Evolution of Compliance for Bank, Fintech, and BaaS Partnerships

PerformLine
November 10, 2022

Banks are no strangers to regulatory scrutiny, and with the evolution of banking-as-a-service (BaaS) platforms and their increasing number of fintech partners, regulators will continue to ensure that these financial products and services are offered in a compliant manner. 

A few weeks ago, the PerformLine team headed to Vegas for Money20/20 USA where we hosted a session on the evolution of the fintech and BaaS partner ecosystem and the regulatory compliance implications it presents.

The session, led by PerformLine CEO & Founder Alex Baydin, featured Sibongile Ngako, VP of Consumer Compliance and Head of Global Compliance at Affirm, and Juan Azel, former SVP and Deputy General Counsel at Cross River, as they discussed their strategies to create an ecosystem that is safe and compliant for their partners, clients, and end-users.

Here’s a recap of the key takeaways, which include the importance of compliance and collaboration, building a strong compliance management system, how to achieve compliance scalability through technology, and onboarding partners in a compliant manner. 


Compliance collaboration between partner banks, fintechs, and BaaS 

The session kicked off with a discussion about the importance of compliance collaboration between partner banks, fintechs, and BaaS providers. 

Collaboration on compliance is not only important, it’s essential, says Sibongile:

It’s not only important, it’s essential, which almost goes without saying. I really think that the strength of the compliance organizations between the fintech and the partner banks can literally make or break the relationships—not only between those two organizations but between the companies at large. 

It’s so important to be really clear on things like risk tolerance, and risk acceptance. What are the approval channels for new product services or features? What are the communication channels? What are the models of engagement? If any one of those things breaks down, it can really compromise the relationship, not only between the compliance teams but between the companies at large. So, hugely essential and really whether you’re a fintech company or a partner bank, something that you should consider really thoughtfully, firstly, and foremostly, as you’re going into a partnership.

Compliance collaboration is critical, added Juan:

I agree with all of that—I would say critical. When we think about it from the perspective of third-party relationships—what is a critical relationship? From a bank perspective, every bank or every fintech company is most likely going to be critical, and that means that it requires collaboration to ensure that the risks of regulatory violations are mitigated appropriately.

So when you look at the term “partner,” it really is important who you partner with, and I think that’s from both the bank side and from the fintech side. I’m sitting here obviously speaking on behalf of a bank, but banks could have problems, too. They could have compliance management systems that are not really tailored to a third-party provider type of oversight management which kind of pushes down on the fintech and makes the fintech’s partnership perhaps a little rocky with that particular bank, and vice versa. 

Banks sometimes want to so badly partner with fintechs that some of the fintechs they partner with perhaps are at the start of the phase, right? They don’t really have a strong Chief Compliance Officer, have not really built out their compliance management system (CMS), and maybe have issues with knowledge. For example, how critical fair lending is in the marketplace lending space. 

Partnering really starts with a strong bank and a strong fintech partner. And if not—and I don’t want to dissuade because this relationship here began where neither Cross River nor Affirm are what they are today— but you have to be ready to understand that the regulatory risk has to be mitigated. You might have to end up doing more from the bank side where you partner with a fintech company that perhaps doesn’t have as strong of a CMS as others.

How compliance has evolved for partner banks, fintechs, and BaaS

Partnerships between banks, fintechs, and BaaS providers have increased significantly in recent years. Alex asked:

Do you feel that the criticality of compliance collaboration is something that’s always been there? You’ve both been at your respective companies for a long time. Is it evolving more in recent years and days as the regulators have paid more attention? Can you just tell us a little bit about how things have changed from when you first got into the game with your companies and where things are today?

Regulatory expectations are not new, but are definitely evolving, says Sibongile:

I think the answer is yes to everything you just said. When I think back to my traditional banking days, there was—before banking-as-a-service was an actual thing—always a regulatory expectation that banks have adequate third-party oversight and adequate oversight of their vendor partners. 

