Spotlight on Third-Party Risk Management in Banking as a Service (BaaS)

Paul Noring and Lucas Lima discuss the evolving Banking as a Service (BaaS) landscape and increasing regulatory scrutiny from the Federal Deposit Insurance Corporation (FDIC), Office of Comptroller of the Currency (OCC), and state regulatory departments. The authors emphasize the importance of enforcement actions as both corrective measures and benchmarks for best practices within the banking industry. These actions often require banks to enhance their oversight and management of third-party risks, especially with fintech partners.

The authors provide a timeline of key enforcement actions against BaaS banks in 2023 and 2024 due to poor risk management, inadequate capital controls, and noncompliance with fair lending practices. These actions underscore systemic issues in third-party risk management and compliance, reflecting a trend toward stricter oversight and higher compliance standards.

The authors also highlight the necessity for comprehensive risk management frameworks for BaaS providers. As banks increasingly rely on fintech partnerships to offer innovative services, managing these relationships’ complexities becomes paramount. Each fintech partnership introduces potential vulnerabilities, from data breaches to compliance lapses, which can jeopardize not only the bank but also its customers.