Does the OCC Know What BaaS is?
By Alex Johnson
Last month, I joked on Twitter about the challenges that fintech companies were going to start facing trying to get onboarded by banking-as-a-service (BaaS) banks as regulators started paying more attention to BaaS.
At that time, there were plenty of rumors swirling that regulators were having some uncomfortable conversations with banks about BaaS and their fintech partnerships, as Jason Mikula at Fintech Business Weekly reported:
Sources across the fintech and banking ecosystem — at banks, fintechs, BaaS platforms, VCs, and in the regulatory sphere — broadly confirmed significantly stepped up scrutiny, particularly from the OCC.
In conversations with participants across the ecosystem, there was a sense of, when is the other shoe going to drop?
Specifically, regulatory exams of Blue Ridge and Evolve, which have rapidly scaled their BaaS businesses both through platforms and direct relationships, have yielded “serious issues,” according to sources.
Well, it turns out that Jason’s information (much of which I had heard as well) was good. A couple of months later it was revealed that Blue Ridge Bank had entered into an agreement with the Office of the Comptroller of the Currency (OCC) – a federal banking regulator responsible for ensuring that national banks and federal savings associations operate in a safe and sound manner – to address some concerns that the OCC had with Blue Ridge’s BaaS business. Here’s Jason again:
Blue Ridge has grown aggressively in recent years, both through M&A activity as well as through direct fintech partnerships and those through BaaS platform Unit.
Blue Ridge’s oversight and compliance infrastructure doesn’t seem to have kept up with the bank’s rapid growth. The OCC agreement, viewed in aggregate, stems from Blue Ridge’s inability to adequately oversee its sprawling fintech partnerships.
This was confirmation that the OCC was actively studying the risks of BaaS and bank-fintech partnerships and taking action when it found specific banks that it oversees that weren’t properly managing those risks.
Still, it didn’t give banks and fintech companies a lot to go on. Financial services companies hate having to backward engineer compliance strategies based on enforcement actions taken against individual companies. They want more generalized guidance.
We still don’t have that, but we do have a speech that Acting Comptroller of the Currency Michael J. Hsu gave yesterday at The Clearing House and Bank Policy Institute’s Annual Conference.
The remarks do not constitute official guidance from the OCC on how banks should approach BaaS or fintech partnerships, but they do give us a window into the thinking of Mr. Hsu’s thinking on those subjects and, well, it’s quite confusing.
So let’s break it down by asking a few questions about the Acting Comptroller’s remarks and the OCC’s (and other regulators’) possible views on BaaS and fintech more broadly.
1.) Should the OCC be prioritizing fintech over crypto?
Before we even get into BaaS, I found this quote from the opening portion of Mr. Hsu’s remarks pretty interesting:
Like many industries, banking is being digitalized. At a high level, this is occurring through the expansion of technology firms into financial services and to a lesser degree the hype and growth of the crypto industry. While crypto has grabbed the headlines for most of the past year, I believe fintechs and big techs are having a large impact and warrant much more of our attention.
Last year, Mr. Hsu reversed the OCC’s prior position on the question of banks doing crypto things (cryptocurrency custody services, holding reserves backing stablecoins, etc.) and basically told banks to chill out for the time being. This turned out to be timely advice given the crypto crash that happened in the Spring of this year.
However, what’s interesting to me is how focused Mr. Hsu appears to be on not letting crypto distract his bureau from focusing on other technology innovations that may more deeply impact the safety and soundness of nationally-chartered banks.
This might not be great for fintech companies, but I think it’s very wise on the part of the OCC. Fintech has had and continues to have a much larger impact on banks and on bank customers than crypto.
2.) Does the OCC know what BaaS is?
I would have assumed the answer here was yes, but after reading Mr. Hsu’s remarks, I’m not so sure.
He starts off by including BaaS as a primary component of the fintech innovation that is introducing complexity and risk into the banking industry:
The growth of the fintech industry, of banking-as-a-service (BaaS), and of big tech forays into payments and lending is changing banking, and its risk profile, in profound ways.
And he is right to do so!
BaaS – which I’ll define here in simple terms as an arrangement in which a non-bank company provides customer-facing financial products and services, built on top of a licensed bank’s compliance and operational infrastructure – is the most popular form of partnership between banks and fintech companies today. So popular, in fact, that an entire category of fintech infrastructure, made up of companies like Synctera, Synapse, Bond, Treasury Prime, and Unit, has popped up to support it by providing middleware and program management.