And so in my mind, that was always a regulatory expectation and not really new. I think what has evolved is this banking-as-a-service and fintech relationship, and really taking that to the next level because fintechs are not just vendors, they’re true partners in terms of originating, servicing, marketing, ongoing risk management, really all of the facets of the life cycle of the product. And so I think it’s taking what’s always been a regulatory expectation and evolving it in a way that’s commensurate with the risk that’s now being posed through banking-as-a-service and fintech partnerships.

More organizations are realizing that compliance is a joint responsibility, says Juan:

I think there was a time so many of you can remember when a bank, perhaps that was entering into these types of relationships, believed that if the issue happened with the third party, then it’s not their problem. We know now today that’s absolutely not the case. Anything that is provided by a platform that a bank partners with, if there is a regulatory issue, it’s your product and that’s going to come back to you. I think that realization changed a lot of the scope. 

I think that at one point there were some fintechs who said, ‘hey let’s partner with a bank. Then, they can have all the regulatory obligations, and then we don’t have to do anything at all. It’s their problem.’ And we know now that that’s not the case as well. The CFPB has made it very clear, in case there was any doubt, that that’s not the case. 

In addition, we have seen enforcement actions that reach banks as well as your partners. So we know that there’s a risk of a regulatory violation that extends to both sides. 

Sibongile jumped back in to reinforce the importance of shared regulatory responsibilities:

I would just love to reinforce that point because I think it’s a great and important one, which is that part of the evolution that’s happened over time is one towards dual responsibility. It’s not just the bank’s problem and it’s not just the fintech’s problem, and that also supports collaboration in terms of working together and strategizing how to resolve issues, and how to manage risk in a way that’s effective. But again, collaborative because it’s both the fintech’s and the bank’s responsibility. 


Our recent analysis of consumer complaints submitted to the CFPB around fintechs and their partner banks showed that 87% of complaints submitted were made against the fintech brand and not the partner bank. Since the partner banks are typically “behind the scenes” of the transaction and the fintechs are consumer-facing, consumers are more likely to submit complaints against the fintech.
However, the regulatory responsibility falls on both the fintech and the partner bank, and regulators will be investigating both parties when consumer protection issues arise.


Building a strong compliance management system for fast-growing partner banks

Earlier this year, Cross River announced a very large funding round led by Andreessen Horowitz. Alex asked Juan:

Do you feel, in a way, that there’s an added responsibility that you and your colleagues were building the blueprint for how these partnerships should operate at scale and what the CMS management should look like?

Cross River aims to act as the gold standard for compliance, Juan explains:

Your growth in your business has to be scalable with your world and your compliance function and there are economies of scale that you can use in your compliance function. The traditional risk management practices don’t always translate one on one when you’re dealing with a third-party platform.

It’s not like you can sometimes just apply everything that has been around for ages when you talk about blueprints for success and industry best practices and whatnot. So there’s a responsibility to ensure that websites and merchants are monitored. We monitor them to ensure that they are not using particular types of terms to originate a loan, and in the end would be a compliance violation. We’ve partnered with PerformLine to do a lot of that web crawling of that. But again, there’s no blueprint for that. How many websites are you going to monitor? Are you going to sample? What type of sample methodology are you going to do? Are you going to do a statistically representative sample? Are you going to do a judgmental sample? And once you get it, are you going to look at every single website? That’s nuts, right? Every single item? So you have to look at this, and you have to really come up with a risk management framework of a blueprint.

So to answer your question directly, where do we do that? We’re doing that to our system, and we absolutely feel that the industry looks at us and says, how is Cross River doing this? You have a lot of partnerships. What are they doing in terms of not just UDAAP, but everything from onboarding to running change requests? How do you ensure that your Truth in Lending Act disclosures are issued properly when you have a very innovative delivery check? And from everything, we always have to innovate. And we actually feel that we are there and Cross River always wants to be the gold standard in compliance. But you know, it’s definitely a challenge in this day and age.

Achieving compliance scalability with technology

On that same theme of scalability, Alex turned to Sibongile and asked how Affirm achieves compliance surveillance and scalability with over 170,00 different merchant partners.

