Infrastructure

Banking-as-a-Service and partner risk

BaaS products depend on regulated bank sponsors whose requirements, risk appetite, and operational decisions can determine whether and how the fintech product can operate.

Banking-as-a-Service products allow fintech companies to offer deposit accounts, payment cards, and other banking features by partnering with a regulated bank that provides the underlying charter and regulatory infrastructure. The fintech provides the customer experience; the bank provides the regulated activity. That structure works, but the fintech’s dependence on the bank creates risks that are as important to manage as the regulatory requirements themselves.

How BaaS platforms distribute risk

In a BaaS structure, the bank sponsor is the regulated entity. It holds deposits, issues payment instruments, and is subject to prudential oversight by OSFI in Canada. The fintech partner provides the customer interface, the product design, and often the technology infrastructure.

The bank retains responsibility for compliance with banking regulations, AML obligations, and its own regulatory requirements. It also retains the ability to make decisions about risk appetite, customer types it will and will not support, and transaction types it will and will not process. Those decisions are not jointly made with the fintech partner — they are made by the bank based on its own regulatory posture and business judgment.

That asymmetry is the core risk of the BaaS structure from the fintech’s perspective. The fintech builds its product and customer relationships on an infrastructure it does not control and that can change based on the bank’s decisions.

What banks require from BaaS partners

Banks in BaaS arrangements conduct detailed diligence on their fintech partners because the fintech’s customers are, from a regulatory perspective, the bank’s customers. AML obligations, know-your-client requirements, and anti-fraud controls apply to the end customer’s relationship with the bank, even though that customer interacts primarily with the fintech’s product.

Banks require fintech partners to implement customer identification and verification processes that meet the bank’s standards, to screen customers against sanctions and prohibited use lists, to monitor transactions for AML and fraud purposes, to report suspicious activity to the bank, and to cooperate with the bank’s own compliance monitoring and examination responses.

The bank may also require contractual representations about the types of customers and transactions the fintech will and will not support, and audit rights to verify that the fintech is implementing the agreed compliance controls.

Compliance program design for BaaS-dependent products

A fintech operating under a BaaS structure has two overlapping compliance obligations. It has obligations under its agreement with the bank sponsor, which reflect the bank’s requirements as a regulated institution. And it may have independent obligations under FINTRAC’s MSB framework, if the fintech itself is performing regulated activity beyond merely providing access to the bank’s services.

The compliance program needs to address both sets of obligations. Where they overlap, the more stringent standard applies. Where they conflict, the question of how to resolve the conflict should be addressed in the BaaS agreement before the product launches.

Termination risk and operational continuity

The most significant operational risk in a BaaS structure is termination. Banks can and do terminate BaaS relationships. Reasons for termination include the bank’s changing risk appetite, regulatory pressure on the bank, the fintech’s failure to meet compliance standards, transaction patterns that exceed the bank’s risk tolerance, and business decisions by the bank about which market segments it wants to serve.

A BaaS termination typically gives the fintech a transition period to find a replacement banking partner and migrate customers. That transition period is often insufficient for a fintech that has built a significant customer base and has no alternative banking arrangements in place.

Managing this risk means understanding the termination provisions in the BaaS agreement, maintaining relationships with alternative banking partners, and building the compliance program and documentation in a way that makes the fintech an attractive customer to any replacement bank.