However, Mr. Hsu then goes on to describe the nature of bank-fintech partnerships in a way that bears little resemblance to BaaS (emphasis mine):
The pressure to partner is not only coming from the bank side, but from fintechs as well. Valuations in the fintech space have fallen significantly. (Customer acquisition is more expensive and harder than expected, apparently.) As a result, prophesies of fintechs disrupting banks out of existence have largely been replaced with a focus on building partnerships. By partnering, banks can gain speed to market and access to technological innovation at lower cost, while fintechs seek to benefit from banks’ reputations for being trustworthy, longstanding customer bases, and access to cheaper capital and funding sources. As a result, bank-fintech partnerships have been growing at exponential rates and have gotten more complicated. Banks and tech firms, in an effort to provide a “seamless” customer experience, are teaming up in ways that make it more difficult for customers, regulators, and the industry to distinguish between where the bank stops and where the tech firm starts.
That’s not how BaaS works!
BaaS doesn’t accelerate banks’ speed to market or give them access to innovative new technology. Quite the opposite! Onboarding fintech partners is a slow and labor-intensive process (if done correctly … more on that in a sec) and banks that want to compete in BaaS usually need to build new technology in order to do so.
And fintech companies don’t leverage BaaS to get access to banks’ trustworthy brands (they only mention their partner banks’ names when they have to) or their customer bases (fintech companies specialize in customer acquisition) or their capital (fintech lenders have to arrange their own sources of funding, outside of their partner banks, which is growing source of stress in a rising rate environment).
Now yes, sure, there are other types of bank-fintech partnerships that more closely resemble the one being described in the Acting Comptroller’s remarks – see Greenlight’s partnership with Chase or the arrangement that Upstart had with many banks, until recently. And, of course, there are a lot of fintech infrastructure companies trying to sell their technology to banks (this, to be clear, makes these fintech infrastructure companies vendors not partners and the OCC has a good handle on third-party vendor management already). However, these other partnership models should be a relatively small concern for the OCC compared to the huge and growing phenomenon that is BaaS.
3.) Does the OCC know how many of the banks that it regulates have BaaS partners?
Again, I would have assumed the answer would be yes, but this quote gives me pause:
I recently asked my team to quickly profile banks with multiple BaaS partners. They identified at least 10 OCC-regulated banks that have BaaS partnerships with nearly 50 fintechs. Using public information they also identified similar arrangements at banks regulated by the Federal Reserve and FDIC.
It’s the “at least 10” part that confuses me. Are they not sure exactly how many OCC-regulated banks have BaaS partnerships with fintech companies? And if not, how did they discover the ones that do? Did they have their examiners ask the banks that they oversee? Did they do some type of analysis based on call reports and other public data?
Seems like a good first step in figuring out how to regulate BaaS would be to get a more precise count of the banks that are offering it.
4.) Does the OCC understand why most banks offering BaaS are small community banks?
It seems like maybe this was news to Acting Comptroller Hsu?
Notably, this is not a large bank issue. The vast majority of the banks identified have total assets below $10 billion; nearly a fifth have total assets less than $1 billion.
I assumed it was common knowledge that the reason that most BaaS banks are small is because of the debit card interchange pricing advantage that the Durbin Amendment gives banks under $10 billion in assets.
5.) Does the OCC believe that BaaS is a net positive for community banks?
BaaS provides an incredibly important avenue for community banks, which are disappearing at a rapid clip, to generate revenue and thrive as independent businesses.
Based on Mr. Hsu’s comments, the OCC appears to believe that keeping at least some small banks from being gobbled up in mergers is a good thing:
The OCC is working with our federal banking agency peers and the Department of Justice to review our bank merger frameworks consistent with President Biden’s Executive Order on promoting competition, as well as my own concerns about bank merger impacts on communities, the potential for institutions to become too-big-to-manage, and financial stability.
Will the OCC’s regulatory guidance around BaaS take into consideration just how important BaaS will be in sustaining a robust community banking ecosystem?
6.) How is the OCC thinking about the impact of potential fintech failures in banks’ BaaS programs?
What happens if a fintech company, built on top of a partner bank’s BaaS infrastructure, fails? How do the fintech company’s customers manage their accounts and access their funds? Who do those customers call if they have questions or need help resolving problems?
These are questions that many banks providing BaaS haven’t thought through nearly enough (read this article by Jason Mikula for one example of what can happen when this process isn’t handled well).
Well, based on its agreement with Blue Ridge Bank, it looks like the OCC is going to force its banks to be much more diligent on this front.
The OCC is requiring Blue Ridge to develop, implement, and adhere “to a written program to effectively assess and manage the risks posed by third-party fintech relationships” and that risk management program must specifically include “contingency plans” for winding down fintech partnerships in an “effective manner”.
