Banking-as-a-Service (BaaS), a model poised to transform financial services, is now under increasing regulatory scrutiny, with recent actions by the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) underscoring the growing concerns.
BaaS allows non-banks to access banking services by connecting with FinTech companies and traditional banks, creating an infrastructure that enables businesses to embed banking products within their offerings. This approach allows firms to provide banking services—such as embedded finance and virtual card issuance—without building back-end systems, benefiting neobanks and other innovators.
Regulatory Actions by FDIC and OCC
However, the rapid growth of BaaS partnerships has caught the attention of regulators, leading to enforcement actions against several banks involved in these activities. Recently, the OCC took action against Axiom Bank in Florida, citing “outdated and questionable practices” that put the bank’s compliance with anti-money laundering (AML) laws at risk.
The OCC’s consent order demands that Axiom implement written plans addressing risks related to money laundering, terrorist financing, and other illicit financial activities, particularly concerning the bank’s prepaid card and merchant processing partnership programs. Additionally, Axiom must establish a rigorous customer due diligence program and has been directed to halt adding new merchant processing or prepaid card partnerships until the OCC reviews and approves its compliance measures.
The Axiom case isn’t isolated. Former executives of the company have filed lawsuits alleging retaliation for raising concerns about the bank’s BaaS partners, further fueling scrutiny of BaaS operations.
Broader Industry Impact
Other regulatory actions highlight similar concerns. The FDIC issued consent orders against Piermont Bank in New York and Sutton Bank in Ohio, both emphasizing the need for improved oversight of third-party relationships in BaaS. The FDIC’s order against Piermont Bank cited “unsafe and unsound banking practices” due to inadequate internal controls over its third-party relationships, requiring the bank to provide detailed reports on its partnerships and associated activities.
Sutton Bank was also directed to revise its approach to managing third-party relationships, particularly those that involve outsourcing compliance with AML/CFT (anti-money laundering and counter-financing of terrorism) regulations under the Bank Secrecy Act. The bank must ensure continuous oversight and assessment of these partnerships to comply with regulatory obligations.
Additionally, Financial Institutions, the parent company of Five Star Bank, recently announced it would “wind down” its BaaS offerings, citing regulatory concerns and the limited contribution of BaaS to the company’s overall performance.
Future of BaaS Amid Regulatory Pressure
Despite these regulatory challenges, the BaaS model is expected to persist, given its significant role in driving the expansion of embedded finance.
Ingo Payments Chief Revenue Officer Lydia Inboden noted that while the BaaS industry is facing a period of regulatory upheaval, direct relationships with FinTechs offer banks greater oversight to ensure compliance with AML and other regulations. She emphasized the need for financial institutions to demonstrate proper oversight of all their downstream partners to maintain regulatory standards.
As regulatory scrutiny intensifies, the BaaS sector will likely adapt by implementing more robust risk management frameworks and compliance programs to ensure the sustainability of the business model in a rapidly evolving financial landscape.