obligations related to correspondent banking, a bank is responsible for managing the risks of all of its relationships, including those accessing banking services through fintech platforms.