7.) How much legal and reputational risk will the OCC allow BaaS to bear?
From the OCC’s perspective, I think we can break their concerns about BaaS into two broad categories.
First and most obviously, BaaS makes banking more complex and the OCC is naturally suspicious of complexity, as Mr. Hsu explained in comparing BaaS to the rise of shadow banking in the lead-up to the 2008 financial crisis:
My concern today is that a similar increase in complexity is happening with regards to online and mobile payments, lending, and deposit-taking activities. To be clear, this is different from the credit disintermediation of the 1990s and 2000s. The “de-integration” of banking services that is taking place now has its roots in technology, data, and operations and is affecting all banks, not just the large, money center banks. My strong sense is that this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis.
A second, related concern is that BaaS may enable banks to indirectly take risks that their examiners would never allow them to take directly. This concern can be seen in the agreement that the OCC came to with Blue Ridge, which requires the bank to beef up its suspicious activity monitoring and reporting program and “to conduct a “SAR Look-Back” to determine if SARs should have but were not previously filed for “high risk customer activity involving the Bank’s third-party fintech relationship partners.”
Fintech companies are constantly lobbying their bank partners to allow them to take more risks to serve underserved customer segments. Once regulators have a better view into what their banks are doing with fintech partners, will they allow those banks to continue taking the legal and reputational risks they are quietly taking today?
8.) What does the OCC (and CFPB) think of BaaS platforms?
An axiom in BaaS is that the most sophisticated and least risky fintech and non-bank companies tend to partner directly with banks for BaaS, while the less sophisticated and riskier ones tend to go through the BaaS platforms (Synctera, Synapse, Bond, Treasury Prime, Unit, etc.)
These platforms often assist their bank partners in onboarding new fintech companies, conducting due diligence, and monitoring for potential compliance issues, in accordance with their bank partners’ policies. This third-party program management is attractive for smaller banks that may not have adequate compliance resources to handle a scaled-up BaaS operation themselves, but it runs the risk that the BaaS Platform (which is incentivized to sign up as many fintech companies as it can) may cut some corners that ultimately create problems for their partner banks (think of it as BaaS moral hazard).
It’s not clear at this point what the OCC thinks about BaaS platforms, but you’d have to imagine that it does have an opinion.
And it’s very possible, when it comes to the BaaS platforms, that another regulatory agency may jump off the top rope:
While much of the discussion of regulation of banking-as-a-service focuses on banks’ prudential regulators, the CFPB’s potential involvement shouldn’t be discounted.
with the consumer protection agency’s recent declaration it would leverage its “dormant” authority to examine non-bank companies that “pose a risk” to consumers, fast-growing fintechs like neobanks, payment apps, and online lenders could see additional scrutiny.
Where these companies leverage an underlying bank, that bank could be drawn into any supervisory activity. BaaS platforms themselves could also be a potential target of the CFPB.
9.) Will federal regulators be cool with bank acquisitions by non-banks looking to get into BaaS?
A trend I’m keeping my eye on – billionaires quietly buying community banks out of their own pockets and turning them into BaaS providers.
The first example was William and Annie Hockey buying Northern California National Bank for $50 million last year and turning it into Column, a technology-first BaaS bank.
The second example is Jacqueline Reses acquiring Kansas City, Missouri-based Lead Bank. Lead Bank is already deep into BaaS, but one imagines that Reses will significantly accelerate the bank’s transformation into a tech-first provider of BaaS services.
I have no idea what federal regulators think of this trend (or if it’s even on their radar), but given that all bank acquisitions need to be approved by regulators and given the competitive advantages that tech-first BaaS banks will have over traditional community banks and non-bank BaaS platforms, I could see them taking an interest.
10.) Will federal regulators start requiring banks providing BaaS to get individual approval on new fintech partners?
The OCC is requiring Blue Ridge Bank to do exactly this:
Prior to onboarding new third-party fintech relationship partners, signing a contract with a new fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech relationship partners, the Board shall obtain no supervisory objection from the OCC.
Of course, this is in reaction to a slew of presumed compliance and risk management failures on the part of Blue Ridge. It is unlikely that the OCC or the Federal Reserve and FDIC (which oversee state-chartered banks at the federal level) would place this burdensome requirement on all the banks that they oversee.
Unlikely, but not impossible.
BaaS is at a very important inflection point and the way in which BaaS banks proceed, in building out their compliance and risk management programs and in managing their third-party relationships, will be critical in determining how their regulators react.