Castellum.AI


BaaS is Not in Crisis: BaaS Banks Less Likely to Be Fined Than Non-BaaS Banks

A wave of overwhelmingly negative coverage of Banking as a Service (BaaS) has focused on enforcement actions and consent orders against sponsor banks, painting a bleak picture of the future of embedded finance in the United States.

However, a data-driven review of enforcement actions issued between January 2023 and July 2024 by the three main federal banking regulators — the Office of the Comptroller of the Currency (OCC), Federal Reserve (FRB), and Federal Deposit Insurance Corporation (FDIC) — shows continued regulatory support for BaaS and financial innovation.

Rather than undermining the viability of the fintech industry and the banks that support it, regulators are guiding the sector toward safe and compliant innovation.

Fines Against BaaS Smaller and Less Frequent


In total, fines against non-sponsor banks were 10 times larger than those targeting BaaS sponsor banks. Moreover, 42% of BaaS-related civil monetary penalties relate to one fine targeting a bank offering crypto services: Silvergate. Silvergate’s collapse and associated consent order and fine is best viewed in the context of the FTX collapse and regulatory scrutiny on decentralized finance, not the broader BaaS ecosystem.


Fines against non-sponsor banks are also more frequent. 18% of enforcement actions against non-sponsor banks included civil monetary penalties (CMPs), while only 13% of enforcement actions against banks involved in BaaS activities included fines.

The lower value and frequency of CMPs targeting banks in the BaaS space reinforces the view that regulators emphasize remediation and corrective action to improve compliance, not simply penalize the industry.

Rise in Enforcement Actions Against BaaS Banks in 2024


Since January 2024, 18.3% of enforcement actions have targeted BaaS banks. This represents an increase over 2023 when S&P Global noted that 13.5% of enforcement actions targeted BaaS. However, the rise has been modest, given the industry's rapid growth and the increased regulatory focus.

AML Compliance Emphasized


Regulators have consistently highlighted Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) deficiencies in BaaS banks. 64% of all enforcement actions against BaaS sponsor banks have focused on AML shortfalls, compared to 29% for non-BaaS banks.

This high proportion of AML-related actions underscores the challenges banks face when expanding to new markets, customers, and products through fintech partnerships, often without scaling their compliance programs to compensate for new risk exposure.

Regulators have routinely identified the following AML deficiencies:

  • KYC Procedures and Technology: Insufficient due diligence processes, including onboarding screening, inadequate customer identification programs (CIP), failure to identify beneficial owners, and ineffective monitoring of high-risk accounts. This is especially prevalent among sponsor banks that lack effective customer information sharing with fintech partners.

  • Transaction Monitoring and SAR Filings: Inadequate monitoring systems that fail to detect suspicious activities. Enforcement actions also highlight untimely or incomplete Suspicious Activity Report (SAR) filings.

  • Governance and Oversight: Inadequate authority granted to BSA officers and weak board and management oversight of third-party risk and compliance programs.

  • Staffing and Training: Inadequate staff training on BSA/AML compliance and insufficient updates to compliance-related programs.

  • Risk Assessments: Failure to conduct comprehensive and timely BSA/AML risk assessments, and failure to adjust them based on evolving risks associated with customers, products, geographies, or transactions.

  • Independent Testing: Deficiencies in independent audits and BSA/AML program reviews, including insufficient scope, lack of depth in testing, and failure to address audit findings.

Lookbacks Required for Remediation in BaaS


Since 2023, 53% of all AML-focused enforcement actions have included lookbacks as part of remediation efforts, but lookbacks are required in 79% of cases involving BaaS sponsor banks. The OCC, FRB, and FDIC mandate lookbacks to address prior AML gaps, such as inadequate customer screening, OFAC sanctions compliance, or transaction monitoring.

The scope and time period of lookbacks vary based on the extent of the identified control deficiencies. Typically, banks are required to engage an external third party to conduct the lookback, ensuring the deficiencies are thoroughly reviewed and validated by independent experts.

Enforcement Aims: Enable Compliant, Safe Innovation

There is no doubt that sponsor banks are under regulatory scrutiny, but the above makes clear that regulators are balancing their primary objective of ensuring consumer safety with enabling financial innovation.

Regulators have put an emphasis on evaluating the efficacy of compliance programs at sponsor banks that have quickly scaled up their fintech partnership programs. The absence of widespread fines and instead a focus on remediation reinforces that the objective is to address compliance deficiencies, not discourage innovation.

To that end, regulators are shifting their approach and addressing BaaS and fintechs directly. Whereas regulatory guidance has often addressed broad “third-party risk management” in its advisories or enforcement actions, recent actions have started to make specific reference to fintechs (such as the FDIC’s May 2024 Consent Order with Thread Bank).


Castellum.AI’s compliance platform saves BaaS and fintechs time with 88% fewer false positives and global compliance coverage

Trusted by Sponsor Banks and Fintechs to scale their AML programs


Best Practices Prevent Consent Orders

To mitigate the risk of consent orders, sponsor banks should adopt best practices that align with regulatory expectations. 

  • Strengthen AML Technology and Procedures: Invest in compliance technology that can handle new risks associated with onboarding new customers and offering new products through fintech partners. Ensure that policies are updated and strong information sharing processes enable effective KYC and transaction screening associated with services offered by your fintech partners.

  • Enhance Transaction Monitoring: Invest in advanced systems that can identify suspicious transactions in real time and ensure timely, complete Suspicious Activity Report (SAR) filings.

  • Improve Governance and Oversight: Grant greater authority to BSA/AML officers, ensure strong board-level oversight of compliance programs, and require fintech partners to invest similarly in their own AML compliance programs.

  • Conduct Regular Independent Testing: Implement comprehensive audits and BSA/AML program reviews to address any gaps before regulatory scrutiny.

  • Adjust Risk Assessments: Regularly update risk assessments and ensure that they have adequate scope and depth to account for changes in customer profiles, products, and market conditions.

Further Reading


Methodology

This report is based on a detailed analysis of all severe enforcement actions — 124 in total — issued by the Office of the Comptroller of the Currency (OCC), Federal Reserve (FRB), and Federal Deposit Insurance Corporation (FDIC). Castellum.AI identified enforcement actions against any bank publicly known to engage in Banking as a Service (BaaS) activities, and analyzed the types of deficiencies identified by regulators within the enforcement action documentation. 

The analysis covered Enforcement Actions issued between 1 January 2023 and 30 July 2024 in the case of the OCC and FDIC and between 1 January 2023 and 7 August in the case of the FRB. 

Enforcement Actions covered included: Consent Orders, Cease & Desist Orders, Civil Monetary Penalties (CMP), Written Agreements, Formal Agreements, Notice of Charges. Enforcement actions targeting individuals and actions related to flood protection were excluded from this analysis.