Enforcement numbers are telling: BaaS crackdown picked up in early 2024

Early 2024 data shows U.S. banking regulators are clamping down on organizations aligned with technology partners that typically operate under much lighter enforcement of the same rules.

Regulatory action against fintech partner banks in the first quarter made up 35% of all enforcement notices combined from the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, according to tracking by consultants Klaros Group and shared by Klaros co-founder Konrad Alt on LinkedIn.

The result marks a steady increase from 26% of the share of enforcements a quarter earlier and 10% of the share in the same three-month period one year earlier.

The operations most under scrutiny are for banking-as-a-service, or BaaS. These partnerships vary but might include the banking backbone of a financial literacy app or the loan application architecture for drivers on a ride-sharing platform.

BaaS has been a potential game-changer as banks team up with fintech to compete with each other and with the broad reach of traditional tech, which can also push into payments and other financial-services offerings, again under a much lighter touch from Washington than for traditional banking. The global BaaS market is projected to reach nearly $75 billion by 2030, according to one measure.

There is significance to the timing of the early-2024 enforcement rise. The supervisory bodies have recently adopted joint guidance on evaluating third-party risks, codified last summer. Klaros did also note that the uptick in BaaS-related enforcement hit amid a doubling of total enforcement actions against banks over the same period.

“I believe scrutiny of fintechs and third-party tech partners has grown because the market is so large it’s considered systemically important to the banking industry,” said Chris Boersma, product manager, compliance, with BAI.

“They can cause substantial harm to consumers by not following regulatory requirements, and if one of the larger fintech banks fail, it could cause consumer confidence and the U.S. economy to drop. The Consumer Financial Protection Bureau (CFPB) led the charge and the other regulatory bodies have expressed they are following in the Bureau’s footsteps.” he said.

Some observers believe it’s too soon to determine if the agencies are playing catchup in quickening this enforcement rollout in response to the new guidance, or if the rise reflects a more fundamental hardening response toward BaaS models within highly regulated financial services. But there’s little doubt that the early-year response could influence the appetite for BaaS partnerships moving forward.

For certain, regulators have not limited their action to just third-party guidance. Last year, the OCC launched an Office of Financial Technology to “adapt to a rapidly changing banking landscape,” and the Fed established what it called the Novel Activities Supervision Program, with special attention on fintech partnerships, engagement with crypto assets and other emerging strategies that push outside of traditional financial services.

In fact, regulators had signaled increased scrutiny since as early as 2021. The Fed, FDIC and OCC that year issued jointly proposed guidelines for managing third-party risks.

Supervisory scrutiny has also intensified in the wake of 2023’s Silicon Valley Bank and other high-profile regional bank failures. The size of these community banks meant that they in general leveraged some operations through tech partnerships. Regulators believe this may have lowered risk tolerance, or at least risk measurement, that left these banks vulnerable to their own runs and raised the chances of systemic fallout.

Fintech and banking consultants and trade groups, broadly speaking, have expressed their desire that regulation avoids the fallacy of one-size-fits-all, based both on the footprint of the banks under scrutiny and because BaaS business models can vary greatly.

And their hope is that the speed of technological change doesn’t mean that all proportionality is lost. After all, third-party regulatory complexities have existed for decades from co-branded credit cards to wealth management sweep agreements, as Klaros’ Patrick Haggerty has written.

Others worry that stifling fintech is to deny banking the growth that could democratize access. As Rajashekara Maiya of Infosys has written for BAI, the most significant potential outcome of the BaaS model is greater financial inclusion, as more than 50% of the global population is either unbanked or underbanked.

For their part, regulators emphasize their desire for banks to dig deeper into the full activities of their fintech partners and those partners’ internal mechanisms for risk measurement, including cybersecurity, fraud and downside financial exposure.

But they’ve also made clear that the “blurring” between technology, commerce and banking that can make life easier is also what’s making a regulator’s job harder.

In an early-2024 speech on payments modernization, acting OCC Head Michael Hsu wrapped up remarks by pinning the great financial crises of U.S. history—the Panic of 1907, the Great Crash of 1929, and the 2008 Global Financial Crisis to common roots in which great leaps for commerce were “blurred” with banking, leading to “… rapid growth, then fragility, and eventually collapse.”

Rachel Koning Beals is Senior Editor with BAI.