Having the right people, processes, and technology is key, explains Sibongile:

As you would expect, technology plays a huge role in scalability and ensuring that a CMS is scalable. We’ve partnered with companies like PerformLine for merchant monitoring, speaking of that. We’re all dealing with organizations that have a finite number of resources, and so the prospect of continuing hiring to support manual processes just at some point is not tenable. And that’s where technology comes in. And it can be used for purposes of monitoring from a merchant marketing standpoint, and could be on the financial crimes front, but I think it’s incumbent upon us as leaders of compliance organizations to always have the hat on that is searching to refine how we use technology, make sure that we’re identifying the correct tools, constantly reassessing whether the tools we onboarded are effective. And I also want to note that onboarding the technology is just the starting point, right?

It’s not a magic bullet. A lot of times people think, ‘oh, we’re going to get this great tool and that’s going to take care of this aspect of the CMS’. That is rarely, if ever the case, certainly in my experience, that’s a starting point. And I think the considerations that you need to take into account after that fact include what is the ongoing tuning that may need to take place? What are the compliance rulebooks that need to be developed and considered in order to make sure that these tools are operating efficiently? What are the human resources that yes, we may need to ensure that these tools are operating efficiently? So I think the combination of being really smart with your selection of technology, but also equally fulsome in our thinking around what is needed to maintain that tool is essential.

Onboarding new partners in a compliant and scalable way

Everybody wants to move fast with partnerships—but how do you onboard new merchants, fintechs, or other partners quickly and compliantly?

Be thoughtful when selecting your technology and processes, says Sibongile:

I would say both from a customer and a merchant onboarding standpoint, you want to be really careful with your selection of tools and technology, because I think this is one of those instances where not all tools are built alike and some will be more favorable to your process and some will be less, some will be more resource intensive from a human resources standpoint, and some will be less. And you want to be really thoughtful in making that selection. 

You also want to be very clear on your process and on your requirements. This is something that you’ll have to potentially revisit as a company scales and grows in volume. The goal should always be scalability of your onboarding process. And then from a merchant standpoint, I would say not just the process of onboarding the merchant, but making sure it’s very clear what the terms of service are. What merchant obligations fee, going back to merchant monitoring. So really considering all of that as you’re building your onboarding process, I think is so important.

It’s also about making sure that your partners are a good fit for your business, Juan explains:

Is this partner bringing a new product for the bank? If it’s a new product for the bank, let’s say a bank’s doing payments traditionally, but now wants to get into the BNPL space, you’re going to trigger regulations that you haven’t before. 

Does the partner have a strong CMS? Do they have a strong Chief Compliance Officer? How much of the mitigation is the bank going to have to do to make up for something perhaps that the partner is not quite up to speed up at that point? At the end of the day, it has to be mitigated. So somebody has to do it to avoid a regulatory issue. So obviously onboarding, it’s the assessment of their partner is incredibly important. 

For full insights from this session, watch it on-demand here.

Compliance checklist for partner banks, fintechs, and BaaS providers

The common theme from this session is clear—whether you’re a partner bank, fintech, or BaaS provider, compliance is critical to gain a competitive advantage and to manage risk with third-party relationships.

Download this checklist for building out a robust third-party compliance program, including key considerations for risk management, due diligence, compliance management systems, and documentation and reporting.

Build a strong third-party compliance program with PerformLine

Prioritizing compliance oversight is key to managing risk with third-party relationships and gaining a competitive advantage in the marketplace. 

PerformLine is already helping leading partner banks and fintechs like Cross River and Affirm automate and scale their compliance monitoring. Our omni-channel compliance solution provides:

  • Comprehensive coverage of your organization and your partners across marketing channels, including the web, calls, messages, emails, documents, and social media
  • An adaptable compliance program that matches your risk threshold as you bring on new partners
  • Scalability as your partner program grows, allowing your organization to bring on more partners faster while ensuring compliance

Ready to scale your compliance program? Schedule a quick call and see how PerformLine can help.
