How to Manage Banking as a Service (BaaS) Vendor Risks
By: Hilary Jewhurst on November 28, 2023
You may have encountered the term banking as a service (BaaS), but don’t know precisely what it means or how it relates to third-party risk management. For third-party risk professionals in the financial and fintech industries, now is a great time to get educated.
What Is Banking as a Service (BaaS)?
Until recently, financial services have traditionally been the sole domain of regulated financial institutions. However, with the rise of technology, fintech companies began to emerge and introduce new and unique financial products, such as peer-to-peer lending or digital wallets. Financial products are highly regulated, and without a legal bank charter, technology companies cannot legally accept deposits or hold funds.
BaaS is a mutually beneficial partnership between a licensed bank and a non-bank entity (such as a fintech company). Within the partnership, the bank provides access to its banking licenses, infrastructure, and core services, and the third-party technology company then uses those financial services to build and distribute its own products.
Banking as a service allows financial institutions and their partners to offer a wide range of products and services through digital channels that customers can easily access at their convenience from mobile phones, tablets, or laptops. Nowadays, BaaS is everywhere.
Here are some examples of the most common types of banking as a service:
- Digital access to bank accounts
- Charge and credit cards
- Payment and account servicing
- Payroll services
- Financing and lending
What Are Banking as a Service Vendor Risks?
Banking as a service has made financial products and services more accessible for everyone. However, for organizations offering this convenience, there are also increased third-party risks, including cybersecurity, compliance, and business continuity concerns, as well as the potential for reputational damage.
It's essential to remember that the financial institution and the technology company are separate entities that are third parties to each other. Both organizations rely on third-party relationships, such as vendors, suppliers, and service providers, to deliver products and services to the customer.
Regulatory expectations for these relationships are clear: it's crucial to identify and analyze the third-party risks and the measures organizations can take to manage them effectively.
Let's examine a few of these risks:
- Cybersecurity risk: BaaS products depend heavily on a customer's personally identifiable information (PII), including sensitive details such as Social Security numbers, bank account numbers, credit scores, and account balances. Without the proper cybersecurity controls, the customer's data is vulnerable to loss, misuse, or theft. Financial institutions, their technology partners, and their related subcontractors must have appropriate cybersecurity protocols and practices that a qualified individual has verified.
- Compliance risk: Financial regulators have strict guidelines to ensure the protection of the consumers' rights and to protect them from violations of privacy, discrimination, and the improper use of their data. Technology companies and banks must comply with all laws and regulations and ensure that all their associated third parties and subcontractors (vendors, suppliers, and partners) do the same.
- Business continuity risk: Access, convenience, and reliability are imperative to successful BaaS products and services. If customers can't perform transactions or access funds because of a business-interrupting event such as a natural disaster, power outage, or cyberattack, both the financial institution and the technology company will be held accountable, resulting in loss of customer confidence, decreased revenue, or legal and regulatory fines.
- Financial risk: The technology world is rife with stories of exciting startup companies poised for success until their funding runs out and they go out of business overnight. While this is less common for financial institutions, it does happen. A BaaS partnership is only as good as the financial health of each party.
- Reputation risk: It only takes a single data breach or regulatory violation to damage an organization's hard-earned good name and brand. Customers don't distinguish between the bank and the technology company. When customers experience issues, no matter whose fault they may be, everyone's reputation and business are at stake.
While those are just a few of the third-party risks that can arise in the banking as a service ecosystem, effective identification, assessment, mitigation, and management of all third-party risks remains essential for both financial institutions and technology companies alike.
How to Manage Banking as a Service Vendor Risks
It's essential to remember that the financial institution and the technology company are separate entities, each acting as a third party to the other. Additionally, both organizations rely on third-party relationships to deliver products and services to the customer. So, what can each organization do to manage third-party risks appropriately?
Here are 7 best practices to follow to manage banking as a service vendor risks:
- Plan for the engagement. Consider how the partnership will affect your operations and risk management. Will you need to depend on external resources to help you validate the partner's risk management practices and controls? Do you have the right resources, experience, and skill to manage the relationship? Who will be responsible for the relationship? Do you have the proper third-party risk management framework to identify, assess, manage, and monitor the risks?
- Assess the inherent risks and determine the criticality of the partner or vendor. Inherent risk is the risk that naturally exists in a product, service, or relationship, and it's assessed without considering any future controls. Criticality, on the other hand, refers to the potential impact on an organization's operations if a partner or vendor fails or goes out of business. It's essential to identify all possible risks and to determine whether the relationship is critical to your operations or would impact your customers should there be a failure.
- Conduct risk-based due diligence. Collect and review information about the partner's risk management practices and controls. The level of due diligence will vary based on the engagement's risk and criticality. Some examples of due diligence you may collect and review are business continuity and disaster recovery (BC/DR) plans, audited financial statements, and SOC reports. This process will validate the effectiveness of mitigating controls and help you determine the engagement's residual (remaining) risk. Ensure that any identified issues are remediated before you execute the contract.
- Structure contracts appropriately. Your legal agreements are some of the best risk management tools you have. Make sure that contracts are written to identify the roles and responsibilities of both parties, determine required service level agreements (SLAs), and outline expectations for cybersecurity, compliance, customer complaint management, right to audit, and conditions of termination.
- Periodically re-assess risk and refresh due diligence. Third-party threats are constantly evolving and changing. Your initial risk assessment and due diligence only represent a point in time. For this reason, it's essential to periodically re-assess the inherent risks of the engagement and refresh the partner's due diligence documentation for review. The frequency of review should be based on the risk and criticality of the engagement. This will help to ensure that appropriate controls remain in place.
- Monitor risk and performance. To ensure the partnership delivers the intended benefits, it’s essential to monitor your partner's risk and performance constantly and consistently. Monitoring risk means staying aware of industry shifts, regulatory changes, consumer behaviors, data breaches, or any other new or evolving risk that can impact your partnership or your customers. At the same time, your partner must meet the agreed-upon service levels and conditions of the contract.
- Have a solid exit strategy and plan. Before entering into any partnership, it's essential to know how you might leave it should the need arise. Defining your exit strategy (move to another partner, bring the work in-house, or discontinue the product or service altogether) is the first step in ensuring your relationship is safe and secure. If the time comes to terminate the relationship, your predefined strategy will be the foundation for a robust exit plan.
The success of any banking as a service partnership depends on the trust customers place in the financial institution and the technology company. Effective third-party risk management ensures both parties deliver safe, reliable, and regulatory-compliant products and services. It also mitigates the potential financial and reputational damage that could result from data breaches, compliance violations, and business continuity interruptions. Comprehensive third-party risk management is crucial for the long-term success of financial institutions and technology companies utilizing BaaS to expand financial service options and their availability to consumers.