3 Takeaways as Enforcement Actions and Data Breaches Roil BaaS Models

Date posted: June 2, 2025

As nonbank enterprises offer financial services, aided by traditional financial institutions and FinTechs, the emergence of the banking-as-a-service (BaaS) model has promised to transform lending and platforms.

But the recent spate of news tied to enforcement actions and settlements over data breaches points to a few takeaways about what not to do, against a backdrop of shifting regulations at a time when even the regulators are short-staffed.

Generally speaking, BaaS links banks and FinTechs to payments and account functionalities, where API connectivity means that their client firms need not obtain a banking charter.

Don’t Overlook Oversight

The nature of these third-party relationships — as banks bear liability for their FinTech collaborations — has been spotlighted by recent enforcement actions. In particular, regulators have been increasingly focusing on anti-money laundering (AML) and know your customer (KYC) lapses. The banks themselves must ascertain that their FinTech partners are in turn in compliance with relevant laws.

This month, the Federal Deposit Insurance Corporation (FDIC) published consent orders and enforcement actions that illuminate the fact that third-party relationships are increasingly under the microscope.

A consent order between Quaint Oak, a Pennsylvania bank, and the FDIC, per a company filing, indicates that “the bank has engaged in unsafe or unsound banking practices … related to, among other things, the Bank Secrecy Act” and regulations tied to the AML and Countering the Financing of Terrorism program. Among other things, the May 15 order mandates that the bank develop a third-party risk management program, along with independent testing of those programs and look-back reviews.

Separately, the FDIC has published its consent order with Hatch Bank (which had a separate and simultaneous consent order in California). The federal order (available through the FDIC website) also tasks Hatch with beefing up its BSA/AML efforts as they relate to third-party pacts, including periodic risk-based reviews.

Regulators Stretched Thin

For the regulators themselves — and by extension the oversight of these bank/FinTech BaaS relationships — staffing pressures mean that the self-policing described above is more important than ever. The latest audit of the agency, conducted earlier this year, remarks that “currently the FDIC faces risks in ensuring that it has examiners with the requisite skillsets to perform IT examinations using existing examination procedures.”

No less than 53% of examiners classified as “advanced IT subject matter experts were eligible to retire in 2024 with retirement eligibility rising to 63% for this population in 2028.” Those examiners qualified as having “intermediate IT expertise” have commensurate retirement eligibility rates of 16% last year and 27% in 2028. The audit also stated that “it is critical that the FDIC maps the interconnections of banks and their third parties to understand and examine potential operational points of failure and possible cyber intrusion and contagion.”

In addition, “increasing use of third-party service providers for compliance with Bank Secrecy Act (BSA) and Anti Money Laundering (AML) and sanctions requirements may require different examination processes or examiners with different skillsets,” the audit said. Separate PYMNTS Intelligence data indicated last year that about a third of banks and FinTechs had been hit by fraud. Evolve Bank and Trust earlier this year agreed to settle a class action suit filed in the wake of a data breach in which the exposed information included, among other things, financial account and routing details for customers of the firm’s open banking partners.

Reconciliation the ‘Moment of Truth’

The creation of virtual accounts and the intricate web of bank/third-party relationships has led to a complex system for tracking fund flows, particularly among ledger and subledger accounts. An April class action lawsuit against Evolve and Lineage Bank alleged that the defendants’ “use of Synapse and failure to adequately monitor and safeguard Plaintiff’s and Class Members’ funds in their control led to significant ledger discrepancies in account balances … these irregularities were materially inaccurate and, as a result, could not be used as the basis for distributing funds to the end user … members had their funds lost, stolen, or misplaced.”

As for the Synapse implosion, Ingo Payments CEO Drew Edwards told PYMNTS CEO Karen Webster late last year, “my sense is they tried oversimplification … and potentially took millions of consumers’ money accounts, and put them into a single commingled omnibus account without proper real-time or even daily reconciliation of very complicated money in and money outflows.”

The post 3 Takeaways as Enforcement Actions and Data Breaches Roil BaaS Models appeared first on PYMNTS.com.